This article contains the steps to create an Okta Tenant Admin account and the necessary configuration steps.
These steps are required because a Clarity user cannot be an Okta Tenant Admin. Clarity users are added to a non-MFA (Multi-Factor Authentication) group, whereas an Okta Tenant Admin must belong to an MFA group.
Clarity PPM SaaS Environments in GCP
As part of the SSO onboarding process, the customer will provide the email addresses of the administrators that are designated as Tenant Administrators.
Broadcom will provision a new account in Okta by appending -admin to the username. For example, if the customer provides [email protected], Broadcom will generate a new account as [email protected] while keeping the email as [email protected].
Broadcom will assign “Admin” privileges to the new user account in the “Self Service” Portal for the specific customer group(s).
Note: The customer should not add the new administrator account with the “-admin” suffix to their IDP. Once the new admin account accesses Broadcom Okta via SSO, MFA (Multi-Factor Authentication) is removed, because the administrator is logging in via the customer IDP and the MFA challenge is removed. Admin privileges, however, need MFA authentication. For this reason, make sure the administrator account does not access the system via IDP SSO login.
If you run into issues changing or adding a user in Okta for Clarity SaaS, see KB: Okta User Change Requests for Clarity SaaS.
Also see KB: Searching for known Clarity Issues using Self Service for tips on how to optimize use of Self Service for Clarity PPM