Connect to Okta IDP using SAML 2.0

This article describes how to integrate ACP with Okta IDP using SAML 2.0.

About SAML

Security Assertion Markup Language (SAML) is an XML-based open standard for transferring a user's identity data between identity providers and service providers.

The benefits of SAML include the following:

  • Improved user experience

    SAML enables Single Sign-On (SSO). The user authenticates with the IDP once and can then access the service protected by ACP without additional authentication.

  • Reduced costs of administration for service providers

    SAML reuses a single act of authentication multiple times, which may reduce the cost of maintaining account data.

  • Risk transfer

    Using SAML shifts the responsibility for identity management and IAM-related risks from the service provider to the identity provider.

Prerequisites

You have an Okta account.

Connect Okta SAML IDP

  1. In ACP, go to Identities > CREATE IDENTITY.

  2. Choose SAML and select NEXT.

  3. Log into your Okta account and go to Applications > Add application > Create New App.

    Result

    A pop-up window appears where you can create a new application integration.

  4. For the platform, choose Web; for the sign on method, choose SAML 2.0.

  5. Provide a name for your application, add a logo and configure the visibility of your application. Select NEXT.

    Creating new app integration with SAML

  6. In the Configure SAML tab, select Download Okta certificate.

  7. Open the saved certificate with your favorite text editor that can display .cert files and copy its content.

    Example

    The certificate is a PEM-encoded block: a `-----BEGIN CERTIFICATE-----` line, several lines of base64 text, and a closing `-----END CERTIFICATE-----` line. Copy all of it, including both marker lines.

  8. Go to ACP and paste the certificate into the IDP certificate text area.

  9. Provide a name for your IDP and a placeholder sign-in URL. You replace it with the real Okta sign-in URL later, once the Okta application exists.

    Creating SAML IDP in ACP

  10. Select SAVE.

    Result

    Your new SAML IDP is created.

    Note

    The Entity issuer value from ACP maps to Okta's Audience URI field, and the Redirect URL value maps to Okta's Single sign on URL field.

  11. Copy the Entity issuer value from ACP and paste it into Okta's Audience URI field.

  12. Copy the Redirect URL value from ACP and paste it into Okta's Single sign on URL field.

    Configuring SAML in Okta

  13. Configure the rest of the fields as needed and select Next.

  14. Provide your feedback for Okta and select Finish.

    Result

    Your application is created.

    You are now able to provide the correct Sign in URL in your ACP SAML IDP configuration.

  15. Click View Setup Instructions.

  16. Copy the Identity Provider Single Sign-On URL value.

  17. Go to ACP > Identities > Your SAML IDP.

  18. Paste the URL in the Sign in URL and select Save.

    Result

    Your SAML IDP is configured and ready to be used.
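The values exchanged in steps 11 and 12 are what let ACP reject an assertion that Okta issued for a different service provider or sent to a different endpoint. As an added example, not code from ACP or Okta, the following Python sketches the destination, issuer, audience and expiry checks a SAML service provider performs on a response; all URLs and identifiers are constructed placeholders, and XML signature verification with the certificate from step 7 is assumed to have already passed.

```python
# Added example, not ACP's or Okta's own code: the destination, issuer, audience
# and expiry checks a SAML service provider such as ACP applies to an Okta response.
# All URLs and identifiers below are constructed placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical ACP values: Entity issuer (pasted into Okta's Audience URI) and
# Redirect URL (pasted into Okta's Single sign on URL), plus the Okta issuer.
SP_ENTITY_ID = "https://acp.example.test/saml/okta-idp"
SP_ACS_URL = "https://acp.example.test/saml/okta-idp/acs"
IDP_ISSUER = "http://www.okta.example.test/exk0000000000000"

# Constructed, unsigned sample response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://acp.example.test/saml/okta-idp/acs">
  <saml:Issuer>http://www.okta.example.test/exk0000000000000</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>http://www.okta.example.test/exk0000000000000</saml:Issuer>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://acp.example.test/saml/okta-idp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, now=None):
    """Return a list of problems; an empty list means the response passed.
    Signature verification is assumed to have succeeded before this runs."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination does not match the ACP Redirect URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ISSUER:
        problems.append("Issuer is not the configured Okta IDP")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:  # assertion was minted for another SP
        problems.append("Audience does not contain the ACP Entity issuer")
    cond = assertion.find("saml:Conditions", NS)
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        problems.append("assertion has expired (NotOnOrAfter)")
    return problems
```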

User login test

  1. In Okta, make sure that your user is assigned to the application.

    Tip

    You can check your user assignments in Okta > Applications > People or Groups.

  2. In ACP, go to Workspace Directory > User Portal.

    Expected result

    If you have other IDPs configured, the new SAML IDP is added to the list of available IDPs the user can choose from. If the SAML IDP is the only IDP you have configured for your users, they are taken directly to Okta's login screen.

    Okta login page