Configure Okta for SAML SSO


Introduction

Okta is an Identity and Access Management solution that can be used for SAML Single Sign-On (SSO) with the CIS SecureSuite Platform.

This guide explains how CIS SecureSuite Platform System Admins can configure Okta as their organization's identity provider for SSO.

Steps

1. Create and configure SAML application.
2. Get SAML metadata.
3. Disable Federation Broker Mode.
4. Connect Okta application to the CIS SecureSuite Platform.

Tip

We recommend keeping the CIS SecureSuite Platform open on the IdP page in Admin. You'll need to copy/paste values from the IdP to the CIS SecureSuite Platform and vice versa.

Create and configure SAML Application

Start by creating and configuring the SAML application in Okta.

1. Log in to your Okta account.
2. From the left navigation, go to Applications > Applications.

3. Select Create App Integration.

4. Select SAML 2.0 and then Next.

Configure General Settings

  • In App name, enter a user-friendly, descriptive name (e.g., SecureSuite SSO) and select Next.

Configure SAML Settings

  • Configure the fields as follows:

    • Single sign-on URL: Enter or copy/paste the Redirect URI found on the IdP page in the CIS SecureSuite Platform's Admin area.
    • Use this for Recipient URL and Destination URL: Leave checkbox checked since both are usually the same.
    • Audience URI (SP Entity ID): Enter or copy/paste the SP Entity ID found on the IdP page in the CIS SecureSuite Platform's Admin area.
    • Default RelayState: Leave blank.
    • Name ID Format: Leave as Unspecified.
    • Application username: Leave as Okta username.
    • Update application username on: Leave as Create and update.

Note

If you need to configure or view advanced settings, select Show Advanced Settings. None of the advanced settings are required for setting up SAML SSO for the CIS SecureSuite Platform.

Configure Attribute Statements

Next, scroll down from the SAML settings to configure attributes, which provide information about the user and are sent as part of a SAML assertion.

1. Configure as follows:

  • Name: Enter username.
  • Name format: Leave as Unspecified.
  • Value: Enter or select user.login.

2. Select Add Another.
3. Repeat steps 1-2 until you have added all the attributes shown in the table below:

Name      | Name format | Value
username  | Unspecified | user.login
firstName | Unspecified | user.firstName
lastName  | Unspecified | user.lastName
email     | Unspecified | user.email

4. Select Next to finish creating the SAML application.

Finish Creating Application

1. Select This is an internal app that we have created.

2. Select Finish.

The application will be created, and you will automatically land on the application's Sign On tab. This is where to find the SAML metadata necessary to connect the SAML application to the CIS SecureSuite Platform.

Get SAML Metadata URL, File, or Information

To establish the connection between the Okta SAML application and the CIS SecureSuite Platform, you need the SAML application's metadata. This metadata can be brought into the CIS SecureSuite Platform through a URL, file, or manual input.

Get Metadata URL

Get Metadata File

1. Copy the metadata URL.
2. Paste the URL into a browser and save the resulting page as a file to use when configuring the IdP in the CIS SecureSuite Platform.

Get Metadata Information

Tip

If inputting the SAML metadata manually into the CIS SecureSuite Platform, consider having Okta and the CIS SecureSuite Platform open to copy/paste the values.

1. Copy or note down the value for Sign on URL to enter into the SSO Service URL field on the CIS SecureSuite Platform IdP page.
2. Copy or note down the value for Issuer to enter into the IdP Entity ID field on the CIS SecureSuite Platform IdP page.
3. For Signing Certificate, select Copy to get the certificate to enter into the SAML Signing Certificate field on the CIS SecureSuite Platform IdP page.

Disable Federation Broker Mode

Federation Broker Mode prevents specific users and groups from being assigned to the application.

1. Go to the General tab of the application.
2. Verify that Federation Broker Mode is disabled.
3. (If enabled) Select Edit, then Disable Federation Broker Mode, then Continue.
4. Select Save.

Connect Okta Application to the CIS SecureSuite Platform

With the SAML metadata URL, file, or information, finish setting up SSO with Okta by connecting the IdP to the CIS SecureSuite Platform.

1. Open the CIS SecureSuite Platform.
2. Go to Admin > IdP.
3. From the External Identity Provider dropdown, select SAML.
4. Complete the fields by providing the metadata URL, uploading the metadata file, or entering the information manually.

Tip

Refer to the Connect with SAML procedure for detailed instructions on this step.

5. Select Submit to establish the connection.