You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Set Up Okta as IdP


EmpowerID can use Okta as its Identity Provider (IdP), so that users sign in to EmpowerID with the credentials they authenticate against Okta SSO. To enable Single Sign-On (SSO), you configure a SAML application in Okta and a matching SAML connection in your EID system. Follow the instructions below to set up Okta as an IdP.

In this setup, EID acts as the Service Provider (SP) and Okta as the Identity Provider (IdP). The instructions and URLs describe SP-initiated SSO, meaning that users begin the login process at EID and are redirected to Okta for authentication.

Step 1: Configure SAML in Okta

  1. Log in to your Okta Admin Dashboard.

  2. Click "Applications" in the sidebar and select "Applications" from the drop-down menu.

  3. To add a new application, begin by clicking on the "Create App Integration" button.

  4. Select SAML 2.0 as the Sign-in method for the application and click Next.

  5. Please enter the necessary general information for the integration and click the Next button to proceed.

  6. Provide the necessary SAML settings information for your integration.

    Input Fields

    Description

    Single Sign-On URL (SSO URL)

    The EID endpoint that accepts the SAML assertion over HTTP POST. Enter https://{yourempoweridurl}/WebIdPForms/Generic/AuthenticationResponse, replacing 'yourempoweridurl' with the host name your organization uses to access EmpowerID, such as sso.empoweriam.com.

    Recipient URL

    The endpoint to which Okta sends the SAML assertion to EID during Single Sign-On. This is the same as the SSO URL above: enter https://{yourempoweridurl}/WebIdPForms/Generic/AuthenticationResponse, replacing 'yourempoweridurl' with the host name your organization uses to access EmpowerID, such as sso.empoweriam.com.

    Destination URL

    The Destination attribute in the SAML assertion, that is, the address to which Okta's SAML response is meant to be delivered. This is the same as the SSO URL above: enter https://{yourempoweridurl}/WebIdPForms/Generic/AuthenticationResponse, replacing 'yourempoweridurl' with the host name used to access EmpowerID, such as sso.empoweriam.com.

    Audience URI (SP Entity ID)

    The identifier of the intended recipient of the SAML assertion or response; enter EmpowerID. This value must match the SP Name Qualifier that you specify later when configuring the SAML connection in EmpowerID.

    Name ID format

    Leave Unspecified for the Name ID Format.

    Application User Name

    The identifier or username that Okta sends to identify the user within the application. For EmpowerID, select the AD SAM account name. To make this field available, create the attribute mapping for the AD SAM account name in your Active Directory integration in Okta; once that is done, you can choose the field here.


  7. Scroll down to the bottom of the page and click Preview SAML to verify its accuracy. Then, click Next to proceed to the Feedback tab.


  8. Please provide additional information on the Feedback page and click Finish to save the integration application.

You have completed adding an EID integration as an application in Okta. Now, we can gather the necessary certificates and information from Okta.

Step 2: Gather and Verify SAML Attributes

Before setting up Okta in EmpowerID, you need the SAML setup information and the signing certificate from Okta for later use in EID. Follow the instructions below to obtain them.

  1. Log in to your Okta Admin Dashboard.

  2. In the sidebar, click on Applications and then select Applications from the drop-down menu.

  3. Click the link with your Application Name to view details of your previously created application.

  4. On the application's detail page, click the SAML tab. In this tab, click the View SAML Setup Instructions button to proceed.

  5. From the Preview window, you can access the required information and certificate.

    • Obtain the Identity Provider Single Sign-On URL, which we will configure later on the EID side for your integration.

    • Obtain the Identity Provider Issuer URL.

    • Click Download Certificate. The downloaded certificate is Okta's signing certificate; you will upload it to EID in Step 4.

You now have all the information from Okta needed to configure SAML in EID. The next step is to configure the SAML connection in EID.

Step 3: Add CORS in EID

You need to configure EmpowerID's Cross-Origin Resource Sharing (CORS) settings to allow Okta's URL to interact with EmpowerID. The URL that you need to add is your Okta URL (also called an Okta domain). Please follow the instructions here in the docs Configure Web Security Settings to add a CORS URL.

CORS entries in EmpowerID are cached for performance, which means that you will need to recycle the environment for the new CORS URL to work.

Step 4: Upload Certificate to EID

To configure the authentication request, you must upload the signing certificate that you previously downloaded from Okta. EID uses this certificate to verify the signatures on the SAML messages Okta sends. Follow the instructions below to upload the certificate in EID.

  1. On the navbar, expand Apps and Authentication and click SSO Connections. Now click on SSO Components.

  2. Click on the Certificates tab and the (plus) icon to upload a new certificate.

  3. Select Upload Certificate, choose the Certificate Owner, and then upload the certificate file you downloaded from Okta.

  4. Click on Save to upload the certificate.

Step 5: Create a SAML Connection in EID

  1. On the navbar, expand Apps and Authentication and click SSO Connections. Now click on SAML.

  2. You can view all SAML connections and create a new one by clicking the (plus) icon.

  3. When selecting a SAML connection type, decide whether the remote party will act as an Identity Provider (IdP) or will use EID as its IdP. In this article, we use the Identity Provider option, because we are configuring Okta to act as the IdP. Select the Default SAML IdP Connection Settings.

    • The Service Provider (SP) is an application or service that relies on EID as an Identity Provider to authenticate users and grant them access. This integration lets the SP manage user access efficiently through EID.

    • The Identity Provider (IdP) is responsible for authenticating users and providing access permissions for the EmpowerID application. It generates SAML assertions for users after authentication, which EID then uses to grant or deny access to their resources.

  4. Please provide the connection details for the SAML connection.

    Input Fields

    Description

    Name

    Provide a unique and descriptive identifier for the connection.

    Display Name

    Please provide a clear and easy-to-understand label that will appear in the application's user interface to represent the connection.

    Name Identifier Format

    Please select the format and structure of the unique identifier for the SAML assertion subject. This identifier represents the user or entity to which the SAML assertion refers. For Okta integration, select Unspecified.

    SAML Submission Method

    Please choose the appropriate HTTP method to send SAML requests. Select HTTPPost for Okta integration.

    Level of Assurance

    If you use multifactor authentication and want to adjust the default Level of Assurance points for the connection, enter a new value in the Level of Assurance (LoA) field. For example, if the level of assurance (LOA) is set to two, the user will be required to complete at least two multifactor authentications.

    Issuer

    The Issuer URL, or Issuer Endpoint, is the address by which the Identity Provider identifies itself in SAML messages. Enter the Identity Provider Issuer URL from the application you configured in Okta.

    Initiating URL

    The URL that initiates the SAML request from EmpowerID. The default value is "/WebIdPForms/Generic/AuthenticationRequest".

    Tile Image URL

    Please provide a URL for the image to serve as the icon representing the Single Sign-On (SSO) connection on the login screen.

  5. Please provide the Identity Provider Single Sign-On URL from the Okta SAML application integration.

  6. Please provide the Logout URL and the Logout SAML HTTP protocol used.

    • The Logout URL is the Single Logout (SLO) URL provided by Okta. This URL will handle the logout process, ensuring the user's session is terminated in both EmpowerID and Okta.

    • The Logout SAML Protocol is the HTTP method to send SAML requests. To configure Okta in EID, please select the HTTPPost option.

  7. Create a new account directory or select an existing one.

    • Select the Create a New Account Directory checkbox to create a new account directory.

    • Alternatively, you can choose to select an existing account directory.

  8. Please provide the necessary information related to the Certificates for the SAML connection.

    • The Signing Certificate is used by the IdP to digitally sign the SAML assertions and messages it sends to the SP. When receiving these messages, the SP uses the IdP's signing certificate to verify their integrity and authenticity. It contains the public key, not the private key.

    • The SP uses the Verifying Certificate to verify the digital signatures on the SAML assertions and messages the IdP sends, ensuring that the messages it receives were genuinely signed by the trusted IdP and have not been altered or forged.

  9. Click on the Authn Request tab and select Create a New Authentication Request. You have the option to create a new one or use an existing SAML Authentication Request. Enter the required details to create a new authentication request and click on Save.

    Input Fields

    Description

    SP Name Qualifier

    A unique identifier associated with EmpowerID; enter EmpowerID. This must match the Audience URI specified while configuring the SAML application in Okta.

    Assertion Consumer URL

    The EID endpoint to which Okta (the IdP) sends the SAML assertion after successful authentication and authorization. Use https://{yourempoweridurl}/WebIdPForms/Generic/AuthenticationResponse, replacing 'yourempoweridurl' with the host name used to access EmpowerID, such as sso.empoweriam.com.

    Submission Method

    Choose the HTTP method used to send SAML requests. Select HTTPPost for the Okta configuration.

    Issuer Name

    The identifier of the entity that issues the SAML request. Enter https://{yourempoweridurl}/, replacing 'yourempoweridurl' with the host name used to access EmpowerID, such as sso.empoweriam.com.

    Signing Certificate

    The signing certificate contains the public key of the key pair EID uses to digitally sign its SAML messages. Choose the EID Federation Certificate as the signing certificate.

    Verifying Certificate

    The verifying certificate is used by the receiving party to verify the digital signature on a SAML message. Choose the signing certificate you obtained from the Okta app integration and uploaded to EID in Step 4.

You have successfully configured SSO, where users start the login process at EID and are then redirected to Okta for authentication. Please test by logging in to EID with your Okta credentials.
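The Okta table in Step 1 and the EID tables in Step 5 must agree on four values: Destination and Recipient (the EID AuthenticationResponse URL), Audience (the SP Name Qualifier, EmpowerID), the Okta Identity Provider Issuer, and the Unspecified NameID format. As an added example that is not part of the EmpowerID guide, the Python below parses a SAML Response and lists which of those values disagree with the expected configuration; the host name, the Okta issuer and the sample response are constructed placeholders, and signature verification with the uploaded Okta certificate is performed by EID and not shown here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Values this guide tells you to enter; host name and Okta issuer are placeholders.
EXPECTED = {
    "acs_url": "https://sso.example.com/WebIdPForms/Generic/AuthenticationResponse",
    "audience": "EmpowerID",  # Okta Audience URI == EID SP Name Qualifier
    "idp_issuer": "http://www.okta.com/PLACEHOLDER_ISSUER_ID",
}

def check_saml_response(xml_text, expected):
    """Return the settings in a SAML Response that disagree with `expected` (empty list = consistent)."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must be the EID AuthenticationResponse endpoint entered as Okta's Destination URL.
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the EID AuthenticationResponse URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    if assertion.findtext("saml:Issuer", "", NS) != expected["idp_issuer"]:
        problems.append("Issuer does not match the Okta Identity Provider Issuer")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("Recipient does not match the EID AuthenticationResponse URL")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:
        problems.append("NameID Format is not Unspecified")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if audience != expected["audience"]:
        problems.append("Audience does not match the SP Name Qualifier")
    return problems

def sample_response(audience="EmpowerID"):
    """Constructed, unsigned sample Response used only to exercise the checker."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" Destination="{EXPECTED['acs_url']}">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{EXPECTED['idp_issuer']}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{UNSPECIFIED}">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED['acs_url']}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_saml_response(sample_response(), EXPECTED)` returns an empty list, while a response whose Audience is the EID URL instead of EmpowerID reports the SP Name Qualifier mismatch that causes EID to reject the assertion.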
