Using Okta as Your Identity Provider

Okta is a third-party identity provider (IdP) that can act as the IdP when your users log on to Commvault. Commvault is the service provider (SP).

To integrate with Okta, add a SAML application in your Okta account and in Command Center. Metadata from the Okta application (IdP) is shared with the Command Center application (SP) during this process.

Step 1: Creating an Application in Okta

  1. Log on to your Okta account.

    You will create a new application using SAML 2.0 as the sign on method.

  2. Follow the wizard for the general settings.
  3. Under Configure SAML > SAML Settings, in the Single sign on URL box and the Audience URI (SP Entity ID) box, enter the URL for the Web Console using the following format: https://mycompany:443/webconsole.

  4. From the Name ID format list, select Email Address.
  5. Continue to follow the wizard and accept the default values.
  6. Click Finish.
  7. Open the application, and then click Sign On.

  8. Under the View Setup Instructions button, click Identity Provider metadata, and then save the IdP metadata file as an XML file.

    The identity provider metadata file that you save is the IdP metadata file that you will upload to Commvault.

  9. Keep your Okta account open.

    The value in the Single sign on URL box in Okta must be updated after a new URL is created in Commvault.
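
The following is an added example, not Commvault or Okta code: a check you can run on the IdP metadata file saved in step 8 before uploading it to Commvault. It reports the entityID, the SHA-256 fingerprint of each signing certificate, and the sign-on endpoints, and flags missing or non-HTTPS values. The function name, the sample metadata, and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of an IdP metadata file. The certificate
# value is placeholder bytes, not a real X.509 certificate.
SAMPLE_CERT = base64.b64encode(b"constructed placeholder certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor entityID="http://www.okta.com/EXAMPLE"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/app/sso/saml"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Summarize a saved IdP metadata file and list problems found in it."""
    if "<!DOCTYPE" in xml_text:  # metadata never needs a DTD; reject entity tricks
        raise ValueError("refusing metadata that declares a DOCTYPE")
    root = ET.fromstring(xml_text.encode("utf-8"))
    idp = root.find("md:IDPSSODescriptor", NS)
    keys = [] if idp is None else idp.findall("md:KeyDescriptor", NS)
    certs = [c for k in keys if k.get("use") != "encryption"
             for c in k.iter("{%s}X509Certificate" % NS["ds"])]
    sso = [] if idp is None else [
        (e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location", ""))
        for e in idp.findall("md:SingleSignOnService", NS)]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    if not certs:
        problems.append("no signing certificate")
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    problems += [f"non-HTTPS endpoint: {loc}" for _, loc in sso
                 if not loc.lower().startswith("https://")]
    return {"entity_id": root.get("entityID"),
            # SHA-256 over the decoded certificate bytes, for out-of-band comparison
            "cert_sha256": [hashlib.sha256(base64.b64decode(c.text or "")).hexdigest()
                            for c in certs],
            "sso": sso, "problems": problems}
```

To check a real file, pass the text of the saved XML file to inspect_idp_metadata and compare the fingerprint with the signing certificate of the Okta application.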

Step 2: Adding a SAML Application in Commvault

  1. In the upper-right corner of the page, click Add.

    The Add domain dialog box appears.

  2. Click SAML.
  3. In the Domain name box, enter the domain name that you want users to be associated with.

    Note: The SAML application is created using the domain name.

  4. In the SMTP address box, enter the SMTP address of the users.

    For example, if the username is jdoe@gmail.com, enter gmail.com as the SMTP address.


    • You can enter multiple SMTP addresses separated by a comma.
    • Only users with specified SMTP addresses will be able to log in using this app.
  5. Upload the IdP metadata:
    1. Next to the Upload IDP metadata box, click Browse.
    2. Browse to the location of the XML file that contains the IdP metadata, select the file, and then click Open.
  6. Review the value in the Webconsole url box.

    This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/webconsole.

  7. To digitally sign the SAML message, move the Auto generate key for digital signing of SAML messages toggle key to the right.
  8. Click Save.

    The Identity servers page appears.

  9. In the Name column, click the identity server.

    The identity server properties page appears.

  10. In the General section, copy the value in the Single sign on url box.

    This value must be updated in Okta.

Step 3: Update the Single Sign-on URL in Okta

  • In your Okta account, under Configure SAML > SAML Settings, in the Single sign on URL box, paste the URL that you copied from Command Center.

    This is the value from the Single sign on url box.

Step 4: Optional Okta Configurations

  1. To configure single logout in Okta, complete the following steps:
    1. From the generated SP metadata XML file, copy the following information:
      • SP EntityId
      • SingleLogoutService location with POST binding
    2. To download the signature certificate, log on to Command Center, and then in your web browser, type the SAML App URL in the following format:

      https://webconsole_hostname/adminconsole/downloadSPCertificate.do?appName=URL encoded SAML app name

      Example: https://company.com/adminconsole/downloadSPCertificate.do?appName=app%20Name

    3. Press Enter.
    4. In your Okta account, under General > Advanced Settings, select the Enable Single Logout box.
    5. In the Single Logout URL box, type the SingleLogoutService location that you copied from the SP metadata XML file.
    6. In the SPIssuer box, type the entityID that you copied from the SP metadata XML file.
    7. In the Signature Certificate box, upload the certificate that you downloaded from the SAML app URL.
  2. To assign other Okta users access to your Okta account, complete the following steps:
    1. In your Okta account, under Assignments, click Assign, and then select one of the following options:
      • To assign individual Okta users, click Assign to People.
      • To assign a user group, click Assign to Groups.
    2. Select the user or group that you want to assign, and then click Add.
  3. To assign domain users based on Okta's user groups SAML attribute, complete the following steps:
    1. In your Okta account, under Group Attribute Statements, click Add.
    2. In the Name box, type user_groups.
    3. In the Filter box, assign filters as required.

      For example, to assign users from a user group name that starts with "domain users", select Starts With, and then type domain users.

    4. Preview the SAML assertion and verify that your IdP response XML includes the user group attribute. For example:

      <saml2:Attribute Name="user_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GroupName Match Starts with "domain users" (ignores case)</saml2:AttributeValue>
      </saml2:Attribute>

    5. In Command Center, map Okta's user_groups SAML attribute to the user group user attribute.

      For more information on mapping attributes, see Mapping SAML Attributes.
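
The following is an added example, not Commvault or Okta code: a check for the assertion preview in step 3 of the optional configurations. It confirms that the user_groups attribute is present and lists any released group that does not match the Starts With filter, compared without regard to case. The function names, the sample assertion, and the group names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute statement of a previewed assertion.
# The group names are invented for illustration.
SAMPLE_ASSERTION = """<saml2:Assertion
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="user_groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">Domain Users - Backup Admins</saml2:AttributeValue>
      <saml2:AttributeValue xsi:type="xs:string">domain users - restore only</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def released_groups(assertion_xml, attribute="user_groups"):
    """Return the group names carried in the named attribute, or None if absent."""
    root = ET.fromstring(assertion_xml)
    # iter() finds the attribute whether the root is a Response or an Assertion
    for attr in root.iter("{%s}Attribute" % NS["saml2"]):
        if attr.get("Name") == attribute:  # attribute names are case-sensitive
            return [(v.text or "").strip()
                    for v in attr.findall("saml2:AttributeValue", NS)]
    return None


def check_group_filter(assertion_xml, prefix="domain users"):
    """Compare the preview with a Starts With filter that ignores case."""
    groups = released_groups(assertion_xml)
    if groups is None:
        return {"present": False, "groups": [], "unexpected": []}
    unexpected = [g for g in groups
                  if not g.lower().startswith(prefix.lower())]
    return {"present": True, "groups": groups, "unexpected": unexpected}
```

An empty "unexpected" list means that the filter releases only the groups you intended to map in Command Center.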

Last modified: 4/15/2020 7:32:36 PM