29.1 Single Sign-On with Okta
Before working with Okta, let us see how to configure it on your system and then get ready to use it with OpKey.
Configuring Okta on your system
- Set up a connection app for OpKey SSO.
- Open the Okta login page in a browser and sign in to Okta as an administrator.
- Go to Admin Dashboard > Applications > Add Application.
- Click Create New App and choose SAML 2.0 as the Sign on method.
- Click Create to proceed with the Okta configuration.
- Enter General Settings for the application, including App name and App logo (optional). It is recommended to display the application icon to users.
- Click Next to continue.
- Enter SAML Settings, including:
- Single sign on URL: https://<your-OpKey-url>/Auth/ReadSAML where <your-OpKey-url> is your OpKey portal URL.
- Audience URL: For instance, https://www.myopkey.com/saml2/service-provider/sprupzqzwxupngxvqfdf
- Name ID format: EmailAddress
- Application username: Okta username
- Enter attribute statements and group attribute statements, which will be used to map attributes between Okta and OpKey.
- Attribute Statements:
- Name: Email, Name Format: Basic, Value: user.email
- Name: FirstName, Name Format: Basic, Value: user.firstName
- Name: LastName, Name Format: Basic, Value: user.lastName
- Group Attribute Statements:
- Name: Groups, Name Format: Unspecified, Filter (Matches Regex): .*
- Click Next. Then, set Okta support parameters for the application. Recommended settings:
- I’m an Okta customer adding an internal app
- This is an internal app that we have created
- Click Finish.
- On the next screen, click the Sign On tab and click View Setup Instructions.
- Take note of the Identity Provider Single Sign-On URL (also known as the Single Sign-On service URL) and the Identity Provider Issuer, as both will be needed to configure SAML for OpKey. Also copy the X.509 Public Certificate; you will need to upload it to OpKey in a later step.
What are the Client URL and the SSO Provider URL?
The Client URL is the base part of the SSO Provider URL. For example, if the SSO Provider URL is https://dev-123456.oktapreview.com/app/xyzdev12345_mytest_1/exkit6nvncnf6ON3B0h7/sso/saml, the Client URL is https://dev-123456.oktapreview.com/.
Follow the steps below to get the Client URL and SSO Provider URL:
- Log in to the Okta Developer page with your valid credentials.
- Go to the API page under the Security menu. Select the Tokens tab and click Create Token.
- The Create Token page opens. Type a name for the token and click the Create Token button.
- The token value is now generated. Click the Copy to clipboard button to copy it and use it accordingly.
Configure SAML sign-in for OpKey
- Log in to your OpKey portal as an admin user and navigate to the OpKey admin panel. Go to Single Sign-On, click Add, and enter the following fields:
- Identity Provider: Select “OKTA” from drop-down.
- IdP Entity ID: Identity Provider Issuer from Okta, specified earlier.
- Single Sign-On Service: Identity Provider Single Sign-On URL from Okta, specified earlier.
- IdP Certificate: X.509 Public Certificate file you copied from Okta earlier.
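The checks an SP such as OpKey has to apply to an Okta SAML Response before trusting it (Issuer equals the IdP Entity ID, Audience equals the SP's own Audience URL, NameID in EmailAddress format), together with the mapping of the attribute statements configured above to a user record, as an added stdlib-only example that is not OpKey's or Okta's code; the Issuer value, user data and unsigned sample response are constructed, and the Audience URL is the one quoted in the SAML Settings step.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values the admin entered above; the Issuer is a constructed placeholder, the
# Audience URL is the one quoted in the Okta SAML Settings step.
EXPECTED_ISSUER = "http://www.okta.com/exkCONSTRUCTEDISSUER"
EXPECTED_AUDIENCE = "https://www.myopkey.com/saml2/service-provider/sprupzqzwxupngxvqfdf"

def map_saml_response(xml_text, expected_issuer, expected_audience, group_filter=r".*"):
    """Check the assertion's claims and map Okta's attribute statements to a user record.
    The XML signature must already have been verified against the uploaded IdP certificate
    (the 'Verify Signature' option); the stdlib has no XML-DSig, so that step is omitted here."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:            # must equal the IdP Entity ID configured in OpKey
        raise ValueError(f"unexpected Issuer {issuer!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:   # assertion was minted for a different SP
        raise ValueError("Audience does not match this service provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID must use the EmailAddress format")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # Group Attribute Statement: Okta emits every group whose name matches the configured regex.
    groups = [g for g in attrs.get("Groups", []) if re.fullmatch(group_filter, g)]
    return {"email": name_id.text, "first_name": attrs.get("FirstName", [None])[0],
            "last_name": attrs.get("LastName", [None])[0], "groups": groups}

# Constructed, unsigned sample for parsing only; it is not real Okta output.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"><saml:Assertion Version="2.0">
<saml:Issuer>http://www.okta.com/exkCONSTRUCTEDISSUER</saml:Issuer>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://www.myopkey.com/saml2/service-provider/sprupzqzwxupngxvqfdf</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="LastName"><saml:AttributeValue>Lee</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="Groups"><saml:AttributeValue>OpKey-Admins</saml:AttributeValue><saml:AttributeValue>Everyone</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Calling `map_saml_response(SAMPLE_RESPONSE, EXPECTED_ISSUER, EXPECTED_AUDIENCE)` returns the mapped record; changing the Issuer or Audience argument makes it raise instead of silently accepting the assertion.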
Getting started with SSO feature in OpKey
- Log in to OpKey Web using valid credentials.
- Navigate to the Admin Console and select the Single Sign-On tab. The Configure Single Sign-On page opens.
- From the Single Sign-On page, you need to add and configure an Identity Provider.
- Click the Add button to add an Identity Provider.
- Select the Identity Provider (Okta, from the list) and enter the IdP Issuer, Display Name, IdP Single Sign-On URL, and API Key, then click Add. You can check the Verify Signature checkbox, if required.
- Identity Provider: Select “OKTA” from drop-down.
- IdP Entity ID: Identity Provider Issuer from Okta, specified earlier.
- Single Sign-On Service: Identity Provider Single Sign-On URL from Okta, specified earlier.
- API Key: This key identifies the groups available in the configured Identity Provider, which will be displayed as suggestions while adding groups in Group Management.
- Once the Identity Provider (Okta) has been added successfully, you can view it here.
- You can then modify or delete it, as required.
- Click the Modify Single Sign-On button to modify it. Fill in all required fields (Identity Provider, IdP Issuer, Display Name, IdP Single Sign-On URL, Certificate to Validate Signature and API Key) and click Modify.
- Once the settings are saved, another option, “Allow OpKey Login To”, is enabled. It lets the admin enforce a login type for their users by choosing one of three options: “OpKey Users Only”, “Single Sign-On”, or “Both OpKey and SSO Users”. OpKey allows users to log in according to the option selected. If you have configured the SSO service, it is a good option to select the third option, i.e. “Both OpKey and SSO Users”.
- Next, you need to create Group(s) on Okta and add people to the Group(s) from Group Management, as described below:
Group Management
Group Management under the Admin Console of OpKey allows you to manage groups of users. Here you can view the list of existing Groups along with details like Service Provider, Name, Projects, OpKey Admin privileges and Actions. You can edit and delete existing groups as required, but you need Admin privileges to do so.
- Navigate to the Group Management tab under the Admin Console in OpKey.
- Click the Add Group button. The Add Groups page opens.
- Select and fill in all required fields and click Add to create a new Group. You can mark the OpKey Admin checkbox to grant Admin privileges to the Group.
- Here, you can view that the new Group has been created successfully. People belonging to this Group can now work on the assigned OpKey project(s) after logging in through Okta SSO.
- Now, people belonging to the added Group(s) can log in to OpKey Web using the Okta SSO feature.
- Open your OpKey Web login page and click the Login with Okta link.
- Enter your valid Okta SSO Username and Password and click the Sign In button.
- Select your assigned OpKey project and start working.