Set up a SAML application in Okta
1. Click Application from the menu bar.
2. Click Add Application and then Create new Application.
3. In the Create a New Application Integration dialog box, leave Web as the platform and select SAML 2.0 as the protocol that you want to use to sign in. Click Create.
4. On the General Settings, enter a name for the application and then click Next.
Configure SAML Single Sign-On in Okta
1. On the SAML Settings, paste the Assertion Consumer Service (ACS) URL into the SSO URL field. This URL depends on the account domain but generally looks like this: https://<account-domain>:8443/assertion/saml
2. Paste the Issuer ID value from the SAFEQ Cloud SAML configuration into the Audience URI (SP Entity ID) field, or use the https://<accountdomain>:8443/ pattern if the Issuer ID is empty.
3. Select the Name ID format and Application username that your application requires. For example, EmailAddress and Email, or leave the defaults.
4. In the Attribute Statements (Optional) section, add the required SAML attributes for your application.
5. In the Group Attribute Statements (Optional) section, add the required group attributes for your application.
6. Click Next. On the Feedback page, select “I’m an Okta customer adding an internal app”.
7. For App type, select “This is an internal app that we have created”.
8. Click Finish.
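The values entered in the SAML Settings above (SSO URL, Audience URI, Name ID format) must match exactly what SAFEQ Cloud expects, and a mismatch is the usual cause of a failed sign-in. The following added check, which is not part of the SAFEQ Cloud or Okta documentation, parses a SAML Response captured from a browser SAML trace and reports any field that disagrees with the expected configuration; it assumes an account domain of print.example.com, the default port 8443, the EmailAddress Name ID format from step 3, and a constructed sample response.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted captures

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample (not a real capture); the signature value is omitted for brevity.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://print.example.com:8443/assertion/saml">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://print.example.com:8443/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def expected_values(account_domain, issuer_id=None, port=8443):
    """Values the Okta app must carry: SSO URL (ACS) and Audience URI (SP Entity ID)."""
    base = f"https://{account_domain}:{port}"
    # Per the setup steps: fall back to the https://<accountdomain>:8443/ pattern
    # when the SAFEQ Cloud Issuer ID is empty.
    return {"acs_url": f"{base}/assertion/saml", "audience": issuer_id or f"{base}/"}


def check_response(xml_text, account_domain, issuer_id=None):
    """Return a list of mismatches between a captured Response and the expected config."""
    exp = expected_values(account_domain, issuer_id)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != exp["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != SSO URL {exp['acs_url']!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion found (missing or encrypted)"]
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != exp["audience"]:
        got = aud.text if aud is not None else None
        problems.append(f"Audience {got!r} != SP Entity ID {exp['audience']!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is missing or not in EmailAddress format")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion carries no XML signature")
    return problems
```

An empty list means the captured response matches the configured values; each entry otherwise names the Okta field to correct.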
Assign users to the created application
1. Click on the Assignments tab.
2. Click Assign. Select either Assign to People or Assign to Groups. Enter the people or groups that should sign in to the application with Single Sign-On. Click Assign for each.
3. For any people you add, verify the user-specific attributes, and then select Save and Go Back.
4. Click Done.
Configure SAML Single Logout in Okta
Single Logout is configured in the advanced settings, so click “Show Advanced Settings” in the configuration screen.
Additional settings then appear; among them is Single Logout.
Tick Enable Single Logout.
Then add the Single Logout URL. This is a URL that points to the SAFEQ Cloud Web UI; its host name should be the same host name you used for the Single Sign-On URL above.
For the Signature Certificate you can use the SAFEQ Cloud Web UI public certificate. Once you have accessed the SAFEQ Cloud Web UI with your browser, the certificate is stored either in your browser (at least in the case of Firefox) or in the key chain application of your operating system.
In either case, export the certificate to a file and upload it here; Okta uses this certificate to verify the signed logout requests it receives from SAFEQ Cloud.
With this configuration you are automatically logged out of Okta when you click the logout button in SAFEQ Cloud Web UI.
The following steps can be done to export the SAFEQ Cloud Web UI certificate from Firefox:
1. open Firefox preferences
2. go to “Privacy & Security”
3. scroll down and click “View Certificates” under Security -> Certificates
4. find and select the certificate for the entry with the right host name and port 8443, which is the SAFEQ Cloud Web UI (unless your setup uses a different UI port)
5. export the selected certificate