Overview
This article covers how to use Okta for Single Sign On (SSO) and System for Cross-domain Identity Management (SCIM) for your Ramp account.
SSO will allow your employees to access Ramp through Okta seamlessly and securely. SCIM will allow you to manage your Ramp users from the Okta platform. With SCIM you can invite users, update profile attributes, and terminate users automatically via Okta. For more information on how automated provisioning works on Ramp, please see our article on expected product behavior.
Install the Ramp Application in Okta
In order to set up SAML authentication, you must first set up the Ramp application in Okta.
- In a new browser tab, log in to your Okta tenant
- Navigate to Applications > Applications:
- Click Browse App Catalog, search for Ramp, and click on the Ramp Application to view
- Click Add Integration
- Under General Settings:
- Enter the Application Label. You can change the application label, but we recommend using “Ramp.” This is the app name that your employees will see when accessing Ramp via Okta.
Since Ramp does not support IdP-initiated logins, you should check the box: Do not display application icon to users
Set Up Okta SSO on Ramp
Supported SAML Features
The Okta/Ramp SAML integration currently supports the following features:
- SP-initiated SSO
- JIT (Just In Time) Provisioning
Configuration Steps
- In a new browser tab, log in to your Okta tenant
- Navigate to Applications > Applications
- Open the Ramp application in Okta
- Switch to the Sign On tab
- Copy the "Metadata URL"
- In a new browser tab, log in to Ramp
- Navigate to: Settings > Company Settings
- From the Company Profile tab, scroll down to the Account Access section
- Click on Enable Okta Single Sign-On
- Paste the metadata URL (copied in Step 5) into the text field as instructed:
- OPTIONAL - If you want to create a bookmark app, you can follow these instructions from Okta and you can get your bookmark URL from your company settings page in Ramp
Note
Ensure that you entered the correct value in the "Subdomain" field under the General tab. The wrong subdomain value prevents you from authenticating through SAML to Ramp.
Since only SP-initiated flow is supported, Okta recommends hiding the application icon for users.
The following SAML attributes are supported:
Name | Value |
user.email | |
firstName | user.firstName |
lastName | user.lastName |
SP-initiated SSO
- Go to: https://ramp.com/sign-in
- Click Sign in with Okta.
- Enter your email, then click Continue to Okta.
Setting Up SCIM for User Provisioning
(Coming Soon!)
- In a new browser tab, log in to your Okta tenant
- Navigate to Applications > Applications
- Open the Ramp application
- Switch to the Provisioning tab
- Click Configure API Integration
- Check the Enable API Integration box
- Enter your Ramp API token and integration ID and click Test API Credentials. (These can be found on your Ramp account where you create the SCIM integration: Settings > Integrations > SCIM)
- After configuring your credentials, the "To App" and "To Okta" options will appear in the left side menu. Click on: To App to configure the activity from Okta to Ramp. (You will not need to configure the To Okta activity as this is a one-way integration)
- Ensure that the following are checked and enabled:
- Create Users
- Update User Attributes
- Deactivate Users
- Do not enable "Sync Password"
- Ensure all the required attribute mappings are present and accurate.
- The fields in the “Attribute Name” column are the SCIM fields that get sent to Ramp. These cannot be changed.
- The fields in the “Value” column are the user profile fields from Okta that you want to use for the attribute.
- The “Value” fields used below are examples only. You may map them to any user profile field you want.
Attribute Name | Value | Apply On | Notes |
userName | | | This attribute cannot be configured |
givenName | user.firstName | Create and Update | |
familyName | user.lastName | Create and Update | |
email | user.email | Create and Update | |
emailType | (user.email != null && user.email != '') ? 'work' : '' | Create and Update | Ramp will only accept emails that Okta indicates are their primary email or “work” email |
locality | user.city | Create and Update | This value will be used to set the user’s location in Ramp. If the location does not exist in Ramp yet, it will be automatically created. If Ramp receives a request to create or update a user with no locality set, it will be rejected. |
department | user.department | Create and Update | This value will be used to set the user’s department in Ramp. If the department does not exist in Ramp yet, it will be automatically created. If Ramp receives a request to create or update a user with no department set, it will be rejected. |
managerValue | user.managerId | Create and Update | This should be the user's manager's email address. If the user's manager does not have a Ramp account, the user will not have a manager in Ramp. The manager must exist on Ramp (or already be invited) in order to be assigned as the manager. |
Attribute <> Ramp User Profile Mapping
Attribute Name | Ramp User Profile | Required? |
userName | Not shown on the Ramp user profile. We use this as a unique identifier on the back end. | Yes |
givenName | First Name | Yes |
familyName | Last Name | Yes |
email | Email address | Yes |
emailType | Not used on the Ramp user profile. This is required to validate that the email address is the user’s work email | Yes |
locality | Location | Yes |
department | Department | Yes |
managerValue | Manager | No |
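The required-attribute rules above can be checked before users are assigned to the app. The following is an added example, not Ramp's or Okta's code: it validates a SCIM 2.0 User resource, assuming the attribute names map to the standard RFC 7643 paths (name.givenName, emails[].type, addresses[].locality, and the enterprise extension's department and manager.value). The function name and the sample users are constructed for illustration.

```python
# Added example: pre-flight check of a SCIM 2.0 User resource against the
# provisioning rules stated in this article. SCIM paths follow RFC 7643;
# how Ramp reads the payload internally is an assumption.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def check_scim_user(user, known_ramp_emails):
    """Return (errors, warnings) for one SCIM User dict."""
    errors, warnings = [], []
    name = user.get("name") or {}
    ext = user.get(ENTERPRISE) or {}

    for label, value in (("userName", user.get("userName")),
                         ("givenName", name.get("givenName")),
                         ("familyName", name.get("familyName"))):
        if not value:
            errors.append(f"{label} is required")

    # Only an email typed "work" or flagged primary is accepted.
    emails = [e for e in user.get("emails") or [] if e.get("value")]
    if not any(e.get("type") == "work" or e.get("primary") is True for e in emails):
        errors.append("no work or primary email (check the emailType mapping)")

    # A create or update without locality or department is rejected.
    if not any(a.get("locality") for a in user.get("addresses") or []):
        errors.append("locality is required (is user.city empty in Okta?)")
    if not ext.get("department"):
        errors.append("department is required")

    # Manager is optional, but it is not assigned unless that email already
    # exists (or has been invited) on the Ramp side.
    manager = (ext.get("manager") or {}).get("value")
    if manager and manager.lower() not in known_ramp_emails:
        warnings.append(f"manager {manager} not in Ramp; user will have no manager")
    return errors, warnings


# Constructed sample data, not taken from a real tenant.
KNOWN = {"lead@example.com"}
GOOD = {"userName": "ana@example.com",
        "name": {"givenName": "Ana", "familyName": "Diaz"},
        "emails": [{"value": "ana@example.com", "type": "work", "primary": True}],
        "addresses": [{"locality": "Austin"}],
        ENTERPRISE: {"department": "Finance", "manager": {"value": "lead@example.com"}}}
BAD = {"userName": "bo@example.com",
       "name": {"givenName": "Bo", "familyName": "Lee"},
       "emails": [{"value": "bo@example.com", "type": "home"}],  # mapping overridden
       "addresses": [{"locality": ""}],
       ENTERPRISE: {"manager": {"value": "ghost@example.com"}}}
```

Running `check_scim_user` over an export of the Okta profiles you plan to assign shows which users would be rejected for a missing city or department before the first provisioning push.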