
App Control: How to Configure SAML Integration with Okta

Environment

  • App Control Console: All Supported Versions
  • Okta: All Supported Versions

Objective

How to configure Okta as a SAML identity provider for the App Control console.

Resolution

In the App Control Console:
  1. Go to System Configuration > SAML Login.
  2. In the Service Provider section, switch from "XML" to "Manual" view and take note of the following values (APPCSERVER is the hostname of your App Control console; Okta must be able to reach it over HTTPS):
    Entity ID: https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp
    Single Sign-On URL: https://APPCSERVER/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

Log in to Okta:

  1. On the main page, click the "Admin" button on the top right.
  2. Click "Add Applications" on the right side menu.
  3. Click the "Create New App" button on the left.
  4. Select "Web" and "SAML 2.0" and click "Create".
  5. Enter App name and other options then click "Next".
  6. For Single sign-on URL, use:
    https://APPCSERVER/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
  7. For Audience URI (SP Entity ID), use:
    https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp
  8. Set Name ID format to EmailAddress.
  9. Set Application username to Email. The NameID Okta sends is the value the App Control console matches against its login accounts, so it must be the user's email address.
  10. Complete the internal app creation
  11. On the next screen, right click "Identity Provider metadata" and select "Save link as" and save the XML file.

In the App Control console:

  1. Go to System Configuration > SAML Login.
  2. Click "Add Identity Provider".
  3. Enter a provider name (This will appear on the login page).
  4. Click "Choose File" > point to the XML and Save.

You should now be able to log in to the App Control console from the Applications section of the Okta end-user dashboard.
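Before uploading the XML saved from Okta's "Identity Provider metadata" link, it is worth confirming it is actually IdP metadata with a signing certificate and an HTTP-POST sign-on URL, rather than a partial download or the SP metadata. The following is an added example (not code from the article, Okta or App Control) that performs those checks; the metadata it parses is constructed for illustration, and the entity ID, URLs and certificate blob in it are placeholders.

```python
"""Sanity-check an Okta IdP metadata XML before uploading it to App Control.

Added example; not code from the original article, Okta or App Control.
SAMPLE_OKTA_METADATA is constructed: the entity ID, URLs and certificate
blob are placeholders. The checks assume the standard SAML 2.0 metadata
schema that Okta's "Identity Provider metadata" link returns.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder "certificate": base64 of a DER-looking prefix, NOT a real X.509 cert.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x82\x01\x00constructed placeholder").decode()

SAMPLE_OKTA_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exk000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exk000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Return a summary dict; 'problems' is empty when the file looks usable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (SPSSODescriptor) is the usual mix-up here.
        problems.append("no IDPSSODescriptor; is this SP metadata instead?")
        return {"entity_id": entity_id, "sso_url": None, "signing_certs": 0, "problems": problems}

    # App Control posts the AuthnRequest, so the HTTP-POST binding is the one that matters.
    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            sso_url = sso.get("Location")
    if not sso_url:
        problems.append("no HTTP-POST SingleSignOnService")
    elif not sso_url.startswith("https://"):
        problems.append("SSO URL is not https: %s" % sso_url)

    # Without a signing certificate the SP cannot verify any assertion.
    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            problems.append("signing KeyDescriptor without X509Certificate")
            continue
        try:
            der = base64.b64decode("".join(cert.text.split()), validate=True)
        except ValueError:
            problems.append("X509Certificate is not valid base64")
            continue
        if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
            problems.append("X509Certificate does not decode to a DER SEQUENCE")
            continue
        signing_certs += 1
    if signing_certs == 0:
        problems.append("no usable signing certificate; assertions could not be verified")

    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if formats and EMAIL_FORMAT not in formats:
        problems.append("IdP does not advertise the emailAddress NameID format")

    return {"entity_id": entity_id, "sso_url": sso_url,
            "signing_certs": signing_certs, "problems": problems}


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_OKTA_METADATA))
```

Run it against the real file with `check_idp_metadata(open("metadata.xml").read())`; an empty `problems` list means the file carries everything App Control needs to validate Okta's signed assertions.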


Additional Notes

A console user whose email address matches the Okta user's email address must already exist in the App Control console before a SAML login can succeed. That console login can be created initially either:
  • Manually from the Login Accounts menu in the console
  • By logging in with an Active Directory user account first, before attempting SAML
The NameID in the SAML assertion is expected to be in email address format and to look similar to:
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</NameID>
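When a login fails after the setup above, the usual causes are a NameID that is not in emailAddress format, an email that does not match any console login account, or an Audience that does not equal the SP Entity ID entered in Okta. The following is an added example (not code from the article, Okta or App Control) that pulls those three values out of a decoded SAML response and reports which one is wrong. The response it parses is constructed and unsigned; verifying the signature against the IdP certificate is out of scope here and must happen before any real assertion is trusted. Whether App Control compares email addresses case-insensitively is not stated in the article, so the match below is exact and a case-only difference is reported separately as a hint.

```python
"""Check the NameID and Audience of a decoded SAML response against the
App Control expectations: emailAddress NameID format, a matching console
login account, and an Audience equal to the SP Entity ID.

Added example; not code from the original article, Okta or App Control.
SAMPLE_RESPONSE is constructed and unsigned. The exact-match rule for the
email is an assumption; the article does not say how App Control compares.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# SP Entity ID from the article; APPCSERVER is the console hostname placeholder.
SP_ENTITY_ID = "https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2020-09-09T12:00:00Z"
    Destination="https://APPCSERVER/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp">
  <saml:Issuer>http://www.okta.com/exk000000000000000</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-09-09T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exk000000000000000</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def extract_name_id(response_xml: str) -> Tuple[str, str]:
    """Return (Format, value) of the assertion's Subject/NameID."""
    root = ET.fromstring(response_xml)
    node = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("response carries no Assertion/Subject/NameID")
    return node.get("Format", ""), (node.text or "").strip()


def audiences(response_xml: str) -> List[str]:
    """Return every Audience value under the assertion's Conditions."""
    root = ET.fromstring(response_xml)
    path = "./saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(a.text or "").strip() for a in root.findall(path, NS)]


def match_console_user(response_xml: str, console_logins: List[str]) -> Tuple[Optional[str], str]:
    """Return (matched login, reason). Login is None when the SP would reject the assertion."""
    fmt, value = extract_name_id(response_xml)
    if fmt != EMAIL_FORMAT:
        return None, "unexpected NameID format %r (Okta app must use EmailAddress)" % fmt
    if SP_ENTITY_ID not in audiences(response_xml):
        return None, "Audience does not contain the SP Entity ID; check the Audience URI in Okta"
    for login in console_logins:
        if login == value:
            return login, "ok"
    for login in console_logins:
        if login.lower() == value.lower():
            return None, "no exact match; console login %r differs only in case from NameID %r" % (login, value)
    return None, "no console login matches NameID %r; create the user first" % value


if __name__ == "__main__":
    # Constructed list of login accounts that exist in the console.
    print(match_console_user(SAMPLE_RESPONSE, ["admin@example.com", "user@example.com"]))
```

To use it on a real failure, base64-decode the SAMLResponse form field captured from the browser's POST to the saml2-acs.php URL and pass the XML in as `response_xml`, together with the email addresses listed under Login Accounts in the console.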

Article Information
Creation Date: 09-09-2020