Configure Okta SAML 2.0 IdP for JIT
Objective
This page describes the Okta SAML 2.0 setup for both the JIT and non-JIT flows.
Integrating Access Management 2.0 with Okta SAML 2.0
This section shows how to integrate Access Management 2.0 (AM 2.0) with Okta, where Okta serves as the Identity Provider (IdP). The protocol used for authentication is SAML 2.0. The steps involve exchanging the IdP metadata URL (which serves the IdP's XML metadata) and the Service Provider metadata between the IdP and the AM 2.0 SP.
Step 1: Identity Provider in AM 2.0
Log in to the AM 2.0 Admin Console. Select the maactive realm.
Note: In case you have Restricted Admin Access on AM 2.0, then use the URL:
https://<stack_name>-auth.<domain_name>/auth/admin/maactive/console/
Click on the Identity Providers option from the left panel and select SAML v2.0 from the list of providers.
Enter the Alias. This will be the default display name on the login page.
Please note that the Alias forms part of the Redirect URI. If the page does not display it, you can construct the Redirect URI yourself and keep it handy.
E.g. if the Alias is set to samlokta, the Redirect URI is https://localdocker:8443/auth/realms/sample/broker/samlokta/endpoint
Optionally enter a Display Name. This is the name shown on the login page, in case you need it to be different from the alias.
Take note of the Service provider entity ID value from the same page.
Step 2: SAML 2.0 App Registration in Okta
Next, register AM 2.0 as a SAML 2.0 application in Okta. In the Okta admin page, go to Applications → Click Create App Integration.
Select the SAML 2.0 radio button, and click Next.
Provide the application name under the App name, and click Next.
Copy Redirect URI from AM 2.0’s provider page, from Step 1. Configure this URL in the Single sign on URL field.
Copy the Service Provider Entity ID from AM 2.0’s provider page, from Step 1 and configure this URL in the Audience URI field.
Leave the other fields at their default values. Hit Next. Select the fields as indicated below and select Finish.
Step 3: Get the IdP Metadata URL From Okta
Now, in the same Okta application configuration page, click on the Sign On tab. You will find the metadata URL here. Copy this URL; it will be configured in AM 2.0 in the next step.
Step 4: Configure AM 2.0 With IdP Metadata
Paste the metadata link from Okta in the SAML entity descriptor field on AM 2.0’s provider page. If the URL is correct, you will see a green tick on the right.
Click on Add. This will create a basic SP configuration on AM 2.0 for this Okta application.
Step 5: Configure other fields on AM 2.0
Scroll down and set the Want AuthnRequests signed option to be On.
Now scroll to the bottom of AM 2.0’s provider configuration page and select First Login Flow and Post Login Flow, if not already pre-selected.
Click on Save.
Step 6: Configure Mapping for JIT (this step is mandatory only if you would like to enable SAML JIT)
If a customer requires SAML JIT to be enabled, 4 mandatory mappers need to be added on both sides, AM 2.0 as well as Okta. If SAML JIT is not required, skip this step entirely.
To add mappers in AM 2.0, click the Mappers tab on the same SP configuration page. Click on the Add mapper button.
Configure User.UserId mapper by filling in the fields as shown in the image below.
Click on Save.
Similarly, configure User.LocaleId mapper by filling in the fields as shown in the image below.
Click on Save.
Similarly, configure User.PrimaryOrgId mapper by filling in the fields as shown in the image below.
Click on Save.
Similarly, configure User.Roles mapper by filling in the fields as shown in the image below.
Click on Save.
To add mappers on the Okta side to support SAML JIT, go to the General settings tab and click on the Edit button in SAML Settings.
Click on the Configure SAML button to open the Configure SAML tab, and add the 4 attributes as shown below.
Note: the values shown in the above image in the Okta side mapper configuration are only for example. Please enter values as per your requirements.
Click on Next and then click on Finish. You are now done with the SAML JIT configuration.
Step 7: Configure logout
To configure logout, a Signing certificate needs to be extracted from AM 2.0 and saved on the Okta side.
To extract this Signing certificate from AM 2.0, go to Realm settings → Keys → Certificate.
The certificate will look like below:
Follow the template shown below to create a new certificate file.
-----BEGIN CERTIFICATE-----
<PASTE THE CERT HERE!>
-----END CERTIFICATE-----
Replace the text “<PASTE THE CERT HERE!>” with the copied certificate data from above. It should look like this after the replace:
This file needs to be saved on the Okta side. Now on the Okta side, go to the General settings tab and click the Edit button in SAML Settings. Click on Show Advanced Settings.
The certificate saved goes in the Signature Certificate field.
Get the Single Logout URL from the AM 2.0 metadata URL of this realm. The metadata link can be found on the IDP configuration page, as shown below.
The metadata will look like below:
Extract this URL and save it in the Single Logout URL field.
The SP issuer will be the same as the SP Entity ID, which we saw in Step 1.
After saving all of these changes, go to the Sign On tab in Okta and get the metadata URL.
Okta metadata will now have a SingleLogoutService field populated to reflect the Logout URL.
Use this URL to configure the logout on the AM 2.0 side. Save the change.
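To confirm that the Okta metadata really does advertise a SingleLogoutService after Step 7, and to see which signing certificate it carries, the following added example (not code from the page or from Okta) parses an IdP EntityDescriptor. The metadata document, host names, app id and certificate bytes below are constructed placeholders.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; compare it with the certificate you pasted into Okta."""
    return hashlib.sha256(der).hexdigest()

def summarize_idp_metadata(metadata_xml: str) -> dict:
    """Return entityID, SSO/SLO endpoints keyed by binding, and the SHA-256
    fingerprints of the signing certificates found in an IdP EntityDescriptor."""
    root = ET.fromstring(metadata_xml)  # use defusedxml for metadata from untrusted sources
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    def endpoints(tag):
        # {"HTTP-POST": location, ...}; an empty dict means the service is not advertised
        return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.iterfind(f"md:{tag}", NS)}
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        b64 = kd.find(".//ds:X509Certificate", NS).text
        certs.append(cert_fingerprint(base64.b64decode("".join(b64.split()))))
    return {"entity_id": root.get("entityID"),
            "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"),
            "signing_cert_sha256": certs}

# Constructed sample metadata: host name, app id and certificate bytes are placeholders.
PLACEHOLDER_DER = b"PLACEHOLDER-CERT"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exkEXAMPLE/slo/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `summarize_idp_metadata` on the XML fetched from the Okta metadata URL; an empty `slo` dict means the Single Logout URL from Step 7 was not saved on the Okta side.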
Step 8: Additional attributes configuration
If additional attributes are needed, they can be configured as well. Below is the list of attributes that can be configured. You will have to pass the attribute from the IdP side to receive it on the SP side.
| Keycloak Attribute Name | SAML Attribute Name | Multi Valued or Not |
|---|---|---|
| User.UserId | User.UserId | No |
| User.PrimaryOrgId | User.PrimaryOrgId | No |
| User.FirstName | User.FirstName | No |
| User.LastName | User.LastName | No |
| User.LocaleId | User.LocaleId | No |
| User.DateOfBirth | User.DateOfBirth | No |
| User.UserOrgs | User.UserOrgs | Yes |
| User.Locations | User.Locations | Yes |
| User.Roles | User.Roles | Yes |
| User.Gender | User.Gender | No |
| User.Address1 | User.Address1 | No |
| User.Address2 | User.Address2 | No |
| User.City | User.City | No |
| User.State | User.State | No |
| User.PostalCode | User.PostalCode | No |
| User.Country | User.Country | No |
| User.Phone | User.Phone | No |
| User.Email2 | User.Email2 | No |
| User.UserTimeZone | User.UserTimeZone | No |
| User.AvailableUserLocales | User.AvailableUserLocales | Yes |
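The following added example (not code from the page or from AM 2.0) shows what the Step 6 and Step 8 mappers amount to on the wire: it pulls the attributes out of a SAML Response's AttributeStatement, treats the attributes the table marks multi-valued as lists, and rejects a response that lacks any of the four JIT attributes. The response below is constructed sample data with the signature and other elements omitted.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The four mappers Step 6 requires for SAML JIT.
MANDATORY = ("User.UserId", "User.LocaleId", "User.PrimaryOrgId", "User.Roles")
# Attributes the Step 8 table marks as multi-valued; all others take exactly one value.
MULTI_VALUED = {"User.UserOrgs", "User.Locations", "User.Roles", "User.AvailableUserLocales"}

def extract_jit_attributes(response_xml: str) -> dict:
    """Return {attribute name: value or list of values}. Raises ValueError when a
    mandatory JIT attribute is missing or a single-valued one carries several values."""
    root = ET.fromstring(response_xml)  # use defusedxml when parsing responses in production
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        if name in MULTI_VALUED:
            attrs[name] = values
        elif len(values) == 1:
            attrs[name] = values[0]
        else:
            raise ValueError(f"{name} must carry exactly one value, got {len(values)}")
    missing = [n for n in MANDATORY if n not in attrs]
    if missing:
        raise ValueError("missing mandatory JIT attributes: " + ", ".join(missing))
    return attrs

# Constructed sample: the attribute statement Okta sends once the four Step 6
# attributes are configured (values are placeholders).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.UserId"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.LocaleId"><saml:AttributeValue>en_US</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.PrimaryOrgId"><saml:AttributeValue>org-100</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Roles">
        <saml:AttributeValue>Viewer</saml:AttributeValue>
        <saml:AttributeValue>Editor</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```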