Configuring SAML-based SSO with Okta

This is a quickstart guide to configure SAML 2.0-based Single Sign-on with a Softadmin® system as Service Provider and Okta as Identity Provider.

Before getting started

All stakeholders should agree on which information about users that the Identity Provider will share with the Softadmin® system and how end user permissions in the Softadmin® system will be administered.

Firewalls must allow the Softadmin® system to make https requests to the Okta system.

Participants

  • A Softadmin® administrator
  • An Okta administrator

During configuration the administrators will need to share some system-specific configuration values with each other.

The Softadmin® administrator will share:

  • Service Provider Identity
  • Service Provider Postback URL

The Okta administrator will share:

  • Identity Provider Metadata URL
  • Sample Assertion

Softadmin® administrator

  1. Choose a Service Provider Identity for the Softadmin® system. Use the system's own URL (for example https://softadmin.example.com) unless you have good reasons not to. Set the system setting SingleSignOnSamldentity to this identity.

  2. Set SingleSignOnLoginProcedure to the name of the stored procedure that will extract user attributes from the SAML Assertion. Read more

  3. Set SingleSignOnSamlAllowUnsolicitedResponses to Yes so that end users can open the Softadmin® system by from their Okta dashboard.

  4. The Service Provider Postback URL is the location of the system's LoginPostback.aspx-page, for example https://softadmin.example.com/LoginPostback.aspx.

  5. Share the Service Provider Postback URL and the Service Provider Identity with the Okta administrator.

Okta administrator

See the Okta documentation if you need further details on adding a new integration.

  1. In Applications, click Add Application and then Create New App.

  2. Choose Platform Web and Method SAML 2.0. Click Create.

  3. In General Settings, enter an appropriate App name. Click Next.

  4. In Configure SAML, enter the Service Provider Postback URL you received into the Single sign on URL field, enter the Service Provider Identity into the Audience URI (SP Entity ID) field.

  5. Under Attribute Statements and Group Attribute Statements, enter all previously agreed upon attributes to share with the Softadmin® system.

  6. Click Preview the SAML Assertion to generate the Sample Assertion and save it.

  7. Click Next and then Finish.

  8. Scroll down to the SAML 2.0 section and click the Identity Provider metadata link to get the Identity Provider Metadata URL.

  9. Share the Identity Provider Metadata URL and the Sample Assertion with the Softadmin® administrator.

  10. Switch to the Assignment tab and assign users or groups to the application.

Softadmin® administrator

  1. Verify that the Sample Assertion can be parsed by SingleSignOnLoginProcedure.

  2. Enter the Identity Provider Metadata URL into the SingleSignOnSamlMetadataUrl system setting.

  3. Change the SingleSignOn system setting to SAML 2.0.