Okta configuration as IdP for SAML
Okta is an Identity Provider (IdP) used by many service providers. The setup and configuration are straightforward. You need an Okta account before you start.
In Document360 projects, only the account owner or an administrator can configure Enterprise SSO.
Keep the Document360 Enterprise SSO page open in a separate tab. You will need to copy certain field values from it during the setup.
- Sign up for the Okta developer console at https://developer.okta.com/signup/
- After sign-up you will receive an email at the address you provided, containing your login credentials and an account activation link
- Click on the activation link and you will be redirected to your Okta domain login page
- Log in with your credentials
- On successful login, the dashboard of the Okta developer console is displayed
Adding an application
To configure an application in Okta, you must create a new application.
The dashboard is shown as the Developer Console by default. It has to be changed to the Classic UI.
In the top left corner of the page you will find a dropdown to toggle between the two dashboards.
To create a new application, go to the Applications menu and click on Applications in the dropdown.
Click on the Add Application button.
On the Add Application page, click on the Create New App button.
In the Create a New Application Integration overlay, select Web as the Platform from the dropdown.
In Sign on method select SAML 2.0 and click on the Create button.
Creating a SAML integration
You now land on the Create SAML Integration page in Okta.
- On the General Settings page, enter the name of your new application in the App name field
- Optionally, browse and upload a logo for your application in the Add Logo field
- In App visibility, choose either or both options depending on your requirement
- Click on the Next button
- On the SAML Settings page, fill in the parameters provided by Document360
- Head back to the Document360 Enterprise SSO page and open the SAML tab
- Enter the Callback path shown there in the Single sign on URL field on the Okta SAML Settings page
- Similarly, enter the Service Provider Entity Id in the Audience URI (SP Entity ID) field on the Okta SAML Settings page
The next field, Default RelayState, identifies a specific application resource in an IdP-initiated SSO. This field can be left blank.
For the Name ID Format field, select EmailAddress from the dropdown.
The Application username defaults to Okta username. Change it to Email from the dropdown.
The Attribute Statements section lets you define custom attribute statements when you create a new SAML integration or modify an existing one.
These statements are inserted into the SAML assertions shared with your app.
Add urn:oasis:names:tc:SAML:2.0:nameid in the Name field, URI Reference as the Name format, and user.email as the Value.
Click the Add Another button and add
- name in the Name field, Unspecified as the Name format, and user.email as the Value
- email in the Name field, Unspecified as the Name format, and user.email as the Value
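The fields entered so far (Single sign on URL, Audience URI, Name ID Format and the three attribute statements) all end up in the SAML response Okta sends to the service provider. The script below is an added example, not part of the original article or of Document360's or Okta's own code: it parses a constructed, unsigned SAML response and reports any mismatch between what the assertion carries and what was configured. The SP URL and Entity ID are placeholders standing in for the values shown on the Document360 SAML tab; the NameID format and attribute NameFormat URNs are the standard SAML 2.0 identifiers that Okta uses for EmailAddress, URI Reference and Unspecified.

```python
"""Check a SAML 2.0 response against the values configured in the Okta SAML
Settings steps above.  Added example: the response is constructed and the SP
values are placeholders, not Document360's real endpoints."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholders for the Callback path and Service Provider Entity Id shown on
# the Document360 SAML tab (assumed values, not the real ones).
SP_CALLBACK_URL = "https://sp.example.com/saml/acs"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"

# Standard URN behind the "EmailAddress" choice in Okta's Name ID Format dropdown.
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The three attribute statements configured above, all mapped to user.email.
EXPECTED_ATTRIBUTES = {"urn:oasis:names:tc:SAML:2.0:nameid", "name", "email"}

# Constructed sample response (signature omitted) for illustration only.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" Destination="{SP_CALLBACK_URL}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/PLACEHOLDER_APP_ID</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EXPECTED_NAMEID_FORMAT}">jane@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:2.0:nameid"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="name"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_assertion(xml_text):
    """Extract Destination, NameID, audiences and attribute statements.
    For untrusted input use a hardened parser (e.g. defusedxml); the stdlib
    parser is fine for this constructed sample."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = {"format": attr.get("NameFormat"), "values": values}
    audiences = [
        a.text
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    return {
        "destination": root.get("Destination"),
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "audiences": audiences,
        "attributes": attributes,
    }


def check_against_config(parsed, callback_url, entity_id):
    """Return a list of mismatches between the assertion and the configured SP values."""
    problems = []
    if parsed["destination"] != callback_url:
        problems.append(f"Destination {parsed['destination']!r} is not the Single sign on URL {callback_url!r}")
    if entity_id not in parsed["audiences"]:
        problems.append(f"Audience {parsed['audiences']!r} does not contain the SP Entity ID {entity_id!r}")
    if parsed["name_id_format"] != EXPECTED_NAMEID_FORMAT:
        problems.append(f"NameID format is {parsed['name_id_format']!r}, expected EmailAddress")
    missing = EXPECTED_ATTRIBUTES - set(parsed["attributes"])
    if missing:
        problems.append(f"missing attribute statements: {sorted(missing)}")
    # All three statements map to user.email, so each value must equal the NameID.
    for name, info in parsed["attributes"].items():
        if info["values"] != [parsed["name_id"]]:
            problems.append(f"attribute {name!r} carries {info['values']!r}, expected the user's email")
    return problems


if __name__ == "__main__":
    result = parse_assertion(SAMPLE_RESPONSE)
    for issue in check_against_config(result, SP_CALLBACK_URL, SP_ENTITY_ID) or ["configuration matches"]:
        print(issue)
```

The check only compares field values; it does not validate the XML signature or the assertion's validity window, which the service provider's SAML library must do before any of these values are trusted.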
The Group Attribute Statements section is for when you use groups to categorize users; you can add group attribute statements to the SAML assertion shared with your app. However, this is optional.
Now click on the Next button at the end of the page.
Under Are you a customer or partner?, select the relevant option. (If you are unsure, select "I'm an Okta customer adding an internal app" and skip the remaining fields.)
Click on Finish.
You have created an application on the Okta platform, which can now be configured with the service provider.