Getting Started

Endpoints

Patch Management

Vulnerability Management

Software Deployment & IT Assets

Automation & Remote Desktop

Real-Time Reports & Alerts

Account Access & Management

SSO Authentication

Security Concerns

Need Help?

Action1 5 Documentation 5 SSO Authentication with Okta

SSO Authentication with Okta

To provide easy and secure access to Action1 console, Action1 enables users to log in using single sign-on (SSO) instead of maintaining Action1-specific user credentials. This section explains how to configure SSO with Okta as an identity provider.

NOTE: Make sure that user accounts are already created in Okta.

Stage 1: Configure App Integration in Okta

  1. Sign in to the Okta console as an administrator.
  2. Navigate to Applications and click Create App Integration.

 

Create a new app integration in Okta using the wizard.
  1. Follow the app integration wizard:
    • In the Sign-in method section, select OIDC – Open ID Connect
    • In the Application type section, select Web Application.

 

Select sign-in method and app type for new integration.
  1. Then, in the app’s General settings, configure the following:
    • In the App integration name, provide a meaningful name, e.g., Action1 Okta App.
    • In the Grant type, select Refresh Token. Leave Authorization Code enabled by default.
    • Set the Sign-in redirect URIs according to your Action1 region:
      • For North America, enter: https://app.action1.com/sso/login
      • For Europe, enter: https://app.eu.action1.com/sso/login
      • For Australia, enter: https://app.au.action1.com/sso/login
    • In the Assignments, set Controlled access to  Skip group assignment for now.
  2. Click Save.
  3. In Okta console, navigate to the app integration you created to open its properties.
  4. On the General tab, go to Client Credentials > Proof Key for Code Exchange (PKCE) and select Require PKCE as additional verification.
  5. Copy Client ID and Secret – you will need them later in Action1 settings.
Copy client credentials.
  1. Then open the Assignments tab, click Assign, and specify Okta users who will use this integration to log in to Action1.
Assign Okta user accounts to use the integration.
  1. Now, in Okta console navigation sidebar, go to Security | API. On the Authorization Servers tab, copy Issuer URI – you will need it later in Action1 settings.
Copy Issuer URI of the new integration in Okta.
  1. Click Add Authorization Server and navigate to Access Policies. Click Add New Access Policy to create a new one. Provide its name and description, select to assign it to All clients, and click Create Policy.
Create a new access policy for the integration in Okta.
  1. Then select that new policy from the list, click Edit, and click Add rule. Provide the rule name and proceed with the default settings to allow access for the assigned users:
Create a new rule for assignment policy in Okta.

NOTE: You can configure other rule settings (e.g., refresh token time) according to the IT policies implemented in your infrastructure.

Stage 2: Enable SSO with Okta in Action1 Console

When you sign up for Action1, you have to create the initial Action1 credentials (without SSO). By default, this initial account has an Enterprise Admin role in Action1. Then you can use this privileged account to invite the existing accounts from your organization’s Okta.

After creating the initial Action1 credentials while signing up, follow these steps to enable Okta SSO:

  1. Log in to Action1 using your initial Action1 credentials (do not click Okta during login).

Important! Do not click Okta during this login.

  1. Navigate to the Advanced page and select Identity Provider.
  2. Select Okta from the list of identity providers.
  3. Enter Client IDClient Secret, and Issuer URI of your Okta application (see steps 7-9 from Stage 1 above).
  4. Keep the scope set to Enterprise.
  5. Click Save.

With these settings changed, all new Action1 users will use Okta to sign in. To learn how to switch the existing Action1 users to SSO with Okta, see “Switching existing Action1 users to SSO with Okta” section below.

Using Advanced settings in the console to configure Okta as identity provider.

Important! Keep the initial non-SSO Action1 credentials for emergency recovery purposes, in case you lose access to Okta. Store these credentials securely, as they have Enterprise Admin access by default.

Stage 3: Invite Okta Users to Action1

Now you can invite your Okta users to work with Action1, accessing it with their Okta credentials and SSO.

  1. Open the Action1 console.
  2. Navigate to the Users & API Credentials page and click +Invite User.
  3. In the Invite New User dialog, provide the user settings, then click Invite.

 

Switching Existing Action1 Users to SSO with Okta

This procedure explains how to switch your existing Action1 users to SSO with their Okta accounts.

Important! To perform the required steps, an account with the Enterprise admin role in Action1 is required. Make sure you have at least one Enterprise admin present; otherwise, admin account access will be lost. You can also create a secondary Enterprise admin or elevate another user to the Enterprise admin role.

Before you start, make sure these users already exist in Okta. Otherwise, proceed to Okta to create user accounts.

Important! To migrate to SSO with Okta, the Action1 user accounts need first to be deleted. The users will be unable to access Action1 until the process is completed.

  1. Navigate to the Users & API Credential page in the Action1 console.
  2. Locate the user account you want to switch to SSO with Okta. If this user has an Action1 role assigned, make sure to revoke this role.
  3. Select Delete. Alternatively, set the user’s email to non-existent, such as [email protected].
  4. Invite the user again into Action1 by sending an invite link, as described in the “Stage 3: Invite Okta Users to Action1” section above.