Provisioning Guide: Chorus.ai + Okta
We care deeply about ensuring we provide our customers with the highest level of security. One way to ensure your company’s Chorus instance is buttoned up is by using Okta for single sign-on to Chorus. This also enables your organization to provision and de-provision access to Chorus for individual users in one single platform.
This guide goes over the details of this feature, the configuration requirements, and step-by-step instructions to configure Provisioning for Chorus.ai.
The following provisioning features are supported:
- Push New Users
  - New users created through Okta will also be created in Chorus
- Push Profile Updates
  - Updates made to the user's profile through Okta will be pushed to Chorus
- Push User Deactivation
  - Deactivating the user or disabling the user's access to the application through Okta will deactivate the user in Chorus
  - Note: For this application, deactivating a user means removing access to log in, but maintaining the user's Chorus information as an inactive user
- Reactivate Users
  - User accounts can be reactivated in Chorus
Before you configure provisioning for Chorus.ai, you must reach out to the Chorus.ai Support team (firstname.lastname@example.org) to activate the feature.
Step-by-Step Configuration Instructions
To get started, reach out to the Chorus Support team (email@example.com) and let them know you want to use Okta for login and user provisioning. A Support representative will provide you with an API token specific to your organization.
- Check the Enable provisioning features box.
- Click Configure API Integration.
- Check the Enable API integration box.
- Enter the API Token provided by Chorus Support.
- Click Test API Credentials; if successful, a verification message appears at the top of the screen.
- Click Save.
- Select To App in the left panel, then select the Provisioning Features you want to enable.
- Click Save.
- You can now assign people to the app (if needed) and finish the application setup.
- When assigning users or groups, Chorus.ai app attributes must be selected for Chorus Role and Chorus License Type.
The Chorus.ai app was updated in February 2020 to provide a better overall experience to Okta customers. This section is relevant only if you already have an existing Chorus application from the Okta Integration Network; otherwise, skip it.
- Attribute Members ‘Chorus Role’ changed to support the new roles on the chorus.ai website.
To take advantage of these updates, you have to add a new instance of the Chorus.ai app in your Okta org. Follow the steps below to migrate from that old instance to a newly updated instance:
- Log in to your Okta org as an Admin.
- Open the Admin UI.
- Click on Add Applications.
- Add a new instance of Chorus.ai.
- Configure the application, including Provisioning. See the earlier section, Step-by-Step Configuration Instructions.
- After SCIM Provisioning has been enabled, go to the Assignments tab of your new Chorus.ai app instance. Click Assign and start assigning the same users/groups that are assigned to your old Chorus.ai instance. Make sure you assign all the users to your new Chorus.ai instance to avoid any accidental de-provisioning/loss of access for your users.
- Go back to your Admin Dashboard.
- Open your old Chorus.ai app instance. NOTE! This is the previous Chorus.ai app you added before adding a new one in step 4.
- Go to the Provisioning tab.
- In the SETTINGS section, click on API.
- Click on Edit and uncheck Enable API Integration. Click Save.
- You can now deactivate or delete your old Chorus.ai app instance and continue using the new app that you added.
- If you were using SAML as the sign-on mode for your old Chorus.ai app instance, you will need to set up SAML on your new app instance in Okta (recommended) or maintain the old app instance to ensure that the SAML functionality continues to work.
- Setting up SAML guide:
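A pre-cutover check for the migration steps above, as an added example that is not part of the original guide or of Chorus.ai's or Okta's tooling: it compares the app-user lists of the old and new Chorus.ai instances, in the shape returned by Okta's List Application Users endpoint (`GET /api/v1/apps/{appId}/users`), and reports anyone who would lose access or who lacks a Chorus Role or Chorus License Type value. The profile keys `chorusRole` and `chorusLicenseType` are hypothetical names, and the sample data is constructed.

```python
import json

# Constructed sample data, shaped like Okta's "List Application Users" response.
# Profile keys and values are hypothetical placeholders, not Chorus.ai's real ones.
OLD_INSTANCE = json.loads("""[
 {"scope": "USER",  "credentials": {"userName": "ana@example.com"},
  "profile": {"chorusRole": "ROLE_A", "chorusLicenseType": "LICENSE_A"}},
 {"scope": "GROUP", "credentials": {"userName": "Ben@example.com"},
  "profile": {"chorusRole": "ROLE_B", "chorusLicenseType": "LICENSE_B"}},
 {"scope": "GROUP", "credentials": {"userName": "cy@example.com"},
  "profile": {"chorusRole": "ROLE_B", "chorusLicenseType": "LICENSE_B"}}
]""")
NEW_INSTANCE = json.loads("""[
 {"scope": "USER",  "credentials": {"userName": "ana@example.com"},
  "profile": {"chorusRole": "ROLE_A", "chorusLicenseType": "LICENSE_A"}},
 {"scope": "GROUP", "credentials": {"userName": "ben@example.com"},
  "profile": {"chorusRole": "ROLE_B", "chorusLicenseType": null}}
]""")

REQUIRED_ATTRS = ("chorusRole", "chorusLicenseType")  # hypothetical key names


def by_username(app_users):
    """Index app-user objects by case-folded userName."""
    return {u["credentials"]["userName"].casefold(): u for u in app_users}


def cutover_report(old_users, new_users, required=REQUIRED_ATTRS):
    """Report what still blocks retiring the old app instance."""
    old, new = by_username(old_users), by_username(new_users)
    # Assigned on the old instance only: these users would lose access.
    # The scope tells the admin whether to assign a user or a group.
    missing = sorted((name, old[name]["scope"]) for name in old.keys() - new.keys())
    # Assigned on the new instance but lacking a required app attribute.
    incomplete = {}
    for name, user in sorted(new.items()):
        absent = [a for a in required if not (user.get("profile") or {}).get(a)]
        if absent:
            incomplete[name] = absent
    return {"missing_in_new": missing, "incomplete": incomplete,
            "safe_to_retire_old": not missing and not incomplete}


if __name__ == "__main__":
    print(json.dumps(cutover_report(OLD_INSTANCE, NEW_INSTANCE), indent=2))
```

Run it on exports of both instances before unchecking Enable API Integration on the old one; an empty report means every old assignment has a complete counterpart on the new instance.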
Follow the steps below to set up Manager provisioning:
- In Okta, go to the Chorus application > Provisioning > To App
- Under Create Users, add a new user.
- Under Attribute Mappings, you can see all attributes and set their values.
- The Manager attribute should be populated with the manager’s email, not other ID fields.
- Select Map from Okta Profile to automatically push this information into Chorus.
- When new users are assigned Chorus, their manager email will be applied by default and assigned in Chorus automatically.
Manually changing a user’s manager in Okta
Edit a user in Okta to set a different manager's email address to automatically push to Chorus.
Automatically update Teams in Chorus
If you have successfully added manager to provisioning in Okta, your Teams in Chorus are updated automatically for every user that is created or updated with the manager field.
- Initial activation of Okta provisioning in Chorus.ai requires contacting Chorus.ai Support (firstname.lastname@example.org). Please reach out with any questions during your configuration process.
- Chorus.ai does not support modifications to the username or email address.
- Note: When users are deactivated in Okta, they will be deactivated in Chorus. Users will not be able to log in to the application, but their data will remain available as an ‘inactive user’. To permanently delete user data, contact Chorus.ai Support (email@example.com).
All done Provisioning Chorus for Okta? Proceed to the next step: Set Up Organization Settings