Using Okta as Your Identity Provider

Okta is a third-party identity provider that can act as the IdP when your users log on to the Web Console or the Admin Console.

To integrate with Okta, add a SAML application in the Admin Console and in your Okta account.

Procedure

  1. In the Admin Console, begin to configure the SAML application:
    1. Open the Add SAML App dialog box, and in the Webconsole url box, copy the URL.

      For example, https://mycompany:443/webconsole

      For information about adding a SAML application in the Admin Console, see Adding Identity Servers.

    2. Keep the Add SAML App dialog box open.
  2. In your Okta account, create a new application using SAML 2.0 as the sign on method:
    1. Follow the wizard for the general settings.
    2. Under Configure SAML > SAML Settings, in the Single sign on URL box and the Audience URI (SP Entity ID) box, paste the URL that you copied from the Admin Console.

    3. From the Name ID format list, select Email Address.
    4. Continue to follow the wizard and accept the default values.
    5. Click Finish.
    6. Open the application, and then click Sign On.

    7. To download the IdP metadata file, under the View Setup Instructions button, click Identity Provider metadata.
    8. Save the IdP metadata file as an XML file.
  3. In the Admin Console, complete the SAML application:
    1. To upload the IdP metadata XML file, in the open Add SAML App dialog box, beside Upload IDP metadata, click Browse.
    2. Select the IdP metadata XML file that you downloaded from Okta.
    3. Complete the application, and then click Save.

      For information about adding a SAML application in the Admin Console, see Adding Identity Servers.

  4. Open the Identity Servers page in the Admin Console, and copy the Single sign-on url.
  5. In your Okta account, under Configure SAML > SAML Settings, in the Single sign on URL box, paste the URL that you copied from the Admin Console.
  6. Optional: To configure single logout in Okta, complete the following steps:
    1. From the generated SP metadata XML, copy the following information:
      • SP EntityId
      • SingleLogoutService location with POST binding
    2. To download the signature certificate, log on to the Admin Console, and then in your web browser, type the SAML App URL in the following format, and then press Enter.

      https://webconsole_hostname/adminconsole/downloadSPCertificate.do?appName=URL encoded SAML app name

      Example: https://company.com/adminconsole/downloadSPCertificate.do?appName=app%20Name

    3. In your Okta account, under General > Advanced Settings, select the Enable Single Logout box.
    4. In the Single Logout URL box, type the SingleLogoutService location that you copied from the SP metadata file.
    5. In the SPIssuer box, type the entityID that you copied from the SP metadata file.
    6. In the Signature Certificate box, upload the certificate that you downloaded from the SAML app URL.
  7. To assign other Okta users access to your Okta account, complete the following steps:
    1. In your Okta account, under Assignments, click Assign, and then select one of the following options:
      • To assign individual Okta users, click Assign to People.
      • To assign a user group, click Assign to Groups.
    2. Select the user or group that you want to assign, and then click Add.
  8. Optional: To assign domain users based on Okta's user groups SAML attribute, complete the following steps:
    1. In your Okta account, under Group Attribute Statements, click Add.
    2. In the Name box, type user_groups.
    3. In the Filter box, assign filters as required. For example, to assign users from a user group name that starts with "domain users", select Starts With, and then type domain users.
    4. Preview the SAML assertion and verify that your IdP response XML includes the user group attribute. For example:

      <saml2:Attribute Name="user_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">GroupName Match Starts with "domain users" (ignores case)</saml2:AttributeValue>
      </saml2:Attribute>

    5. In the Admin Console, map Okta's user_groups SAML attribute to the user group user attribute. For more information about mapping attributes, see Mapping SAML Attributes.
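
Steps 6.1 and 8.4 have you read the SP entityID, the POST-binding SingleLogoutService location and the user_groups attribute values out of XML by eye. The following added example (not part of the product's or Okta's code) does the same with the standard library, so you can confirm the values before typing them into Okta; the metadata, hostnames and group names are constructed samples, and the element names are the standard SAML 2.0 ones.

```python
"""Extract the SLO settings (step 6.1) and the user_groups values (step 8.4) from SAML XML."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; the host and SLO paths are placeholders, not from the page.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mycompany:443/webconsole">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://mycompany:443/webconsole/samlSloRedirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mycompany:443/webconsole/samlSloPost"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def sp_slo_values(metadata_xml: str) -> dict:
    """Return the SP entityID and the SingleLogoutService location that uses the POST binding."""
    root = ET.fromstring(metadata_xml)  # metadata you generated yourself, so plain ET is fine
    entity_id = root.get("entityID")
    post_slo = None
    for slo in root.findall("md:SPSSODescriptor/md:SingleLogoutService", NS):
        if slo.get("Binding") == POST_BINDING:  # Okta's SLO URL must be the POST endpoint
            post_slo = slo.get("Location")
    if entity_id is None or post_slo is None:
        raise ValueError("metadata lacks an entityID or a POST-binding SingleLogoutService")
    return {"entityID": entity_id, "slo_post_location": post_slo}

# Constructed sample assertion fragment shaped like the Okta preview in step 8.4.
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="user_groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>Domain Users</saml2:AttributeValue>
      <saml2:AttributeValue>domain users - backup admins</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def user_groups(assertion_xml: str, attr_name: str = "user_groups") -> list:
    """Return every value of the named group attribute; an empty list means Okta sent none."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") == attr_name:
            values += [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
    return values
```

If the list comes back empty, the Okta filter in step 8.3 did not match any of the user's groups, so the mapping in step 8.5 has nothing to work with.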

Last modified: 1/8/2019 5:08:36 PM