Okta

Last Updated: April 07, 2026

An identity provider (IdP) uses an authentication token to vouch for a person's identity. Vasion Automate uses IdPs for several tasks, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) supports only badge and PIN authentication.

Key Points

Review the following key points:

  • These steps follow Okta's classic user interface rather than the Developer Console user interface.
  • Systems for Cross-domain Identity Management (SCIM) configurations generally require Okta Lifecycle Management licensing.
  • Okta might show two PrinterLogic apps. Use the PrinterLogic SaaS (with support for multiple instances) option.

Configure Connection

To add and configure enterprise app properties for the Vasion Print connection, do the following:

  1. Create the Okta App.
  2. Add the IdP Settings Template.
  3. Configure Single Sign-On (SSO).
  4. Add the X-509 Certificate.
  5. Complete IdP Settings.
  6. Configure Provisioning.
  7. Add Vasion Print Admins.

1. Create the Okta App

  1. Log in to your Okta portal.

  2. In the left-side menu, expand Applications and select the Applications option.

    Okta portal showing expanded Applications menu and Applications option.

  3. Select the Browse App Catalog button.
  4. Search for PrinterLogic in the Search field, and select PrinterLogic SaaS (with support for multiple instances).
  5. Select the Add Integration button.
  6. In the Application label field, name your app.
  7. Select your instance region from the Region dropdown menu.
  8. Enter your subdomain in the Subdomain field.
  9. Select Done in the lower-right corner.
  10. Leave the current browser open on the new app screen for the following steps.

Okta portal showing General Settings tab, Region and Subdomain fields, and Done button.

2. Add the IdP Settings Template

If the IdP Settings modal does not look like the image below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

  1. Open your Vasion Print Admin Console in a new browser tab, and log in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the IdP that you want to configure from the IdP Template dropdown menu.
  5. Select SAML2 in the Authentication Protocol section.

  6. In the Provisioning section, if you are using Systems for Cross-domain Identity Management (SCIM), leave the JIT option deselected.

    By default, the Admin Console assumes that you are using SCIM for provisioning. Only select JIT if you are not using SCIM.

  7. In the Name field, enter the name that you want to appear on the login button for users. For example, My Company, Login, or Acme Corp.
  8. Scroll down, and select the desired settings:
    • Enable for End User Login: Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login: Allows admins to log in using this IdP. (Admin Console)
    • You can select both checkboxes when you are using a single IdP or the admin and end users use the same IdP to log in.

Keep the IdP Settings modal open so that the Service Provider Information section at the bottom is available for the following steps.

IdP Settings showing multiple fields and Service Provider Information section.

3. Configure Single Sign-On (SSO)

  1. In the Okta app, select the Sign On tab and then select Edit on the right.
  2. In the Vasion Print Admin Console, copy the Relay State in the Service Provider Information section, and paste it in the Okta Default Relay State field.

  3. In the Okta Metadata details section, select More details to expand.

    Okta Metadata details section showing the Sign on URL.

  4. Copy the Sign on URL and paste it into the Admin Console SSO URL field.
  5. Press Tab in the Admin Console to autopopulate the Issuer URL and Issuer ID fields.
  6. Scroll down to the Okta Advanced Sign-on Settings section.
  7. Copy the Admin Console IdP Identifier, and paste it in the Okta IDP ID field.
  8. Select Save in the Okta app.

Okta app showing "Sign on methods" section and Default Relay State field.

4. Add the X-509 Certificate

  1. Select View SAML setup instructions on the right. A new screen appears with additional information.

    SAML section showing the View SAML Setup Instructions button on the right.

  2. Copy the X-509 Certificate to cut and paste in PEM Text Format.

    Okta app showing View Setup Instructions screen and X-509 certificate.

  3. Paste the X-509 certificate in the Admin Console X-509 Certificate field.
  4. Select Apply.

  5. Select Save.

    The Admin Group Name field stays blank unless you are using an attribute statement for additional security. You can set up an attribute statement after the initial IdP configuration by following the steps in Additional Admin Console Security.

IdP Settings showing X-509 Certificate and other fields configured.

5. Complete IdP Settings

  1. In the General settings of the Vasion Print Admin Console, navigate to the Identity Provider Settings section.

  2. To have Vasion Print prompt users to authenticate through the IdP when performing any function that requires authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If you do not select this option, users must manually navigate to the IdP login screen to log in.

  3. We recommend enabling the Use Loopback with Saml 2.0 (recommended) option. The IdP needs to provide an authentication token to the desktop Client whenever authentication happens. This option allows the Client to handle the token and automatically log in without interaction from end users.

    General settings showing Identity Provider Settings section with IdP option and other options selected.

  4. The option Use Domain User (Windows only) automatically authorizes domain-joined Windows users and does not require log in via the configured IdPs.
  5. Select Save in the upper-right corner of the General settings.

