Environment
- App Control Console: All Supported Versions
- Okta: All Supported Versions
Objective
How to configure Okta SAML Integration with App Control
Resolution
In the App Control Console:
- Go to System Configuration > SAML Login.
- In the Service Provider section, switch from "XML" to "Manual" view and take note of the following URLs (APPCSERVER is the hostname of the App Control server as users reach it in the browser):
Entity ID: https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp
Single Sign-On URL: https://APPCSERVER/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
Login to Okta:
- On the main page, click the "Admin" button on the top right.
- Click "Add Applications" on the right side menu.
- Click the "Create New App" button on the left.
- Select "Web" and "SAML 2.0" and click "Create".
- Enter App name and other options then click "Next".
- Single sign-on URL use:
https://APPCSERVER/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
- Audience URI use:
https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp
- Set Name ID format to "EmailAddress".
- Set Application username to "Email".
- Complete the internal app creation
- On the next screen, right click "Identity Provider metadata" and select "Save link as" and save the XML file.
In the App Control console:
- Go to System Configuration > SAML Login.
- Click "Add Identity Provider".
- Enter a provider name (This will appear on the login page).
- Click "Choose File" > point to the XML and Save.
You should now be able to log in to the App Control console from the Applications section of the Okta end-user dashboard.
Additional Notes
A console user whose email address matches the Okta user's email address must already exist in the App Control console before a SAML login can succeed. That console login can be created initially either:
- Manually from the Login Accounts menu in the console
- By logging in with an Active Directory user account once before attempting SAML
The NameID in the SAML assertion that Okta sends is expected to use the email address format and look similar to:
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</NameID>
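The following Python script is an added example, not part of this article or of the App Control or Okta products. It does the two checks a practitioner wants before and after the procedure above: it parses the Okta "Identity Provider metadata" XML to confirm it carries an entity ID, a signing certificate and an HTTPS single sign-on endpoint before the file is uploaded to App Control, it builds the SP URLs that must be entered in Okta from the APPCSERVER hostname, and it checks that a SAML assertion's NameID uses the emailAddress format shown above. The embedded metadata and assertion are constructed samples; the hostnames, the entity ID "exk0EXAMPLE" and the certificate text are placeholders, not real Okta values.

```python
"""Pre-flight checks for an Okta -> App Control SAML integration (added example)."""
import re
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed sample of what Okta's "Identity Provider metadata" looks like.
# Host, entity ID and certificate body are placeholders, not real values.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0EXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIDEXAMPLEBASE64CERT==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/appcontrol/exk0EXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/appcontrol/exk0EXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample assertion fragment with the NameID shape the article expects.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk0EXAMPLE</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def sp_urls(appc_server):
    """SP Entity ID and ACS URL for the given App Control hostname (the values typed into Okta)."""
    base = "https://%s/simplesaml/module.php/saml/sp/" % appc_server
    return {"entity_id": base + "metadata.php/default-sp", "acs": base + "saml2-acs.php/default-sp"}


def check_idp_metadata(xml_text):
    """Parse IdP metadata and return a summary plus a list of problems (empty if it looks usable)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")
    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("missing entityID")
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    certs = [
        kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
    ]
    signing_certs = [c.text.strip() for c in certs if c is not None and (c.text or "").strip()]
    if not signing_certs:
        problems.append("no signing certificate; App Control cannot verify assertion signatures")
    sso_urls = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding", ""), sso.get("Location", "")
        if binding in SSO_BINDINGS:
            sso_urls[binding] = location
            if not location.startswith("https://"):
                problems.append("SSO endpoint is not HTTPS: %s" % location)
    if not sso_urls:
        problems.append("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")
    # NameIDFormat entries here are advertised capabilities; the format actually sent is
    # whatever was chosen in the Okta app settings, so it is reported but not treated as an error.
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {"entity_id": entity_id, "signing_certs": len(signing_certs),
            "sso_urls": sso_urls, "name_id_formats": formats, "problems": problems}


def check_name_id(assertion_xml):
    """Return (True, email) if the assertion's NameID is an emailAddress-format email, else (False, reason)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return (False, "assertion has no Subject/NameID")
    fmt, value = name_id.get("Format", ""), (name_id.text or "").strip()
    if fmt != EMAIL_FORMAT:
        return (False, "unexpected NameID Format: %s" % fmt)
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        return (False, "NameID is not an email address: %r" % value)
    return (True, value)


if __name__ == "__main__":
    # Usage: python check_saml.py [okta-metadata.xml] [appc-hostname]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    print("SP URLs to enter in Okta:", sp_urls(sys.argv[2] if len(sys.argv) > 2 else "APPCSERVER"))
    print("IdP metadata summary:", check_idp_metadata(text))
    print("Sample assertion NameID check:", check_name_id(SAMPLE_ASSERTION))
```

Run it against the XML saved from Okta and the console hostname to catch a wrong file (for example SP metadata uploaded by mistake, or a file with no signing certificate) before clicking Save in App Control. A NameID check returning an "unexpected NameID Format" reason points at the Okta app's Name ID format setting; a valid email that still fails to log in points at the missing console user described in the notes above.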