
Identity Federation using OIDC or SAML

This feature is available to all customers with an active ProsperOps subscription. If you are interested in enabling this feature, please reach out to help@prosperops.com.

Introduction

ProsperOps supports several methods for logging in to our console:

  1. Email and password unique to ProsperOps
  2. Integrated authentication using Google credentials
  3. Identity federation using an OIDC- or SAML-compliant identity provider (IdP), e.g. Okta, Azure AD, etc.

This article provides the steps necessary to configure OIDC- or SAML-compliant identity federation. While any OIDC- or SAML-compliant IdP will work, we've provided setup instructions below for the most common IdPs. It's likely that you'll need a member of your IT team (or whichever group administers your IdP) to assist you with the configuration.

If you have any questions during the setup process, please reach out to help@prosperops.com.

Configuring Okta

  1. Log in to the Okta Administrator Console
  2. Go to Directory and create three new groups: ProsperOpsViewer, ProsperOpsEditor, and ProsperOpsOwner (these group names are case-sensitive).
    • If you have a corporate group naming standard that necessitates a different naming scheme, you may use custom group names.  
  3. Go to Applications > Add Application > Create New App.
  4. Select the Web platform and OpenID Connect sign-on method and click Create.
  5. Under Create OpenID Connect App Integration, enter the following and click Save.
    1. Application Name: ProsperOps
    2. Login Redirect URI: https://login.prosperops.com/login/callback
  6. Copy the Client ID and Okta Domain. You'll send those to us in a later step.
  7. Go to the General tab and look at the Application section. Under Grant type, check Implicit (Hybrid) and then Allow ID Token with implicit grant type. The steps here only call for the ID token, so leave the access-token option under Implicit (Hybrid) unchecked.
  8. Go to the Sign On tab and edit the Groups claim filter to only include groups that start with ProsperOps (filter type Starts with, value ProsperOps). If you created custom group names in step 2, instead create a filter that matches at least the three ProsperOps access groups in your Okta directory. A regex match of .* will transmit every group a user is a member of; that works, but it discloses your entire group structure to ProsperOps in every ID token, so prefer the narrowest filter that still matches your three groups. Click Save.
  9. Go to the Assignments tab and assign the three ProsperOps groups you created in step 2 above.
  10. Populate the three ProsperOps groups created in step 2 with appropriate users. If you have local ProsperOps users, you can reference the user and role mappings on our User Management page to understand current levels of access. Once identity federation is enabled, all local ProsperOps users will be removed.
    Note: If a user is added to more than one group mapped to a ProsperOps role, the group granting the highest level of access takes precedence.
  11. In your email system, create an email distribution list (e.g. prosperops-users@mycompany.com) which will be used for all automated email notifications from the ProsperOps service (e.g. monthly summary emails, AWS account access alerts, etc.). If possible, we recommend you configure synchronization so the email distribution list always contains whatever members are in the three ProsperOps access groups.
  12. Email help@prosperops.com with the following:
    • The Client ID and Okta Domain you gathered in step 6 above (these are public identifiers, not secrets, and do not require a secure transit channel).
    • The email distribution list created in step 11 above
    • The email address that should receive billing communications for your account (if not already configured)
    • If applicable, the custom group names from step 2 above

We'll configure your company for identity federation in our system and provide you with steps to test the experience once configured.

If you want your end users to be able to log in to the ProsperOps Console via the Okta application launcher, configure a bookmark app using the Login URL provided on the ProsperOps User Management page.
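The two parts of the Okta setup that are easiest to get subtly wrong are the Groups claim filter (step 8) and the precedence rule when a user sits in more than one ProsperOps group (note under step 10). The following Python model is an added example, not ProsperOps or Okta code: it simulates the Okta "Starts with" and "Matches regex" filter types against a constructed user's group list, shows how much a `.*` filter transmits compared with a `ProsperOps` prefix filter, and resolves a single role with Owner taking precedence over Editor over Viewer. The sample user, group names other than the three defaults, and the unsigned token are all constructed for illustration; a real relying party verifies the token signature before trusting any claim.

```python
"""Model of the Okta Groups claim filter (step 8) and the ProsperOps role
precedence rule (step 10 note).  Added example; not ProsperOps or Okta code.
All sample groups and the token below are constructed."""
import base64
import json
import re

# Role mapping for the default group names from step 2.  A customer using
# custom group names (step 12) substitutes its own names as the keys.
DEFAULT_GROUP_ROLES = {
    "ProsperOpsOwner": "Owner",
    "ProsperOpsEditor": "Editor",
    "ProsperOpsViewer": "Viewer",
}

# Higher rank wins when a user is a member of several mapped groups.
ROLE_RANK = {"Viewer": 1, "Editor": 2, "Owner": 3}


def okta_groups_claim(user_groups, filter_type, filter_value):
    """Return the groups Okta would place in the `groups` claim for this user.

    Models two Okta filter types: "Starts with" and "Matches regex".  Whether
    Okta anchors the regex is not stated on the page, so the sample patterns
    used here behave the same way anchored or not (assumption).
    """
    if filter_type == "starts_with":
        return [g for g in user_groups if g.startswith(filter_value)]
    if filter_type == "regex":
        pattern = re.compile(filter_value)
        return [g for g in user_groups if pattern.search(g)]
    raise ValueError(f"unsupported filter type: {filter_type}")


def resolve_role(groups_claim, group_roles=DEFAULT_GROUP_ROLES):
    """Map a groups claim to one ProsperOps role; the highest access level wins.

    Unmapped groups (e.g. "Everyone") are ignored.  Returns None when the user
    is in no mapped group, i.e. has no access.
    """
    roles = [group_roles[g] for g in groups_claim if g in group_roles]
    if not roles:
        return None
    return max(roles, key=ROLE_RANK.__getitem__)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED ID token (alg "none") for illustration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def groups_from_id_token(token: str) -> list:
    """Extract the `groups` claim from the payload segment.

    No signature check is done here; a real relying party must verify the
    signature against the IdP's published keys before reading any claim.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("groups", [])


# Constructed sample user: in Okta's Everyone group, an unrelated finance
# group, and two of the three ProsperOps access groups.
SAMPLE_USER_GROUPS = ["Everyone", "Finance-Analysts", "ProsperOpsViewer", "ProsperOpsEditor"]


def demo():
    """Compare a tight and a loose filter, then resolve the role from a token."""
    tight = okta_groups_claim(SAMPLE_USER_GROUPS, "starts_with", "ProsperOps")
    loose = okta_groups_claim(SAMPLE_USER_GROUPS, "regex", ".*")
    token = make_unsigned_id_token({"sub": "00u-constructed", "groups": tight})
    return {
        "tight_claim": tight,   # only the two ProsperOps groups
        "loose_claim": loose,   # every group, including Finance-Analysts
        "role": resolve_role(groups_from_id_token(token)),  # Editor beats Viewer
    }


if __name__ == "__main__":
    print(demo())
```

With the prefix filter the token carries only the two ProsperOps groups and the user lands in the Editor role; with `.*` the same user's Finance-Analysts membership would also be sent to ProsperOps on every login, which is why the narrow filter is the better default when the standard group names are in use.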

Configuring other identity providers

Contact help@prosperops.com for instructions.