SSO - OKTA

Overview

To configure Okta as Identity Provider (IdP) and Xygeni as Service Provider (SP), you exchange SAML configuration data with Xygeni: you send Xygeni the Okta (IdP) values described below, and Xygeni sends back the Service Provider value needed to complete the integration.

You must provide the following information to Xygeni:

  • IDP Sign on URL: the URL of the Identity Provider (IdP, Okta in this case) against which the Xygeni user authenticates.

  • Entity ID or Issuer: a globally unique name for an Identity Provider or a Service Provider. It is a URI that identifies the issuer of a SAML request, response, or assertion.

  • URL Metadata (Metadata URL): the URL where the IdP publishes its SAML metadata (Entity ID, endpoints and signing certificate), the discovery information a Service Provider uses to interoperate with it securely.

  • Signing Certificate: the certificate with which Okta signs SAML responses and assertions. It allows the Service Provider (SP, Xygeni in this case) to verify the authenticity of each SAML response.

Once you have submitted the above information to Xygeni, you will receive back the information needed to complete the integration:

  • SP Single Sign on URL: SP's URL that processes the SAML response, verifies and validates it.

How to obtain the information to be sent to Xygeni

Create an Okta App

Login to Okta, go to Applications and click on Create App Integration

A new window will open to specify the Sign-in method. Choose the SAML 2.0 option and click Next.

Okta will redirect you to the workflow to create your SAML integration.

Under General Settings, specify the App name (any name you prefer to identify the app integration; in our example we use "xy1").

After you click Next, the Configure SAML tab appears.

This section has several frames. The first is A - SAML Settings.

  • Single sign-on URL: the location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL of your application.

Xygeni will provide this value. It follows the pattern https://api.xygeni.io/sso/details/[xygeni_customer_id]-[okta_app_name]

In our case, if the customer id were 20, the value would be https://api.xygeni.io/sso/details/20-xy1

Although Xygeni will supply the exact value for this field, at this point you can enter a placeholder such as the one above; you will correct it in the final steps.

  • Audience URI (SP Entity ID) : The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.

Xygeni will provide this value. It follows the pattern [xygeni_customer_id]-[okta_app_name]

In our case, with customer id = 20, the value would be 20-xy1. Although Xygeni will supply the exact value for this field, at this point you can enter a placeholder such as the one above. Note that a SAML Service Provider rejects assertions whose Audience does not match its Entity ID, so the final value must match exactly.

Scroll down and click on Next. Then, a new window will appear asking whether you are a customer or partner. Select “I’m an Okta customer adding an internal app” option and click Finish.

Gathering of info to send to Xygeni

Select the app you just created and click on the Sign On tab.

Click on More details to see the values you need to provide to Xygeni: the Sign on URL, the Issuer and the Metadata URL.

Copy these values, download the Signing Certificate and send everything to Xygeni.
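As an added check (example code written for this page, not Xygeni's or Okta's tooling): the Metadata URL shown under More details returns an XML document that carries the same Issuer, Sign on URL and signing certificate you are about to copy by hand. The script below parses such a document and verifies that the certificate you downloaded is the one the metadata advertises, so the values you send to Xygeni are consistent with each other. The metadata document, the entityID, the Okta domain and the certificate blobs are constructed placeholders, not real Okta data; fetch the real document from your own Metadata URL.

```python
"""Cross-check the Okta IdP values before sending them to Xygeni.

Added example, not Xygeni's or Okta's code. SAMPLE_METADATA and the certificate
blobs are constructed stand-ins with the element structure Okta publishes at
its Metadata URL; a real document carries a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: base64 of fixed bytes, not real certificates.
CURRENT_CERT_B64 = base64.b64encode(b"constructed-okta-signing-certificate-current").decode()
OLD_CERT_B64 = base64.b64encode(b"constructed-okta-signing-certificate-rotated").decode()


def as_pem(cert_b64: str) -> str:
    """Wrap a base64 blob in the PEM armor a downloaded okta.cert file has."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed IdP metadata; entityID, Okta domain and app path are hypothetical.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE0000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{CURRENT_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/xy1/exkEXAMPLE0000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/xy1/exkEXAMPLE0000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the Issuer, the IDP Sign on URL and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Okta lists the same Location for the POST and Redirect bindings; prefer POST.
    locations = {
        svc.get("Binding").rsplit(":", 1)[-1]: svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    # A KeyDescriptor without a 'use' attribute is valid for signing as well.
    certs = [
        "".join(cert.text.split())
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for cert in kd.findall(".//ds:X509Certificate", NS)
    ]
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {
        "issuer": root.get("entityID"),
        "sign_on_url": locations.get("HTTP-POST") or locations.get("HTTP-Redirect"),
        "signing_certs": certs,
    }


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, in the colon-separated form OpenSSL prints."""
    der = base64.b64decode("".join(cert_b64.split()), validate=True)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def pem_body(pem: str) -> str:
    """Strip PEM armor and line breaks so a downloaded file compares with the metadata blob."""
    return "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )


def downloaded_cert_matches(metadata: dict, downloaded_pem: str) -> bool:
    """True when the downloaded certificate is one of the signing certs in the metadata."""
    wanted = cert_fingerprint(pem_body(downloaded_pem))
    return any(cert_fingerprint(c) == wanted for c in metadata["signing_certs"])


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IDP Sign on URL     :", info["sign_on_url"])
    print("Entity ID / Issuer  :", info["issuer"])
    print("Signing cert SHA-256:", cert_fingerprint(info["signing_certs"][0]))
    # Sending a previous (rotated) certificate would make the SP reject every response.
    print("current download matches:", downloaded_cert_matches(info, as_pem(CURRENT_CERT_B64)))
    print("old download matches    :", downloaded_cert_matches(info, as_pem(OLD_CERT_B64)))
```

To run it against your tenant, replace SAMPLE_METADATA with the body fetched from your Metadata URL and pass the contents of the downloaded certificate file instead of as_pem(...). A mismatch usually means an older or rotated certificate was downloaded; Xygeni would then be unable to verify the signature on any SAML response, and every SSO login would fail.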

Assign people/groups to Okta application

Do not forget to assign people to the integration app you just created. Select the Assignments tab and add people or groups as needed.

IMPORTANT: The Okta username must correspond to an existing Xygeni user. SSO only authenticates the user; it does not create the Xygeni account.

Sending info to Xygeni and final steps

Once you have sent the above information to Xygeni, Xygeni will send back to you:

SP Single Sign on URL: SP's URL that processes the SAML response, verifies and validates it.

Review your Okta application and check that the value you receive matches the placeholder you entered as Single sign-on URL.

If they do not match, update the Okta app with the value provided by Xygeni.

Testing the Okta - Xygeni integration

Now, you are able to test the application integration.

Login from Xygeni

To do so, go to the Xygeni login page ( https://in.xygeni.io/auth/login ). After entering your login name you will be taken to a page where you can either enter your password or click the Okta button.
