Adding an existing OKTA user to our tenant in GCP and using the SaaS Sync Users job

Article ID: 211693

Products

Clarity PPM SaaS

Issue/Introduction

We need to add an existing OKTA user (a 3rd party partner) to our tenant in OKTA.

Since this user already exists in OKTA, we cannot add the user to our OKTA tenant.

The documentation mentions the SaaS Sync Users Job.

However, it is not enabled for us. How can we get this job enabled?

Environment

Release : 15.9.1, 15.9.2, 15.9.3

Component : ODEVCL, ODESSO

Resolution

Open an RITM and request the following.

Be sure to include the hostname and schema of the Clarity instance.

Adding The System Options

DevOps will need to update the CMN_OPTIONS and CMN_OPTION_VALUES tables with the appropriate system options for the particular Clarity instance in order for the SaaSUserSyncJob to work. The easiest way to do this is with the Clarity admin command:

  1. admin system-options -add SAAS_SYNC_USER_GROUP <Okta user group for the Clarity instance>
     Example: admin system-options -add SAAS_SYNC_USER_GROUP ClarityPPM.MyBank.cppm1234.prod
  2. admin system-options -add SAAS_SYNC_API_TOKEN <Okta API token of the group administrator for the Clarity user group>
     Example: admin system-options -add SAAS_SYNC_API_TOKEN 00HGtB1yLdgazpgHkTN8qYBGyuuT9UlLVFuUzWSk9j
     Note: The Okta API token is generated in Okta for the user that was created as the group administrator for the Clarity user group. An Okta API token carries the privileges of the user it was generated for, so keep that user limited to administering this group and handle the token as a secret: it authenticates every call the job makes to Okta.
  3. admin system-options -add SAAS_SYNC_IDP_URL <base URL of the Okta REST API for the tenant>
     Example: admin system-options -add SAAS_SYNC_IDP_URL https://broadcomext.oktapreview.com/api/v1

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/clarity-project-and-portfolio-management-ppm-on-premise/15-9-2/reference/clarity-ppm-authentication-methods/Clarity-SaaS-Authentication.html
Non-Federated User Creation in Okta
The SaaS User Sync job enables Clarity SaaS customers to synchronize Clarity users with Broadcom Okta and assign them to the appropriate Okta groups. Administrators should manually schedule this job to run regularly. In Clarity 15.9.1 and future releases, customers do not need to log in to Okta as tenant admin to add users. The SaaS User Sync job reads all users from Clarity that have not been synced previously and then performs the following actions:
Check if the Clarity user exists in Okta.
  • If the username is not in the form of an email address, the user is skipped.
  • If the user exists and is in the appropriate Okta group, then the job will not make any changes.
  • If the user exists but is not in the appropriate Okta user group, the job will add the user to the appropriate Okta user group.
  • If the user does not exist in Okta, the job will create the user and add them to the appropriate Okta user group.
  • If user status in Clarity is "inactive", then the job removes the user from the Okta user group, thus revoking their access to the Clarity PPM instance. The user will be marked as not having been synced in case they are reactivated at a future date. 
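The decision rules above, and the way the three system options from the Resolution feed them, as an added illustration that is not Clarity's own code. It assumes SAAS_SYNC_IDP_URL is the Okta base URL ending in /api/v1, SAAS_SYNC_API_TOKEN is sent as an Okta SSWS API token, and SAAS_SYNC_USER_GROUP is an Okta group name that must first be resolved to a group id; it talks to the public Okta endpoints GET /groups?q=, GET /users/{login}, GET/PUT/DELETE /groups/{id}/users[/{uid}] and POST /users?activate=true. The tenant, group, logins and the in-memory stand-in for Okta are constructed so the block runs offline; the "synced" flag handling (a deactivated user is picked up again) is an assumption about the job, not something the article states.

```python
import json, re
from urllib import error, parse, request

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

class OktaClient:  # only the endpoints the job needs; `fetch` can be swapped for an offline double
    def __init__(self, idp_url, api_token, fetch=None):
        self.base, self.token = idp_url.rstrip("/"), api_token  # SAAS_SYNC_IDP_URL already ends in /api/v1
        self._fetch = fetch or self._http
    def _http(self, method, path, body=None):  # real transport: the API token travels in the SSWS header
        req = request.Request(self.base + path, method=method, data=json.dumps(body).encode() if body else None,
                              headers={"Authorization": "SSWS " + self.token, "Accept": "application/json",
                                       "Content-Type": "application/json"})
        try:
            with request.urlopen(req, timeout=30) as resp:
                return resp.getcode(), json.loads(resp.read() or b"null")  # 204 bodies decode to None
        except error.HTTPError as e:
            return e.code, None
    def group_id(self, name):  # /groups?q= is a prefix search, so insist on an exact name match
        _, groups = self._fetch("GET", "/groups?" + parse.urlencode({"q": name}))
        return next((g["id"] for g in groups or [] if g["profile"]["name"] == name), None)
    def find_user(self, login):  # 404 means the login is unknown to this Okta org
        status, user = self._fetch("GET", "/users/" + parse.quote(login, safe=""))
        return user if status == 200 else None
    def in_group(self, gid, uid):  # a real org paginates this list: follow the Link rel="next" header
        _, members = self._fetch("GET", f"/groups/{gid}/users")
        return any(m["id"] == uid for m in members or [])
    def set_membership(self, gid, uid, member):
        self._fetch("PUT" if member else "DELETE", f"/groups/{gid}/users/{uid}")
    def create_user(self, u):
        profile = {"login": u["login"], "email": u["login"], "firstName": u["first"], "lastName": u["last"]}
        status, created = self._fetch("POST", "/users?activate=true", {"profile": profile})
        if status != 200:
            raise RuntimeError(f"could not create {u['login']}: HTTP {status}")
        return created

def sync_users(client, group_name, users):
    """Apply the article's rules to each not-yet-synced Clarity user; returns the action per login."""
    gid = client.group_id(group_name)
    if gid is None:  # wrong SAAS_SYNC_USER_GROUP, or the token's owner cannot see the group
        raise RuntimeError(f"Okta group {group_name!r} not found")
    actions = {}
    for u in (x for x in users if not x["synced"]):
        if not EMAIL_RE.match(u["login"]):
            actions[u["login"]] = "skipped"  # only email-style usernames are synced
            continue
        okta = client.find_user(u["login"])
        if not u["active"]:  # revoke access and leave unsynced so a later reactivation is picked up
            if okta and client.in_group(gid, okta["id"]):
                client.set_membership(gid, okta["id"], False)
            actions[u["login"]] = "removed"
            continue
        if okta is None:
            okta = client.create_user(u)
            client.set_membership(gid, okta["id"], True)
            actions[u["login"]] = "created"
        elif client.in_group(gid, okta["id"]):
            actions[u["login"]] = "unchanged"
        else:
            client.set_membership(gid, okta["id"], True)
            actions[u["login"]] = "added"
        u["synced"] = True
    return actions

def fake_okta(groups, users, members):  # constructed in-memory stand-in for the endpoints above
    def fetch(method, path, body=None):
        p = parse.urlsplit(path).path.strip("/").split("/")
        if p == ["groups"]:                                   # GET /groups?q=...
            return 200, groups
        if p == ["users"]:                                    # POST /users?activate=true
            users.append({"id": f"00u{len(users) + 1}", "profile": body["profile"]})
            return 200, users[-1]
        if p[0] == "users":                                   # GET /users/{login}
            hit = [x for x in users if x["profile"]["login"] == parse.unquote(p[1])]
            return (200, hit[0]) if hit else (404, None)
        m = members.setdefault(p[1], set())                   # /groups/{gid}/users[/{uid}]
        if len(p) == 3:
            return 200, [x for x in users if x["id"] in m]
        (m.add if method == "PUT" else m.discard)(p[3])
        return 204, None
    return fetch

def demo():
    """Run the job once against a constructed tenant; returns the actions and the client."""
    group = "ClarityPPM.MyBank.cppm1234.prod"
    mk = lambda login, active=True: {"login": login, "first": "Test", "last": "User", "active": active, "synced": False}
    okta_users = [{"id": f"00u{i}", "profile": {"login": l}} for i, l in
                  enumerate(["partner@example.com", "member@example.com", "leaver@example.com"], 1)]
    fetch = fake_okta([{"id": "00g1", "profile": {"name": group}}], okta_users, {"00g1": {"00u2", "00u3"}})
    client = OktaClient("https://example.oktapreview.com/api/v1", "placeholder-token", fetch)
    clarity = [mk("partner@example.com"),               # in Okta (the 3rd-party partner), not yet in the group
               mk("member@example.com"),                # already in the group
               mk("new.hire@example.com"),              # not in Okta at all
               mk("leaver@example.com", active=False),  # deactivated in Clarity
               mk("svc_admin")]                         # not an email address
    return sync_users(client, group, clarity), client
```

The partner case from the Issue section is the "added" path: the user already exists in Okta, so the job only adds the existing account to the instance's group instead of trying to create it. Resolving the group name to an id up front is also the cheapest way to confirm that the token and SAAS_SYNC_USER_GROUP requested in the RITM actually work together before the job touches any user.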
 
To learn more about the SaaS User sync job, see Clarity Jobs Reference. If you are using older releases of Clarity, or want to create users manually as an Okta tenant admin, follow the steps given below. To learn more about creating an Okta tenant admin, see Creating an OKTA Tenant Admin.
From Clarity, create the non-federated user via the “Resources” section under Administration