6. Configure Provisioning

The provisioning steps vary depending on whether you are using Systems for Cross-domain Identity Management (SCIM) or Just-in-Time (JIT) provisioning. Choose the appropriate option below to view the corresponding steps.

SCIM Provisioning

Enable SCIM Provisioning

  1. In the Okta app, select the Provisioning tab.
  2. Select Configure API Integration.
  3. Select Enable API integration.

Okta app showing Provisioning tab and "Enable API integration" checkbox.

Generate & Apply a SCIM Token

  1. In the Vasion Print General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration from the dropdown menu.

  3. Select Generate SCIM Token.

    Identity Provider Settings section showing SCIM option with IdP selected from dropdown menu and Generate SCIM Token button to right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Copy the token, close the modal, and select Save in the upper-right corner of the General settings.
  5. In the Okta app, paste the token in the API Token field in the Provisioning tab.
  6. Select Test API Credentials. A notification appears if the token verified successfully.
  7. Select Save in the Okta app.

Okta app showing Provisioning tab with "Enable API integration" selected, API Token field completed, and Test API Credentials button.

Enable the To App Settings

  1. In the Okta app, select To App from the left-side menu.
  2. Select Edit to the right.
  3. Select the Enable checkboxes for the following.
    1. Create Users.
    2. Update User Attributes.
    3. Deactivate Users.
  4. Select Save in the lower-right corner.

Okta app showing "Provisioning to App" section and Create Users, Update User Attributes, and Deactive Users checkboxes.

Assign Users & Groups

Note that Okta does not support assigning the same groups on the Assignments and Push Groups tabs. For example, if you assign Group A on the Assignments tab, you should not assign Group A on the Push Group tab.

A best practice is to create an Okta group that includes all users who need access to the Vasion Print app, which should consist of admin users who require access to the Admin Console and end users who only need access to the Self-service Portal. Assign this group on the Assignments tab in Okta, which provisions all the necessary user records into the instance without any group membership data. You can then assign your role-specific groups, such as Admin, Help Desk, etc., on the Push Group tab, which provisions the group membership data needed for Role-Based Access Control (RBAC), portal security, and deployment rules.

For more details refer to the official Okta documentation on the Push Group tab.

Assignments Tab: Assign Users & Groups

Follow these steps:

  1. In Okta, select the Assignments tab.

  2. Select the Assign menu.

    Okta Admin Console showing expanded Assign menu and "Assign to People" and "Assign to Groups" options.

  3. To grant access to individual users, select Assign to People. To grant access to groups, select Assign to Groups.
  4. Search for the desired users or groups, and select Assign.
  5. Scroll down to the bottom, and select Save and Go Back.
  6. Select Done.
  7. Repeat these steps for any additional users or groups.

Okta Admin Console showing modal, search results, and Assign and Done buttons.

Push Groups Tab: Assign Groups

If you need to provision group membership information into Vasion Print, do the following:

  1. In Okta, select the Push Groups tab.
  2. Select the + Push Group menu.

  3. Select Find groups by name.

    Okta Admin Console showing expanded + Push Groups menu.

  4. Search for and select the desired groups.

    Ensure that the groups you select on this tab are not the same groups that you assigned on the Assignments tab.

  5. In the Match result & push action column, confirm that + Create Group is selected.

    Okta Admin Console showing Push Groups tab with selected group and + Create Group option.

  6. Select Save.
  7. In the Push Status column, confirm that the status changes from Pushing to Active.

Okta Admin Console showing Push Groups tab. Pushed group has Active status in Push Status column.

JIT Provisioning

Assign Users

JIT does not support the provisioning of group membership associations, so you cannot apply Role-Based Access Control (RBAC) roles, printer deployments, or portal security roles to groups. You must create assignments individually for each user.

  1. In the Okta app, select the Assignments tab.

  2. Select the Assign dropdown menu.

    Okta app showing Assignments tab, expanded Assign menu, and "Assign to People" option.

  3. Select Assign to People to assign individual users.
  4. Search for the desired users, and select Assign.
  5. Select Done.
  6. Repeat these steps for any additional users.

Okta app showing "Assign to People" modal and Assign and Done buttons.

Create Users

When using JIT provisioning, the app creates users during the first login attempt:

  1. Access your Vasion instance, and select Sign In With <IdP Name>.
  2. Attempt to log in with your IdP credentials.

  3. This login attempt fails and returns you to the login screen.

    This behavior is expected. With JIT, this action triggers user creation in the Vasion instance.

  4. The second login attempt with valid credentials initiates a typical login sequence.

For admins who need access to the Admin Console, you still need to add them to the Users page located in Tools then Users.

7. Add Vasion Print Admins

For steps on assigning users and roles to the Vasion Print and Vasion Automate Admin Console, refer to Admin Console Users.