
BlastShield Documentation

Okta Configuration

BlastShield™ is SCIM 2.0 enabled and supports integration with identity providers such as Okta, Azure AD and One Identity. SCIM support allows user accounts to be created automatically in BlastShield™ when users are assigned to the SCIM application in the IdP, and keeps account status and user attributes in BlastShield™ in sync with changes made in the IdP. BlastShield™ uses OIDC (OpenID Connect) to authenticate users against the IdP's SSO when they register with the Orchestrator. Once registered, users authenticate with MFA via the BlastShield™ Mobile Authenticator app and the BlastShield™ Desktop Client.

Okta Configuration Pre-requisites
  1. Your Orchestrator must have an SSO portal hostname configured for your network. Please contact support@blastwave.com to get one configured.

  2. You must have administrative read/write access to the BlastShield™ Orchestrator and to the Okta configuration portal.

Summary
  1. Set up OpenID Authentication

  2. Configure the SCIM Provisioning

  3. User registration

Set up OpenID Authentication
  1. Find your Okta domain and copy it. To find your Okta URL (also called an Okta domain), sign in to your Okta organization with your administrator account, and look for the Okta domain in the global header located in the upper-right corner of the dashboard.

  2. Open the BlastShield™ Orchestrator and from the settings menu on the left, go to the “Identity Provider” settings page.

    1. Click on the Enable External Identity Provider checkbox.

      [Screenshot: Enable External Identity Provider checkbox]
    2. Under USER AUTHENTICATION METHOD, select the option for BlastShield Authenticator:

      [Screenshot: User Authentication Method set to BlastShield Authenticator]
    3. In the OpenID configuration section, enter your Okta tenant domain (e.g., mycorporation.okta.com) as the “Domain”. Enter the bare hostname only: no https:// prefix, no path and no trailing slash.

      [Screenshot: Enter your Okta tenant domain]
  3. In Okta, click “Create App Integration”, select “OIDC - OpenID Connect” followed by “Web Application”, and click “Next”.

    [Screenshot: Select OIDC - OpenID Connect, then Web Application]
    1. Name the App integration “BlastShield OIDC”.

    2. Find the “Redirect URI” in the OpenID configuration section of the BlastShield™ Orchestrator. It has the format https://<your-domain>.blastshield.app/api/signin-authorized and is located as shown here:

      [Screenshot: Copy the Redirect URI from the Orchestrator]
    3. Copy the “Redirect URI” from the BlastShield™ Orchestrator and paste it in as the “Sign-in redirect URI” in Okta, exactly as shown. Okta matches redirect URIs exactly (scheme, host and path), so a trailing slash or a different scheme will cause the sign-in to fail. Remove any default “Sign-out redirect URIs”.

      [Screenshot: Paste the Redirect URI as the Sign-in redirect URI in Okta]
  4. Under “Assignments” select your preferred option and click “Save”. Assignments control who can start an SSO sign-in to BlastShield, so limit them to the users or groups that need access.

  5. Copy the “Client ID” and the generated “Client Secret” from Okta and paste them into the corresponding text fields in BlastShield. Treat the Client Secret like a password: it is what authenticates the Orchestrator to Okta, so do not store it anywhere other than the Orchestrator.

    [Screenshot: Copy the Client ID and the generated Client Secret from Okta]
    [Screenshot: Paste the Client ID and Client Secret into the Orchestrator]
  6. Click “Back to Applications”.
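What the three values configured above (the Okta domain, the Client ID and the registered Redirect URI) are used for, as an added example that is not the Orchestrator's own code: it builds the authorization-code request a relying party sends to Okta and applies the checks that must run when the browser comes back to /api/signin-authorized. The domain, client ID and deployment hostname are constructed placeholders, and the example assumes the Okta org authorization server endpoint /oauth2/v1/authorize; a deployment may use a custom authorization server instead.

```python
"""Added example, not the Orchestrator's own code: the authorization-code
request an OIDC relying party builds from the Okta domain, Client ID and
registered Redirect URI, and the checks it applies to the callback.
The domain, client ID and deployment hostname below are constructed."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

OKTA_DOMAIN = "mycorporation.okta.com"                                  # constructed
CLIENT_ID = "0oaconstructedclientid"                                    # constructed
REDIRECT_URI = "https://mycorp.blastshield.app/api/signin-authorized"   # constructed


def normalize_domain(domain: str) -> str:
    """The Orchestrator asks for the bare Okta hostname; reject a scheme,
    path or trailing slash so the URLs built below are well formed."""
    d = domain.strip()
    if not d or "://" in d or "/" in d:
        raise ValueError(f"enter the bare Okta domain, got {domain!r}")
    return d.lower()


def discovery_url(domain: str) -> str:
    """Where a relying party fetches Okta's endpoints and signing keys from."""
    return f"https://{normalize_domain(domain)}/.well-known/openid-configuration"


def build_authorization_request(domain: str, client_id: str, redirect_uri: str):
    """Return (url, state, nonce, code_verifier). state ties the callback to this
    browser session, nonce is later checked inside the ID token, and the PKCE
    verifier proves the code exchange comes from the party that started it.
    Assumes the Okta org authorization server (/oauth2/v1/authorize)."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)          # 86 chars, within PKCE's 43..128
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    url = f"https://{normalize_domain(domain)}/oauth2/v1/authorize?{urlencode(params)}"
    return url, state, nonce, code_verifier


def parse_callback(callback_url: str, registered_redirect_uri: str, expected_state: str) -> str:
    """Validate the redirect back from Okta and return the authorization code.
    The URI is compared as an exact string (scheme, host, path), which is why
    the value pasted into Okta must match the Orchestrator's character for character."""
    parts = urlsplit(callback_url)
    arrived_at = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if arrived_at != registered_redirect_uri:
        raise ValueError(f"callback arrived at unregistered URI {arrived_at}")
    q = parse_qs(parts.query)
    if "error" in q:
        raise ValueError(f"Okta returned error={q['error'][0]}")
    if not expected_state or q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale session or forged callback")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


def demo() -> str:
    """Start a flow and simulate Okta redirecting back with a constructed code."""
    url, state, nonce, verifier = build_authorization_request(OKTA_DOMAIN, CLIENT_ID, REDIRECT_URI)
    fake_callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    return parse_callback(fake_callback, REDIRECT_URI, state)
```

Running `demo()` returns the constructed code; feeding it a callback whose path carries a trailing slash, or whose state does not match, raises instead. That is the same exact-match rule Okta applies on its side, which is why the Redirect URI must be copied verbatim.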

Configure the SCIM Provisioning
  1. In Okta, click “Create App Integration”, select “SWA - Secure Web Authentication” and click “Next”.

    [Screenshot: Create App Integration and select SWA]
  2. Enter BlastShield SCIM as the “App name”, copy the “REGISTRATION PORTAL > Registration URL” from the BlastShield Orchestrator, enter it as the “App’s login page URL” in Okta and click “Finish”.

    [Screenshot: Enter BlastShield SCIM as the App name and the Registration URL as the login page URL]
  3. Click on the “General” tab and select “Edit” in the “App settings” box. Select “Enable SCIM provisioning” and click “Save”.

    [Screenshot: Enable SCIM provisioning]
  4. Click on the “Provisioning” tab and select “Edit” next to “SCIM Connection”.

    1. Copy the “SCIM Endpoint” from BlastShield and enter it as the “SCIM connector base URL” in Okta.

    2. Enter userName as the “Unique identifier field for users”.

    3. Under “Supported provisioning actions”, check “Push New Users”, “Push Profile Updates” and “Push Groups”.

    4. Select “HTTP Header” as the “Authentication Mode”. In this mode Okta sends the token as a bearer credential in the Authorization header of every SCIM request.

    5. In BlastShield, click the “Generate Token” button and copy the token to the clipboard. Click “Save Changes” before going back to Okta. Treat the token as a secret: anyone holding it can create, update and deactivate users through the SCIM endpoint.

    6. Paste the copied token into the “Authorization” field and click on “Test Connector Configuration”.

      [Screenshot: SCIM connector base URL, unique identifier, provisioning actions and authentication mode]
  5. Make sure that the test results show “Connector configured successfully”, then click “Save”.

    [Screenshot: Test Connector Configuration results]
  6. Click “Edit” next to “Provisioning to App” and enable “Create Users”, “Update User Attributes” and “Deactivate Users”, then click “Save”. “Deactivate Users” is what makes an Okta deactivation or unassignment disable the user in BlastShield as well, so leave it enabled.

    [Screenshot: Provisioning to App settings]
  7. Click on the “Assignments” tab and assign the users and/or groups that you want to give access to your BlastShield Network.

    [Screenshot: Assign users and groups]
  8. Optionally click on the “Push Groups” tab and push the groups that you want to import into BlastShield.

    [Screenshot: Push Groups tab]
    [Screenshot: Push Groups selection]

Note

When this configuration is completed, users and groups which are assigned to the BlastShield™ application in Okta will be automatically provisioned into the BlastShield™ Orchestrator, and will be available to use in BlastShield™ policies. It is not possible to modify the provisioned groups from the Orchestrator, but you can add a provisioned user to BlastShield™-created groups.
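What the SCIM settings above amount to on the wire, as an added, constructed mock rather than BlastShield's SCIM implementation: an in-memory SCIM 2.0 /Users resource that checks the bearer token Okta places in the Authorization header, uses userName as the unique identifier (looked up case-insensitively), creates users from the payload Okta pushes, and applies the active=false update that “Deactivate Users” sends. The token, user names and e-mail addresses are constructed; the request shapes follow RFC 7643/7644 and Okta's documented SCIM behaviour, and the service is driven by calling handle() directly instead of listening on a socket.

```python
"""Added example, not BlastShield's SCIM server: a minimal in-memory SCIM 2.0
/Users resource showing what Okta's provisioning settings exercise."""
import hmac
import re
import uuid
from urllib.parse import parse_qs, urlsplit

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
FILTER_RE = re.compile(r'userName\s+eq\s+"([^"]*)"', re.IGNORECASE)


class ScimService:
    """Users keyed by id; userName is the unique identifier Okta was told to use."""

    def __init__(self, bearer_token: str):
        self._expected = f"Bearer {bearer_token}"
        self.users = {}  # id -> user resource

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (HTTP status, JSON-serialisable body)."""
        # "HTTP Header" mode: Okta sends Authorization: Bearer <token> verbatim.
        # Compare in constant time so a wrong token is not distinguishable by timing.
        presented = headers.get("Authorization", "")
        if not hmac.compare_digest(presented, self._expected):
            return 401, self._error(401, "missing or invalid bearer token")
        parts = urlsplit(path)
        segs = parts.path.strip("/").split("/")
        if segs[0] != "Users":
            return 404, self._error(404, "unknown resource")
        if method == "GET" and len(segs) == 1:
            return self._list(parse_qs(parts.query).get("filter", [None])[0])
        if method == "POST" and len(segs) == 1:
            return self._create(body or {})
        if method in ("PUT", "PATCH") and len(segs) == 2:
            return self._update(segs[1], method, body or {})
        return 405, self._error(405, "method not allowed")

    def _find(self, user_name):
        return next((u for u in self.users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def _list(self, flt):
        # Okta looks a user up with GET /Users?filter=userName eq "<value>"
        # before it creates one, so this filter must work for the connector test.
        if flt is None:
            hits = list(self.users.values())
        else:
            m = FILTER_RE.fullmatch(flt.strip())
            if not m:
                return 400, self._error(400, "unsupported filter")
            u = self._find(m.group(1))
            hits = [u] if u else []
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits),
                     "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}

    def _create(self, body):
        user_name = body.get("userName")
        if not user_name:
            return 400, self._error(400, "userName is required")
        if self._find(user_name):
            return 409, self._error(409, "userName already exists")
        user = {"schemas": [SCIM_USER], "id": str(uuid.uuid4()), "userName": user_name,
                "name": body.get("name", {}), "emails": body.get("emails", []),
                "active": bool(body.get("active", True))}
        self.users[user["id"]] = user
        return 201, user

    def _update(self, user_id, method, body):
        user = self.users.get(user_id)
        if user is None:
            return 404, self._error(404, "no such user")
        if method == "PUT":
            user.update({k: v for k, v in body.items() if k != "id"})  # id is immutable
        else:
            # "Deactivate Users" arrives as {"op": "replace", "value": {"active": false}}.
            for op in body.get("Operations", []):
                if op.get("op", "").lower() not in ("replace", "add"):
                    return 400, self._error(400, "unsupported op")
                value = op.get("value")
                if op.get("path"):
                    user[op["path"]] = value
                elif isinstance(value, dict):
                    user.update(value)
        return 200, user

    @staticmethod
    def _error(status, detail):
        return {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


def demo():
    """Provisioning lifecycle with constructed data: reject, create, look up, deactivate."""
    svc = ScimService("constructed-token-not-a-real-one")
    hdr = {"Authorization": "Bearer constructed-token-not-a-real-one"}
    assert svc.handle("GET", "/Users", {})[0] == 401               # no token
    status, user = svc.handle("POST", "/Users", hdr, {
        "userName": "alice@example.com", "active": True,
        "name": {"givenName": "Alice", "familyName": "Example"},
        "emails": [{"value": "alice@example.com", "primary": True}]})
    assert status == 201
    _, listing = svc.handle("GET", '/Users?filter=userName eq "Alice@example.com"', hdr)
    assert listing["totalResults"] == 1
    _, user = svc.handle("PATCH", f"/Users/{user['id']}", hdr,
                         {"Operations": [{"op": "replace", "value": {"active": False}}]})
    return user
```

The 401 path is the one the “Test Connector Configuration” button exercises first: if the token pasted into Okta does not match the one generated in the Orchestrator, nothing else in the connector is reached. The deactivation path is what keeps an offboarded Okta user from reaching the network, which is why “Deactivate Users” should stay enabled.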

User registration

New users provisioned by the Identity Provider are registered via the BlastShield™ registration SSO portal. The BlastShield™ registration URL is unique to your deployment and is specified in the Identity Provider > REGISTRATION PORTAL > Registration URL attribute in the Orchestrator as shown here:

[Screenshot: Registration URL in the Orchestrator]

Use the following process to register each user.

  1. The new user opens the BlastShield™ Registration URL https://<your-domain>.blastshield.app in their browser.

    [Screenshot: Registration portal]
  2. Click on Sign in.

  3. Log in with the regular company SSO credentials; this is the OIDC sign-in to Okta configured above.

    [Screenshot: Okta sign-in]
  4. Scan the displayed QR code with the BlastShield™ Mobile Authenticator app.

    [Screenshot: Registration QR code]
  5. Complete the biometric check when prompted.

  6. The user is now registered on the BlastShield™ network.

    [Screenshot: Registration complete]