Steps to Create Okta Tenant Admin For SaaS Environments in GCP

Article ID: 195403

Updated On:

Products

Clarity PPM SaaS

Issue/Introduction

This article contains the steps to create an Okta Tenant Admin account and the necessary configuration steps. 

Cause

These steps are required because a Clarity user cannot be an Okta Tenant Admin. Clarity users are added to the non-MFA (Multi-Factor Authentication) group, whereas an Okta Tenant Admin needs to be in the MFA group.

Environment

Clarity PPM SaaS Environments in GCP

Resolution

Procedure for Tenant Admin creation by Broadcom 

As part of the SSO on-boarding process, the customer will provide the email address of the administrators that are designated as Tenant Administrators.

Broadcom will provision a new account in Okta by appending -admin to the username. For example, if the customer provides [email protected], Broadcom will generate a new account as [email protected] while keeping the email as [email protected].

Broadcom will assign “Admin” privileges to the new user account in the “Self Service” Portal for the specific customer group(s).

Procedure to activate the account, log in to Broadcom Okta as Administrator and manage users (to be followed by the customer Administrator)

  1. The Tenant Administrator will receive an activation email (the username will have -admin appended to the original email).
  2. The customer's Tenant Administrator can trigger the activation process by clicking on the link and setting password credentials and other settings.
  3. Once the account is created, the user lands on the Broadcom Home Page.
  4. Log in to the Broadcom Okta SSO Portal (https://avagoext.okta.com/) with the new Administrator account.
  5. Click “Setup” to configure MFA. The Tenant Administrator can use one of the three options to set up MFA (Email, SMS or Okta Verify Mobile App).
  6. All three options are described here. The Administrator can enroll in all factors or just one.
  7. Option 1: Email
    1. For the Email Verification option, “Send me the code” will send an activation code to the email address.
    2. Enter the verification code received in the email.
  8. Option 2: SMS
    1. For the SMS option, the code will be sent to the cell phone.
  9. Option 3: Okta App
    1. For the “OKTA App” option, the Administrator has to download the Okta app and set up MFA.
  10. Select the device and set up the app on the mobile phone.
  11. Once the app is set up on the Administrator's phone, add the account to the app by scanning the barcode.
  12. Okta Verify is checked to indicate that MFA is set up.
  13. To log in to the account, use the “Send push” option or enter the code from the app.
  14. Once on the Broadcom Okta dashboard, click the “Admin” link at the top of the screen.
  15. The administration interface is displayed, where the Administrator can perform user management tasks.
  16. Any subsequent login to the admin interface will trigger the MFA authentication process.

Note: The customer should not add the new administrator account with the “-admin” suffix to their IdP. Once the new admin account accesses Broadcom Okta via SSO, MFA (Multi-Factor Authentication) mode is removed, because the administrator is logging in via the customer IdP and the MFA challenge is removed. Admin privileges, however, need MFA authentication. For this reason, make sure the administrator account is not accessing the system via IdP SSO login.

Additional Information

When running into issues changing or adding a user in Okta for Clarity SaaS, see KB 193500.

Also see KB 141061 for tips on how to optimize use of Self Service for Clarity PPM.