Using the OKTA Authorization Server with Delve

How to set up OKTA authentication in Single-Page App mode so that it can be used instead of Delve's built-in authenticator.

Follow this guide to create the application inside OKTA so that your own OKTA authorization server can be used to sign in to Delve.  You must create a user account in Delve for each user who authenticates via OKTA, and that account must use the same email address in Delve and in OKTA.

Following this configuration will also allow OKTA initiated login via the OKTA "My Apps" portal.

Step-by-step guide

  1. Log in to your OKTA Admin account. The URL should be something like https://<company-name>.okta.com/
  2. Click the Applications menu, then the Add Application button, then Create New App.
  3. Select Single-Page App as your platform (the sign-in method should be OpenID Connect).
  4. Fill in the form with the following information:
    1. Name: Delve
    2. *optional* Base URIs: https://<delve-instance>.delvesecurity.app (alternatively, if you're using the old URL, it can be https://<delve-instance>.wardenscanner.com)
    3. Login Redirect URI:
      1. https://<delve-instance>.delvesecurity.app/okta-authorize (for Delve UI & API)
    4. Group assignments: any group in your OKTA domain to which you want to give access to Delve
  5. Once completed, make sure the information you provided is correct.
  6. Send the following information to Delve Labs by email (delve-support@delvesecurity.com) or by opening a ticket:
    1. OKTA Domain (e.g. company.okta.com)
    2. OKTA App Client ID

Delve expects an email address as the authentication identifier in order to match the OKTA identity to a Delve user (Delve users are identified by their email address as it appears in Delve under 'Settings>Users').

If your users log in to Okta using an email address (email@domain.com), you most likely do not require any Profile mapping changes in Okta.

⚠️ If your users log in to Okta using an attribute other than an email address, such as a userid (e.g. first.last), then you will need to update the Okta Profile mapping for Delve using the steps below.

    *Optional* Update OKTA Profile Mappings to Pass Email as Login

    As noted in the warning above, it might be necessary to create a custom Profile mapping in Okta to ensure that the email attribute is sent as the login variable to Delve.  This customization is done in Okta on a per-application basis.

    1.  In Okta, navigate to 'Applications>Delve', select the 'Sign On' tab, then select 'Configure profile mapping' in the 'Settings' section

    2.  In 'Delve User Profile Mappings', select 'Okta User to Delve'

    3.  Select the 'Override with mapping' option next to 'User is set by'; this adds a new row at the top of the attribute list

    4.  Choose the attribute 'email' (also shown as user.email); in the second column, select 'Apply mapping on user create and update'

    5.  The updated attribute mapping shows the following settings.

    6.  Select 'Save Mappings' and then 'Apply updates now' to save the changes

    7.  Log in to Delve using the Okta option with your Okta Domain
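The following script is an added diagnostic example, not code from Delve or Okta. It illustrates the matching rule described above (the identifier Okta sends must be an email address that exists as a Delve user) and lets you confirm the outcome of the profile-mapping steps before and after the change. It decodes the payload of an ID token to inspect the claim carrying the login identifier, without verifying the token signature (the relying party does that during login). The claim name `preferred_username`, the Delve user list and the sample tokens are assumptions and constructed values; the page does not state which claim Delve reads.

```python
"""Check whether the login identifier Okta sends would match a Delve user.

Added example (not Delve's or Okta's own code). Signature verification is
deliberately out of scope: this only reads claims to diagnose the
"userid instead of email" problem described in the guide.
"""
import base64
import json
import re
from typing import Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of Delve users as they would appear under Settings > Users.
DELVE_USERS = {"alice.smith@example.com", "bob@example.com"}

# Assumed name of the claim that carries the Okta login identifier.
LOGIN_CLAIM = "preferred_username"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def match_delve_user(identifier: str, users=DELVE_USERS) -> Optional[str]:
    """Case-insensitive match of an email identifier against the Delve user list."""
    if not EMAIL_RE.match(identifier):
        return None
    normalized = identifier.strip().lower()
    for user in users:
        if user.lower() == normalized:
            return user
    return None


def check_token(id_token: str, claim: str = LOGIN_CLAIM) -> dict:
    """Report the identifier found in the token and why it would (not) match."""
    claims = id_token_claims(id_token)
    ident = claims.get(claim)
    result = {"identifier": ident, "matched_user": None, "problem": None}
    if ident is None:
        result["problem"] = f"claim {claim!r} missing from ID token"
        return result
    if not EMAIL_RE.match(ident):
        # This is the case the guide warns about: Okta sends a userid such as
        # first.last, so the profile mapping must send user.email instead.
        result["problem"] = (f"{claim} is {ident!r}, not an email; update the Okta "
                             "profile mapping so user.email is sent as the login")
        return result
    user = match_delve_user(ident)
    if user is None:
        result["problem"] = f"no Delve user with email {ident!r}"
    result["matched_user"] = user
    return result


def make_sample_token(claims: dict) -> str:
    """Build a constructed, offline-only token whose signature is a placeholder."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "kid": "constructed-sample"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature-not-verified"


if __name__ == "__main__":
    # Before the mapping change: Okta sends the userid as the login identifier.
    before = make_sample_token({"sub": "00u-constructed", "preferred_username": "alice.smith",
                                "email": "alice.smith@example.com"})
    # After the mapping change: the email attribute is sent as the login identifier.
    after = make_sample_token({"sub": "00u-constructed",
                               "preferred_username": "alice.smith@example.com",
                               "email": "alice.smith@example.com"})
    for token in (before, after):
        print(check_token(token))
```

Run it against the two constructed tokens to see the "not an email" diagnosis for the userid case and a successful match once the email attribute is mapped as the login; to inspect a real token, paste its compact form into `check_token` after a test login.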