OKTA authentication configuration SAML

This how-to guide describes how to configure Unit4 Identity Services (U4IDS) with OKTA as a SAML 2.0 identity provider.

Prerequisites

  • Administrative access to OKTA
  • Knowledge of OKTA and how to create an OKTA application
  • U4IDS authority address (in the rest of this topic, https://<address of U4IDS installation>/identity denotes the identity endpoint of your U4IDS installation; the sample value https://u4ids-sandbox2.azurewebsites.net is used as the installation address)
  • Access to U4IDS in order to create a tenant

The list of official IDS environments can be found here

Steps

Set up trust between U4IDS and your OKTA as follows:

  1. Create a new OKTA Application
    1. Create a new OKTA application
    2. Set the redirect URIs
    3. Get the Entity id
    4. Get the metadata address
  2. Register the OKTA application as a tenant in U4IDS
    1. Select the Unit 4 identity claim type and Name claim type
    2. Set the authority and idpRegId

Register U4IDS as an application in OKTA

Follow these steps:

Create a new OKTA Application

Create a new application in your OKTA account by clicking the Create Application button in the Applications section.

Select SAML 2.0 as the authentication method.

Give the application a name indicating that it is used for U4IDS authentication.

Set the redirect URIs

Enter the U4IDS ACS URL in the Single sign on URL field, following the pattern https://<address of U4IDS installation>/identity/AuthServices/acs. Make sure that "Use this for Recipient URL and Destination URL" is checked.

Switch to the Sign On tab and click the Identity Provider metadata link.

It opens a new tab with the metadata XML.

Save the metadata URL as the Authority and the entityID from the metadata as the IdpRegId.

Go to the Assignments tab and assign all users who will use SSO to authenticate to your U4F website.

Register the OKTA application as a tenant in U4IDS

After the above steps are done, the collected information can be entered into the Tenant resource in U4IDS:

  {
    "authority": "<your OKTA metadata URL>",
    "idpRegId": "<your OKTA Entity Id>",
    "nameClaimType": "name",
    "protocol": "saml2",
    "tenantId": "<your Unit4 tenant ID>",
    "unit4IdClaimType": ["email"]
  }

When using the U4IDS portal, this could look like:

Select a unit4IdClaimType

For the unit4IdClaimType claim type, the value email was used here, but you could use another claim that is unique for a user in OKTA.

Set the authority and idpRegId

The authority in IDS is the metadata endpoint (metadata URL) from OKTA. The idpRegId in IDS is the Entity Id from OKTA.
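As an added example (not part of this guide or of the U4IDS product), the script below reads the OKTA IdP metadata XML, extracts the entityID that becomes idpRegId, checks that the metadata carries a signing certificate and an HTTP-POST SSO endpoint, and assembles the Tenant resource shown above with the metadata URL as authority. The metadata content, URLs, entityID and tenant ID are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used in SAML 2.0 metadata documents
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what the OKTA "Identity Provider metadata" link returns.
# The entityID, URLs and certificate are placeholders, not values from any real tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.okta.com/app/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return (entityID, HTTP-POST SSO URL or None, has_signing_cert) from IdP metadata XML."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    # OKTA publishes its signing certificate in a KeyDescriptor with use="signing"
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_POST]
    return root.get("entityID"), (sso[0] if sso else None), bool(certs)

def build_tenant(metadata_url, xml_text, tenant_id):
    """Build the U4IDS Tenant resource: authority = metadata URL, idpRegId = entityID."""
    if urlparse(metadata_url).scheme != "https":
        raise ValueError("authority must be an https URL")
    entity_id, sso, has_cert = parse_idp_metadata(xml_text)
    if not (entity_id and sso and has_cert):
        raise ValueError("metadata lacks entityID, HTTP-POST SSO endpoint or signing cert")
    return {
        "authority": metadata_url,
        "idpRegId": entity_id,
        "nameClaimType": "name",
        "protocol": "saml2",
        "tenantId": tenant_id,
        "unit4IdClaimType": ["email"],
    }
```

Feeding the real metadata URL and its content to build_tenant yields the JSON body to submit as the Tenant resource; a metadata document without a signing certificate is rejected rather than registered.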