How to configure Okta for SSO

This topic details how to configure Okta for single sign-on (SSO). Okta is a common identity provider with wide application support.

This topic is part of Phase Two in Configuring SAML SSO authentication. For an overview of the complete process, see Working with SAML for single sign-on (SSO).

IMPORTANT  Before completing these steps, you will need to follow the steps in Prepare Venafi Platform for SAML SSO. You will need configuration information from the Venafi Service Provider Metadata XML file to complete this process.

You must have an existing functional Okta deployment to use these steps. These instructions detail how to add a new Application (Venafi Platform) to Okta. Consult the Okta documentation if you need to configure Okta to obtain data from your identity store.

Before you begin, you will want to consult with your identity provider management team to determine who should be able to authenticate to Venafi Platform via Okta. You'll need that information near the end of the procedure below.

IMPORTANT  While Venafi makes an effort to provide accurate information on third-party integration steps, these steps may differ for your service provider, especially as identity providers release new updates. If you have questions about how to use this third-party integration, we recommend you start with the vendor's documentation and support teams. These instructions should be considered a template, not definitive steps. Your specific steps may vary, depending on how your organization integrates with each third-party platform.

To configure Okta for single sign-on

  1. Log in to the Okta Classic UI.
  2. From the menu, click Applications > Applications.
  3. Click Add Application.
  4. Click Create New App.

    You should see the Create a New Application Integration dialog box.

  5. For Platform, select Web.
  6. For Sign on method, select SAML 2.0.
  7. Click Create.

    You should see the Create SAML Integration page, opened to step 1, General Settings.

  8. Enter a unique name for the Venafi Platform cluster you are integrating with.

    The name must be unique in your Okta application list.

  9. [Optional] Add a logo if desired, then click Next (leaving the boxes unchecked).

    You should see step 2, Configure SAML.

    Okta does not allow you to import the SP Metadata XML file, so for the next step, you will need to copy information from the SAML Properties window in Venafi Configuration Console.

  10. In General settings:

    1. In Single sign on URL, paste the corresponding URL from the Service provider details section of the SAML Properties window in Venafi Configuration Console.

      For example: https://test.venafi.com/aperture/api/saml/acs

    2. Select the box for Use this for Recipient URL and Destination URL.
    3. Leave the box unselected for Allow this app to request other SSO URLs.
    4. In Audience URI (SP Entity ID), paste the corresponding URL from the Service provider details section of the SAML Properties window in Venafi Configuration Console.

      For example: https://test.venafi.com/aperture/api/saml/acs

    5. Leave Default RelayState empty.
    6. For Name ID format, select EmailAddress.
    7. For Application username, select Email.
  11. Click Show Advanced Settings, and complete the following fields:

    Okta Application advanced configuration settings

    Field                          Value
    Response                       Signed
    Assertion Signature            Unsigned
    Signature Algorithm            RSA-SHA256
    Assertion Encryption           Unencrypted
    Enable Single Logout           Leave unselected
    Authentication Context Class   PasswordProtectedTransport
    Honor Force Authentication     Yes
    SAML Issuer ID                 Leave blank
  12. Leaving all the rest of the attributes in their default state, scroll to the bottom of the form and click Next.

    You will be taken to step 3: Feedback.

  13. Select I'm an Okta customer adding an internal app.
  14. Click Finish.

    The application integration will be created, and you'll be taken to the application details page.

  15. On the Sign On tab, under Settings > Sign On Methods, click Identity Provider metadata.
  16. Download the IdP Metadata XML file on the Venafi Platform host.

    For example: Okta-IdP-metadata.xml (the file name is irrelevant).

    TIP  Make sure your text editor does not add any non-text characters to the file.

  17. On the Assignments tab, click Assign > Assign to people.
  18. For each user you want to be able to access Venafi Platform via SAML, click the Assign button next to their name, then click the Save and Go Back button.
  19. Repeat the last step for each user, then click Done.
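The following is an added example, not part of the original Venafi procedure and not Venafi or Okta code: a small Python check to run against the IdP Metadata XML file downloaded in step 16 before it is imported. It flags the kind of editor damage the TIP warns about (a UTF-8 byte order mark, control characters that make the file non-parseable), confirms the file is IdP metadata rather than something else, and pulls out the values the import depends on: the entityID, the single sign-on endpoints, whether the EmailAddress Name ID format chosen in step 10 is advertised, and whether a signing certificate is present (without one, a Response marked Signed in step 11 cannot be verified). The embedded sample metadata is constructed for the example; its entityID, endpoint URL and certificate body are placeholders, not real Okta values. Only the Python standard library is used.

```python
"""Sanity-check an Okta IdP metadata XML file before importing it into Venafi.

Added example; assumes the SAML 2.0 metadata namespaces below and standard
library only.  Run with a path argument, or with no argument to check the
constructed sample embedded at the bottom of the file.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Bytes an XML parser rejects: everything below 0x20 except tab, LF and CR.
BAD_CONTROL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def check_idp_metadata(raw: bytes) -> dict:
    """Return a report dict (warnings, errors, extracted values) for raw file bytes."""
    report = {"warnings": [], "errors": []}
    if raw.startswith(b"\xef\xbb\xbf"):
        # A BOM is usually an editor artifact; strip it so parsing can continue.
        report["warnings"].append("UTF-8 BOM present (added by a text editor?)")
        raw = raw[3:]
    if BAD_CONTROL.search(raw):
        report["errors"].append("non-text control characters present")
        return report
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        report["errors"].append(f"not well-formed XML: {exc}")
        return report
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        report["errors"].append(f"unexpected root element {root.tag}")
        return report
    report["entity_id"] = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        report["errors"].append("no IDPSSODescriptor: this is not IdP metadata")
        return report
    # Map binding short name (HTTP-POST, HTTP-Redirect) to its endpoint URL.
    report["sso_endpoints"] = {
        e.get("Binding", "").rsplit(":", 1)[-1]: e.get("Location")
        for e in idp.findall("md:SingleSignOnService", NS)
    }
    formats = [f.text for f in idp.findall("md:NameIDFormat", NS)]
    report["email_nameid_supported"] = EMAIL_FORMAT in formats
    # Collect signing certificates; a KeyDescriptor with no "use" attribute
    # covers both signing and encryption, so it counts too.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                certs.append(base64.b64decode("".join((cert.text or "").split()), validate=True))
            except ValueError:  # binascii.Error is a ValueError subclass
                report["errors"].append("signing certificate is not valid base64")
    report["signing_cert_count"] = len(certs)
    if not certs:
        report["errors"].append("no signing certificate: signed Responses cannot be verified")
    return report


# Constructed sample modelled on the shape of Okta IdP metadata.  The entityID,
# endpoint URL and certificate body are placeholders, not real values.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/placeholder/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".encode()


if __name__ == "__main__":
    import json
    import sys

    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(json.dumps(check_idp_metadata(data), indent=2))
```

Run it as `python check_idp_metadata.py Okta-IdP-metadata.xml` on the file from step 16; an empty `errors` list and an `entity_id` that matches what Okta shows on the Sign On tab are what you want to see before moving on to the import in Venafi Configuration Console. The warning on a BOM is deliberate rather than an error: some importers tolerate it and some do not, so the safe course is to resave the file without it.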

You are ready to finish configuring SSO in Venafi Configuration Console. See Importing Identity Provider Metadata XML into Venafi Configuration Console for SAML.