Set Up Okta as an Identity Provider

This article provides a comprehensive guide for configuring EmpowerID to use Okta as an Identity Provider (IdP) through Security Assertion Markup Language (SAML). The configuration enables Single Sign-On (SSO) capabilities, allowing users to access EmpowerID services by authenticating via Okta. In this integration, EmpowerID acts as the Service Provider (SP), and Okta functions as the IdP.

Steps Overview

1. Configure SAML in Okta

2. Gather and Verify SAML Attributes

3. Add Cross-Origin Resource Sharing (CORS) in EmpowerID

4. Upload Certificate to EmpowerID

5. Create a SAML Connection in EmpowerID

Step 1 – Configure SAML in Okta

1. Log in to the Okta Admin Dashboard.

2. Navigate to Applications.

   • Click "Applications" in the sidebar and select "Applications" from the drop-down menu.

3. Create App Integration.

   • Click the "Create App Integration" button.
     
     

     Open

     

      

4. Select Sign-In Method.

   • Select SAML 2.0 and click Next.
     
     

     Open

     

      

5. Under General Settings, enter an App Name as a minimum and click Next.
   
   

    

6. Input SAML Settings.

   • Input the following information:
     

7. Review Configuration

   • Click Preview SAML and verify the settings.

   • Click Next and fill out the Feedback form if desired.

   • Click Finish.
     
     

    

Step 2 – Gather and Verify SAML Attributes

1. Retrieve SAML Setup Information.

   1. Navigate to the details of the newly created application in Okta.

   2. Click on the SAML tab and then View SAML Setup Instructions.
      
      

       

   3. Obtain the following information:

      • Identity Provider Single Sign-On URL

      • Identity Provider Issuer URL

   4. Download the signing certificate.
      
      

Step 3 – Add CORS in EmpowerID

1. Configure CORS Settings

   • You need to configure EmpowerID's Cross-Origin Resource Sharing (CORS) settings to allow Okta's URL to interact with EmpowerID. The URL that you need to add is your Okta URL (also called an Okta domain). Please follow the EmpowerID documentation for CORS configuration here: Configure Web Security Settings.
     
     

      

2. Recycle the Environment.

   • CORS settings are cached; therefore, recycle the EmpowerID environment for changes to take effect.

Step 4 – Upload Certificate to EmpowerID

To configure the authentication request, you must upload the certificate signing certificate that you had previously downloaded from the Okta platform. This certificate will be used as the signing certificate.

1. Navigate to SSO Components.

   • From the navigation bar, go to Apps and Authentication > SSO Connections > SSO Components.

2. Upload Certificate.

   1. Click on the Certificates tab and the icon to upload a new certificate.
      
      

       

   2. Select Upload Certificate, choose the Certificate Owner, and then upload the certificate downloaded from Okta.

       

       

3. Click Save.

Step 5 – Create a SAML Connection in EmpowerID

1. On the navbar, expand Apps and Authentication > SSO Connections and click SAML.

2. Click the Add New icon.
   
   

    

3. Fill in the required fields as outlined in the table below:
   

    

    

4. Under Identity Provider URL Details, Enter the Identity Provider Single Sign-On URL from the Okta SAML application integration.
   
   

    

5. Under Logout URL, enter the Logout URL and the Logout SAML HTTP Protocol used.

   • The Logout URL is the Single Logout (SLO) URL provided by Okta. This URL will handle the logout process, ensuring the user's session is terminated in both EmpowerID and Okta.

   • The Logout SAML Protocol is the HTTP method to send SAML requests. To configure Okta in EID, please select the HTTPPost option.
     
     

      

6. Under Account Information, select whether to create a new Account Directory or to select an existing Account Directory.
   
   

    

7. Under Certificates, please provide the necessary information related to the Certificates for the SAML connection.

   • The Signing Certificate is used by the IdP to digitally sign the SAML assertions and messages it sends to the SP. When receiving these messages, the SP can use the IdP's signing certificate to verify the message's integrity and authenticity. It should be the public key.

   • The SP uses the Verifying Certificate to verify the digital signatures on SAML assertions and messages the IdP sends. The SP uses the verifying certificate to ensure that the trusted IdP genuinely signs the messages it receives and that they haven't been altered or forged.

8. Click on the Authn Request tab and select Create a New Authentication Request. You have the option to create a new one or use an existing SAML Authentication Request. Enter the required details to create a new authentication request and click on Save.
   
   

    

Step 6 – Testing the Configuration

Test the configuration by logging in to EmpowerID using Okta credentials.