Applies to: Okta
Summary
Hanwha Vision Cloud offers Okta SSO (Single Sign-On) integration to enhance security and simplify user management. This article outlines integration options, core policies, and key system changes after implementation.
Integration Options
Administrators can choose between two options based on their organization’s management needs.
| Category | Option 1: Auth (SSO) only | Option 2: Auth & Provisioning |
| --- | --- | --- |
| Core Function | Login (SSO) integration only. | Login + Automatic account synchronization. |
| How it Works | Authentication via Okta; admins manually add or convert users in Cloud Portal. | Accounts are automatically created/deleted via SCIM when assigned in the Okta App. |
| Source of Truth | Cloud Portal (Admins can edit names and phone numbers in Cloud Portal). | Okta (User info is Read-only in Cloud Portal; it must be edited in Okta). |
| Best For | Organizations using SSO for only a specific group of users. | Organizations requiring centralized IT management and automated onboarding. |
Core Integration Policies
- Single IdP Policy: An organization (ORG) can connect to only one external Identity Provider (IdP). If LDAP is currently active, it must be disconnected before you can configure Okta.
- Exclusion Policy (Protected Accounts): For security and management continuity, certain accounts cannot be converted to Okta accounts:
  - Super Admins (CSA/PSA): To prevent lockouts if the Okta integration is disconnected, Super Admins must always remain as Hanwha Vision accounts.
  - Installers (Role vs. Account Type):
    - In Customer ORGs: A user holding the Installer role within a Customer ORG cannot be converted to or created as an Okta account within that specific Customer ORG.
    - In Partner ORGs: A technician can be converted to an Okta account within their own Partner ORG. These Okta-managed technicians can then be assigned as an Installer to various Customer ORGs and perform their duties normally.
- Account Coexistence Across Organizations: Since Okta integration is configured at the ORG level, a single email address can hold different account types across different ORGs:
  - Within an Okta-integrated ORG: You must use your Okta account. If you previously had a Hanwha Vision account in this specific ORG, it will be replaced by the Okta account.
  - In Other ORGs (Not integrated with Okta): You can continue to use your Hanwha Vision account with your existing password. Your access to these organizations remains unchanged even if you switch to Okta for another organization.
- Multi-ORG Limitation (Okta-only): An Okta account itself cannot belong to multiple Customer ORGs. It is strictly tied to the organization where the integration is active. (Exception: Partner technicians can access multiple Customer ORGs via the Installer role.)
Key Changes After Integration
- Unified Login Experience: When a user enters their email on the login page, the system automatically detects the account type. Okta-managed users are redirected to the Okta sign-in page immediately, while others proceed with their Hanwha Vision account password.
- 2FA Policy: Two-factor authentication (2FA) requirements for Okta accounts are determined strictly by your Okta tenant settings. Organization-level 2FA settings in Cloud Portal will not apply to Okta-managed users.
- User Identification: An SSO banner is displayed for Okta-managed users in user lists and profile pop-ups to distinguish them from Hanwha Vision account users.
- Management Restrictions: For Okta accounts, Cloud Portal administrators cannot use the Reset Password, Resend Invitation, or Unlock User features, as these credentials are managed through the Okta console.