Okta SSO
Files.com supports Single Sign-On with Okta using either SAML or OpenID Connect (OIDC). We recommend using SAML if possible, because it is a more robust integration technology that supports more use cases, and it also offers seamless user and group provisioning using SCIM. Both sets of instructions are presented here. Note that you can also have more than one Okta instance or app connected to your Files.com site.
Okta SSO via SAML
Below are the instructions for adding Files.com as an application in Okta for SAML integration.
Adding Files.com in Okta via SAML
After logging in to your Okta account as an administrator, navigate to Applications and click the Create App Integration button.
From the Create a new app integration window, select SAML 2.0 as Sign-in method and click Next.
In the form, enter "Files.com" in the App name field and click Next.
Complete the form using the following values (leave other fields at their defaults):
Field | Value |
---|---|
Single sign-on URL | https://app.files.com/saml/consume |
Audience URI (SP Entity ID) | https://app.files.com/saml/metadata |
Default RelayState | [SUBDOMAIN].files.com (Replace [SUBDOMAIN] with your Files.com subdomain). |
Name ID format | EmailAddress |
Application username | |
Update application username on | Create and Update |
Then click Next, choose I'm an Okta customer adding an internal app (leave other fields at their defaults), and click Finish.
On the App details Sign On page, copy the Identity Provider metadata URL. You will need this URL when adding Okta in Files.com.
Adding Okta in Files.com via SAML
Select Okta from the SSO providers list, then select Use SAML, and enter the Display Name.
There are three different ways to connect to a SAML provider, described below. Choosing the correct method depends on your requirements. The Metadata URL is the simplest option as it automatically handles updates, such as certificate renewals or changes to service provider URLs. For example, if Okta's certificate expires, the Metadata URL will automatically pick up the new certificate, while Metadata XML or Certificate Fingerprint requires manual updates. If automatic updates are not required, Metadata XML works well but requires manual intervention when changes occur. Certificate Fingerprint is the most manual option, giving more control over updates but requiring more effort to manage in the long term.
Using Metadata URL
Paste the Identity Provider metadata URL you copied from Okta into the Metadata URL field.
Using Metadata XML file
If you need to use a metadata XML file to connect to Okta via SAML, as an Okta administrator, save the content of the Identity Provider metadata URL to an XML file. In Files.com, select the Metadata XML file option and select the XML file you created from Okta.
Using Certificate Fingerprint
If you need to use Certificate Fingerprint to connect to Okta via SAML, download the certificate from the Okta application dashboard. To get the certificate and issuer URL, go to the application you created in Okta and click Sign On -> View Setup Instructions. Once the certificate is downloaded to your local machine, run the following command in a terminal to obtain the certificate's fingerprint.
In Files.com, select the Certificate Fingerprint option and paste the fingerprint you obtained from the above command. Also paste the Issuer URL you copied from Okta. You can use the same URL for both the SLO endpoint and the SSO endpoint.
Lastly, click the Save button to apply the changes.
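As an added example (not code from Files.com or Okta), the following Python reads a SAML IdP metadata document, extracts the issuer (entityID), the SSO/SLO endpoints and the signing certificate, and computes the certificate fingerprint, which is everything the Certificate Fingerprint method asks you to paste by hand. The metadata and app ID are constructed placeholders, and because this page does not say which digest the Files.com fingerprint field expects, both SHA-1 and SHA-256 are produced; `fingerprint_changed` is the drift check you would run after an Okta certificate rotation, since only the Metadata URL method absorbs that automatically.

```python
# Added example, not Files.com or Okta code. Parses IdP metadata for the
# values the Certificate Fingerprint method needs and computes fingerprints.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the Identity Provider metadata Okta publishes.
# EXAMPLE_APP_ID is a placeholder; the certificate bytes are NOT a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/EXAMPLE_APP_ID">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        Q09OU1RSVUNURUQ=
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://example.okta.com/app/EXAMPLE_APP_ID/sso/saml"/>
    <md:SingleLogoutService Location="https://example.okta.com/app/EXAMPLE_APP_ID/slo/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER-encoded certificate."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_idp_metadata(xml_text: str) -> dict:
    """Return issuer, SSO/SLO endpoints and fingerprints from IdP metadata."""
    root = ET.fromstring(xml_text)
    cert_b64 = root.find(".//ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))  # drop whitespace
    sso = root.find(".//md:SingleSignOnService", NS)
    slo = root.find(".//md:SingleLogoutService", NS)
    return {"issuer": root.get("entityID"),
            "sso_url": None if sso is None else sso.get("Location"),
            "slo_url": None if slo is None else slo.get("Location"),
            "sha1": fingerprint(der, "sha1"),
            "sha256": fingerprint(der, "sha256")}

def fingerprint_changed(configured: str, metadata: dict) -> bool:
    """True when the fingerprint saved in Files.com no longer matches the
    certificate the IdP currently publishes (e.g. after an Okta certificate
    rotation); with the fingerprint method this must be fixed by hand."""
    wanted = configured.replace(":", "").upper()
    current = {metadata[k].replace(":", "") for k in ("sha1", "sha256")}
    return wanted not in current
```

Point `parse_idp_metadata` at the XML saved from your Identity Provider metadata URL to get the real values; the same parse also yields the Issuer and SSO/SLO URLs for the Files.com form.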
The Okta SSO method will now be available when assigning an authentication method for a user in Files.com, and the Sign in with Okta button will be displayed on your site's login page.
It is strongly recommended to keep at least one site administrator with the password option as the authentication method, rather than assigning all to SSO, to prevent being locked out of Files.com in case of IdP or SSO issues.
Okta SSO via OAuth or OpenID Connect
Below are the instructions for adding Files.com as an application in Okta via OAuth or OpenID Connect (OIDC). If you plan to use SCIM for user and group provisioning, note that SCIM provisioning is only compatible with the SAML-based integration, not with OAuth or OpenID Connect (OIDC).
Adding Files.com in Okta
After logging in to your Okta account as an administrator, navigate to Applications and click the Create App Integration button.
Select OIDC - OpenID Connect as the Sign-in method, select Web Application as the Application type, and then click the Next button.
In the form, enter Files.com in the App Integration Name field, and enter the following URL in the Sign-in redirect URIs field. You can use the same URL for Sign-out redirect URIs.
Select the appropriate option under Controlled access in the Assignments section based on your requirements.
Click the Save button to finish adding the application. In the integration summary page, find the Client Credentials box. Click the clipboard icon next to the Client ID to copy it. Keep this browser tab open, as you'll be returning here to copy the Client Secret later.
Adding Okta in Files.com
A site administrator can add a new SSO Provider to your site. Select Okta as the provider type and select Use OAuth.
You should provide a Display Name for your new provider; this will be shown on the login page of your Files.com site.
Enter your Okta subdomain into the Subdomain field, and paste the Client ID you copied in the previous step into the Client ID field.
Copy your Client secret from Okta, and paste it into the Client secret field in Files.com.
The Okta SSO method will now be available when assigning an authentication method for a user in Files.com, and the Sign in with Okta button will be displayed on your site's login page.
It is strongly recommended to keep at least one site administrator with the password option as the authentication method, rather than assigning all to SSO, to prevent being locked out of Files.com in case of IdP or SSO issues.
Provisioning Users Automatically
There are two ways to automatically provision users via Okta.
SCIM Provisioning
SCIM Provisioning is a standard that allows your Users to be automatically provisioned in Files.com from Okta. Note that SCIM provisioning is only compatible with SAML-based integration, not OAuth or OpenID Connect (OIDC).
First, you'll need to select the "SCIM" provisioning method in Okta at Applications -> Files.com -> App Settings -> Provisioning.
Then use the following settings in Okta at Applications -> Files.com -> Provisioning -> SCIM Connection:
Field | Value |
---|---|
SCIM connector base URL | https://app.files.com/api/scim |
Unique identifier field for users | |
Supported provisioning actions | Check all applicable actions |
Authentication Mode | Basic Auth or HTTP Header |
If Authentication Mode is set to Basic Auth, generate the Basic Auth username and password in Files.com by navigating to the advanced settings in the Add/Edit SSO provider form. Under the Enable automatic user provisioning via SCIM? section, select Basic, then click Generate SCIM Username and Password. Copy both values and enter them in Okta for SCIM provisioning. Note that the credentials will only become active after saving the Add/Edit SSO provider form.
If Authentication Mode is set to HTTP Header, generate the bearer token by selecting Token in the same section, then click Save to generate the token. Copy the token and enter it in Okta for SCIM provisioning setup.
In Okta at Applications -> Files.com -> Provisioning -> To App, ensure that Create Users, Update User Attributes, and Deactivate Users are checked.
After setting the above, your Okta users assigned to the Files.com application in Okta will be provisioned to Files.com and should be able to log in to Files.com via SSO.
Files.com offers numerous configuration options for SCIM provisioning, detailed in the Configuration Options section under our SCIM provisioning documentation.
Just-In-Time (JIT) Provisioning
JIT Provisioning operates by generating user records on Files.com upon their initial successful login. While this method is simpler than SCIM, it does have limitations. For instance, JIT can provision users but lacks the ability to delete or disable them. Files.com will automatically use Just-In-Time (JIT) Provisioning if you don't set up SCIM.