Cerby

- Workspace Owners, Super Admins, and Admins
- Only supported using the Cerby web app

As a workspace Admin, Super Admin, or Owner, you can turn on the <a href="https://help.cerby.com/en/articles/9616265-explore-extended-account-access">Extended account access</a> feature for your Cerby workspace configured with Okta as the identity provider (IdP).

With this feature, you and all workspace members can sync the accounts they own to access them from their Okta dashboard powered by Cerby’s automated login.

The following are the requirements to turn on the Extended account access feature:

A user account in Okta with the following roles:

- <a href="https://support.okta.com/help/s/article/What-are-Application-Administrator-roles-and-permissions?language=en_US" rel="nofollow noopener noreferrer" target="_blank">Application Administrator</a> to create and manage app integrations in your Okta tenant
- <a href="https://help.okta.com/en-us/content/topics/security/administrators-read-only-admin.htm" rel="nofollow noopener noreferrer" target="_blank">Read-only Administrator</a> to read Okta groups

A user account in Cerby with the workspace Admin, Super Admin, or Owner role

A Cerby workspace configured with Okta as the IdP and the following features enabled:

- Single sign-on (SSO) authentication using a Security Assertion Markup Language (SAML) integration
- User provisioning using the System for Cross-domain Identity Management (SCIM) specification

Users provisioned from Okta to Cerby. Optionally, you can also provision Okta groups

The Extended account access feature enabled by our Customer Support team. You can contact us via email at <a href="mailto:support@cerby.com" rel="nofollow noopener noreferrer" target="_blank">support@cerby.com</a>

An Okta API token created for configuring and turning on this feature. For instructions on how to create or retrieve the token, read the official documentation <a href="https://help.okta.com/en-us/content/topics/security/api.htm#create-okta-api-token" rel="nofollow noopener noreferrer" target="_blank">Manage Okta API tokens ​</a>Additionally, set the corresponding <a href="https://support.okta.com/help/s/article/API-Token-Rate-Limit-Violation?language=en_US" rel="nofollow noopener noreferrer" target="_blank">rate limits</a> for the following API endpoint:

- A user account in Okta with the following roles:
 - <a href="https://support.okta.com/help/s/article/What-are-Application-Administrator-roles-and-permissions?language=en_US" rel="nofollow noopener noreferrer" target="_blank">Application Administrator</a> to create and manage app integrations in your Okta tenant
 - <a href="https://help.okta.com/en-us/content/topics/security/administrators-read-only-admin.htm" rel="nofollow noopener noreferrer" target="_blank">Read-only Administrator</a> to read Okta groups
- A user account in Cerby with the workspace Admin, Super Admin, or Owner role
- A Cerby workspace configured with Okta as the IdP and the following features enabled:
 - Single sign-on (SSO) authentication using a Security Assertion Markup Language (SAML) integration
 - User provisioning using the System for Cross-domain Identity Management (SCIM) specification
- Users provisioned from Okta to Cerby. Optionally, you can also provision Okta groups
- The Extended account access feature enabled by our Customer Support team. You can contact us via email at <a href="mailto:support@cerby.com" rel="nofollow noopener noreferrer" target="_blank">support@cerby.com</a>
- An Okta API token created for configuring and turning on this feature. For instructions on how to create or retrieve the token, read the official documentation <a href="https://help.okta.com/en-us/content/topics/security/api.htm#create-okta-api-token" rel="nofollow noopener noreferrer" target="_blank">Manage Okta API tokens ​</a>Additionally, set the corresponding <a href="https://support.okta.com/help/s/article/API-Token-Rate-Limit-Violation?language=en_US" rel="nofollow noopener noreferrer" target="_blank">rate limits</a> for the following API endpoint:
 - <code>/api/v1/apps*</code>

To turn on the Extended account access feature for Okta, you must complete the following steps:

Log in to your <a href="https://app.cerby.com/" rel="nofollow noopener noreferrer" target="_blank">Cerby</a> workspace using your web browser.

