This article provides a comprehensive guide for configuring EmpowerID to use Okta as an Identity Provider (IdP) through Security Assertion Markup Language (SAML). The configuration enables Single Sign-On (SSO) capabilities, allowing users to access EmpowerID services by authenticating via Okta. In this integration, EmpowerID acts as the Service Provider (SP), and Okta functions as the IdP.
As a prerequisite, you must have an Okta account and a certificate generated from Okta and uploaded into EmpowerID.
Steps Overview
Configure SAML in Okta
Gather and Verify SAML Attributes
Add Cross-Origin Resource Sharing (CORS) in EmpowerID
Upload Certificate to EmpowerID
Create a SAML Connection in EmpowerID
On the navbar, expand Apps and Authentication and click SSO Connections. Now click on SAML.
You can view all SAML connections and create a new one by clicking the icon.
When selecting a SAML connection type, it's important to determine whether the connection will operate as an Identity Provider (IdP) or will use EID as its IdP. In this article, we'll use the Identity Provider option as our example, as we intend to configure Okta to function as the IdP. Please select the Default SAML IdP connection Settings.
The Service Provider (SP) is an application or service that depends on EID as an Identity Provider (IdP) to authenticate and provide access to users. It uses specialized software to process SAML requests and responses, which contain SAML assertions from the IdP. This allows the SP to manage user access in an efficient manner.
The Identity Provider (IdP) is responsible for authenticating users and providing access permissions to EmpowerID. It generates SAML assertions for users after authentication, which EID then uses to grant or deny access to its resources.
Please provide the connection details for the SAML connection.
Step 1 – Configure SAML in Okta
Log in to the Okta Admin Dashboard.
Navigate to Applications.
Click "Applications" in the sidebar and select "Applications" from the drop-down menu.
Create App Integration.
Click the "Create App Integration" button.
Select Sign-In Method.
Select SAML 2.0 and click Next.
Under General Settings, enter an App Name as a minimum and click Next.
Input SAML Settings.
Input the following information:
Review Configuration
Click Preview SAML and verify the settings.
Click Next and fill out the Feedback form if desired.
Click Finish.
Step 2 – Gather and Verify SAML Attributes
Retrieve SAML Setup Information.
Navigate to the details of the newly created application in Okta.
Click on the SAML tab and then View SAML Setup Instructions.
Obtain the following information:
Identity Provider Single Sign-On URL
Identity Provider Issuer URL
Download the signing certificate.
Step 3 – Add CORS in EmpowerID
Configure CORS Settings
You need to configure EmpowerID's Cross-Origin Resource Sharing (CORS) settings to allow Okta's URL to interact with EmpowerID. The URL that you need to add is your Okta URL (also called an Okta domain). Please follow the EmpowerID documentation for CORS configuration here: Configure Web Security Settings.
Recycle the Environment.
CORS settings are cached; therefore, recycle the EmpowerID environment for changes to take effect.
Step 4 – Upload Certificate to EmpowerID
To configure the authentication request, you must upload the signing certificate that you previously downloaded from Okta. This certificate will be used as the signing certificate.
Navigate to SSO Components.
From the navigation bar, go to Apps and Authentication > SSO Connections > SSO Components.
Upload Certificate.
Click on the Certificates tab and the icon to upload a new certificate.
Select Upload Certificate, choose the Certificate Owner, and then upload the certificate downloaded from Okta.
Click Save.
Step 5 – Create a SAML Connection in EmpowerID
On the navbar, expand Apps and Authentication > SSO Connections and click SAML.
Click the Add New icon.
Fill in the required fields as outlined in the table below:
Under Identity Provider URL Details, enter the Identity Provider Single Sign-On (SSO) URL from the Okta SAML application integration.
Under Logout URL, enter the Logout URL and the Logout SAML Protocol used.
The Logout URL is the Single Logout (SLO) URL provided by Okta. This URL will handle the logout process, ensuring that the user's session is terminated in both EmpowerID and Okta.
The Logout SAML Protocol is the HTTP method used to send SAML requests. To configure Okta in EID, please select the HTTPPost option.
Under Account Information, select whether to create a new Account Directory or select an existing account directory.
Select the checkbox Create a New Account Directory to create a new account directory. Alternatively, you can choose to select an existing account directory.
Under Certificates, provide the necessary information related to the certificates for the SAML connection.
The Signing Certificate is used by the IdP to digitally sign the SAML assertions and messages it sends to the SP. When receiving these messages, the SP can use the IdP's signing certificate to verify the message's integrity and authenticity. It should be the public key.
The SP uses the Verifying Certificate to verify the digital signatures on SAML assertions and messages the IdP sends. The SP uses the verifying certificate to ensure that the trusted IdP genuinely signs the messages it receives and that they haven't been altered or forged.
Click on the Authn Request tab and select Create a New Authentication Request. You have the option to create a new one or use an existing SAML Authentication Request. Enter the required details to create a new authentication request and click on Save.
Configure SAML in Okta
You can create a SAML app directly from the Okta dashboard to integrate Okta with EID. Please follow Okta's relevant documentation to ensure the SAML app is created accurately. However, please ensure you correctly enter all the information below about EmpowerID in the Okta app.
Step 6 – Testing the Configuration
Test the configuration by logging in to EmpowerID using Okta credentials.
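If the test login fails, decoding the SAMLResponse form value that Okta posts and comparing its Issuer and Destination with the values gathered in Step 2 usually shows which setting is mismatched. The following is an added example, not EmpowerID or Okta code; the issuer and ACS URLs and the sample response are constructed placeholders, and it checks fields only, while signature verification stays with EmpowerID and the uploaded certificate.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholders (assumptions): use the Issuer URL from Step 2 and your own ACS URL.
EXPECTED_ISSUER = "http://www.okta.com/EXAMPLE_APP_ID"
EXPECTED_ACS = "https://sso.example.com/acs-placeholder"

def check_saml_response(b64_response, now=None):
    """List field-level problems in a base64 SAMLResponse; no signature validation."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml:  # SAML messages have no reason to carry a DTD
        return ["DTD present; refusing to parse"]
    root = ET.fromstring(xml)
    now = now or datetime.now(timezone.utc)
    problems = []
    issuer = (root.findtext("saml:Issuer", "", NS) or "").strip()
    if issuer != EXPECTED_ISSUER:
        problems.append(f"issuer mismatch: got {issuer!r}")
    if root.get("Destination") != EXPECTED_ACS:
        problems.append(f"destination mismatch: got {root.get('Destination')!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext assertion (missing or encrypted)"]
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither response nor assertion carries a signature")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter"):
        expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now >= expiry:
            problems.append("assertion expired")
    return problems

# Constructed sample response (not from a real tenant; signature body left empty).
SAMPLE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Destination="{EXPECTED_ACS}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion><ds:Signature/>
    <saml:Conditions NotOnOrAfter="2024-01-01T00:05:00.000Z"/>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()
```

An empty list means the fields match the configured values; an "assertion expired" result on a fresh login points to clock skew between the two systems.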