Connect to Okta IDP using SAML 2.0
This article describes how to integrate ACP with Okta IDP using SAML 2.0.
About SAML
Security Assertion Markup Language (SAML) is an XML-based open standard for transferring a user's identity data between identity providers and service providers.
SAML's benefits include the following:
- Improved user experience
SAML enables Single Sign-On (SSO): the user authenticates with the IDP and then accesses the service protected by ACP without authenticating again.
- Reduced administration costs for service providers
SAML reuses a single act of authentication many times, which can reduce the cost of maintaining account data.
- Risk transfer
Using SAML shifts the responsibility for identity management and IAM-related risks from the service provider to the identity provider.
Prerequisites
You have an Okta account.
Connect Okta SAML IDP
- In ACP, go to Identities > CREATE IDENTITY.
- Choose SAML and select NEXT.
- Log in to your Okta account and go to Applications > Add application > Create New App.
Result
A pop-up window appears where you can create a new application integration.
- For platform, choose Web and for the sign-on method choose SAML 2.0.
- Provide a name for your application, add a logo and configure the visibility of your application. Select NEXT.
- In the Configure SAML tab, select Download Okta certificate.
- Open the saved certificate in a text editor that can display .cert files and copy its content.
Example
The certificate is a PEM-encoded block delimited by a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line.
- Go to ACP and paste the certificate into the IDP certificate text area.
- Provide a name for your IDP and a dummy sign-in URL.
- Select SAVE.
Result
Your new SAML IDP is created.
Note
The Entity issuer from ACP maps to Okta's Audience URI, and the Redirect URL from ACP maps to Okta's Single sign on URL.
- Copy the Entity issuer value from ACP and paste it into Okta's Audience URI field.
- Copy the Redirect URL value from ACP and paste it into Okta's Single sign on URL field.
- Configure the rest of the fields as needed and select Next.
- Provide your feedback for Okta and select Finish.
Result
Your application is created.
You can now provide the correct Sign in URL in your ACP SAML IDP configuration.
- Click View Setup Instructions.
- Copy the Identity Provider Single Sign-On URL value.
- Go to ACP > Identities > Your SAML IDP.
- Paste the URL into the Sign in URL field and select Save.
Result
Your SAML IDP is configured and ready to be used.
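The three values exchanged above (Entity issuer, Redirect URL, IDP certificate) must agree on both sides, and a mismatch shows up only at login time. The following added example, which is not ACP or Okta code, checks a captured SAML Response against those settings using constructed placeholder values (the URLs, the certificate body and the Okta issuer are all assumed, not real); it confirms configuration consistency only and does not verify the XML signature, which the service provider does.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for the ACP values the procedure copies into Okta.
ACP_ENTITY_ISSUER = "https://acp.example.com/default/saml"      # -> Okta "Audience URI"
ACP_REDIRECT_URL = "https://acp.example.com/default/saml/acs"   # -> Okta "Single sign on URL"
IDP_CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----"  # placeholder body

def pem_body(pem):
    """Strip the PEM armour and all whitespace so two copies of a certificate compare exactly."""
    return re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem)

def check_saml_response(xml_text, entity_issuer, redirect_url, idp_cert_pem, now):
    """Return the list of mismatches between a SAML Response and the ACP/Okta settings (empty = consistent)."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != redirect_url:
        findings.append("Destination != ACP Redirect URL (Okta Single sign on URL)")
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != entity_issuer:
        findings.append("Audience != ACP Entity issuer (Okta Audience URI)")
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None or pem_body(cert) != pem_body(idp_cert_pem):
        findings.append("signing certificate is not the IDP certificate configured in ACP")
    cond = root.find(".//saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        findings.append("assertion expired or has no NotOnOrAfter")
    return findings

# Constructed SAML Response shaped like an Okta POST to the ACS; the SignatureValue is omitted on purpose.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" Destination="{ACP_REDIRECT_URL}">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>http://www.okta.com/CONSTRUCTED-ISSUER</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{pem_body(IDP_CERT_PEM)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{ACP_ENTITY_ISSUER}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
FIXED_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # inside the assertion's validity window

def check_sample(entity_issuer=ACP_ENTITY_ISSUER, redirect_url=ACP_REDIRECT_URL, cert=IDP_CERT_PEM):
    """Run the check on the sample response; pass a different value to see the matching finding."""
    return check_saml_response(SAMPLE_RESPONSE, entity_issuer, redirect_url, cert, FIXED_NOW)
```

With the defaults the check returns an empty list; swapping in a wrong Entity issuer, Redirect URL or certificate yields the single finding that names the ACP field and its Okta counterpart.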
User test
- In Okta, make sure that your user is assigned to the application.
Tip
You can check your user assignments in Okta > Applications > People or Groups.
- In ACP, go to Workspace Directory > User Portal.
Expected result
If you have other IDPs configured, the new SAML IDP is added to the list of available IDPs that users can choose from. If the SAML IDP is the only IDP configured for your users, they are taken directly to the Okta login screen.