Select the Settings option from the left navigation drawer. The Workspace Configuration page is displayed.

Activate the IDP Settings tab. The Identity Provider Settings section is displayed, as shown in Figure 1.

Screenshot of the Workspace Configuration page with the IDP Settings tab activated. In the Extend Cerby accounts to Okta section, you can turn on this feature

Figure 1. Identity Provider Settings section in the IDP Settings tab of the Workspace Configuration page

Turn on the switch from the Extend Cerby accounts to Okta section.

Confirm your identity according to your multi-factor authentication (MFA) method:

- <a href="https://help.cerby.com/en/articles/9462605-confirm-your-identity-with-cerby-s-mfa-methods#h_f2f6b354f7">Push notification on the Cerby mobile app</a>
- <a href="https://help.cerby.com/en/articles/9462605-confirm-your-identity-with-cerby-s-mfa-methods#h_1f5622eac0">Email magic link</a>

The Turn on extended account access? dialog box is displayed.

Enter the corresponding values in the following input fields:

- IDP Domain: It is the domain of your Okta tenant configured with your Cerby workspace.
 IMPORTANT: You must include the protocol part (<code>https://</code>) of the URL. For example, <code>https://mycompany.okta.com</code>.
- API Token: It is the token that you generated or retrieved previously as part of the <a href="#h_5c2b8ba946">Requirements</a> section. For instructions, read the official documentation <a href="https://help.okta.com/en-us/content/topics/security/api.htm#create-okta-api-token" rel="nofollow noopener noreferrer" target="_blank">Manage Okta API tokens</a>.

TIP: You can click the Test connection button to verify that Cerby can connect with Okta.

Click the Turn on button. The dialog box closes, and a success message box is displayed.

1. Log in to your <a href="https://app.cerby.com/" rel="nofollow noopener noreferrer" target="_blank">Cerby</a> workspace using your web browser.
2. Select the Settings option from the left navigation drawer. The Workspace Configuration page is displayed.
3. Activate the IDP Settings tab. The Identity Provider Settings section is displayed, as shown in Figure 1.
 
 Screenshot of the Workspace Configuration page with the IDP Settings tab activated. In the Extend Cerby accounts to Okta section, you can turn on this feature
 Figure 1. Identity Provider Settings section in the IDP Settings tab of the Workspace Configuration page
 
4. Turn on the switch from the Extend Cerby accounts to Okta section.
5. Confirm your identity according to your multi-factor authentication (MFA) method:
 - <a href="https://help.cerby.com/en/articles/9462605-confirm-your-identity-with-cerby-s-mfa-methods#h_f2f6b354f7">Push notification on the Cerby mobile app</a>
 - <a href="https://help.cerby.com/en/articles/9462605-confirm-your-identity-with-cerby-s-mfa-methods#h_1f5622eac0">Email magic link</a>
 The Turn on extended account access? dialog box is displayed.
6. Enter the corresponding values in the following input fields:
 - IDP Domain: It is the domain of your Okta tenant configured with your Cerby workspace.
 IMPORTANT: You must include the protocol part (<code>https://</code>) of the URL. For example, <code>https://mycompany.okta.com</code>.
 - API Token: It is the token that you generated or retrieved previously as part of the <a href="#h_5c2b8ba946">Requirements</a> section. For instructions, read the official documentation <a href="https://help.okta.com/en-us/content/topics/security/api.htm#create-okta-api-token" rel="nofollow noopener noreferrer" target="_blank">Manage Okta API tokens</a>.
 TIP: You can click the Test connection button to verify that Cerby can connect with Okta.
7. Click the Turn on button. The dialog box closes, and a success message box is displayed.

Now you are done. You and all workspace members can start syncing and extending their accounts to Okta. For instructions, read the article Sync and extend an account to Okta.

This article describes how to turn on the Extended account access feature for accessing your apps from Okta with Cerby's automated login.

Requirements

Turn on Extended account access for Okta