SSO - OKTA
Last updated
To configure Okta as Identity Provider (IdP) and Xygeni as Service Provider (SP), you should first contact Xygeni to request the data needed to properly configure the SAML integration between Okta and Xygeni.
You must provide the following information to Xygeni:
IdP Sign on URL: URL of the Identity Provider (or IdP, Okta in this case) against which the Xygeni user is going to authenticate.
Entity ID or Issuer: Globally unique name for an Identity Provider or a Service Provider. It is a URI used to identify the issuer of a SAML request, response, or assertion.
URL Metadata: URL of the metadata (discovery information) that the IdP exposes so that both parties can interoperate securely.
Signing Certificate: Allows the Service Provider (or SP, Xygeni in this case) to verify the authenticity of the SAML response.
Once you have submitted the above information to Xygeni, you will receive back the information needed to properly configure the integration. This information will contain:
SP Single Sign on URL: SP's URL that processes the SAML response, verifies and validates it.
Log in to Okta, go to Applications and click on Create App Integration.
A new window will open to specify the Sign-in method. Choose the SAML 2.0 option and click Next.
Okta will redirect you to the workflow to create your SAML integration.
Under General Settings, you must first specify the App name (choose whatever name you prefer to identify your app integration; in our example we will use "xy1").
Upon clicking Next, the Configure SAML tab will appear.
There are several frames in this section. The first is A - SAML Settings.
Single sign-on URL: Location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.
This value will be provided by Xygeni and it will follow this pattern https://api.xygeni.io/sso/details/[xygeni_customer_id]-[okta_app_name]
In our case, let's say that customer id = 20, then the value would be https://api.xygeni.io/sso/details/20-xy1
Although the exact value for this field will be supplied by Xygeni, at this moment you can enter a dummy value such as above.
Audience URI (SP Entity ID) : The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.
This value will be provided by Xygeni and it will follow this pattern [xygeni_customer_id]-[okta_app_name]
In our case, let's say that customer id = 20, so the value would be 20-xy1
Although the exact value for this field will be supplied by Xygeni, at this moment you can enter a dummy value such as above.
Scroll down and click on Next. Then, a new window will appear asking whether you are a customer or partner. Select “I’m an Okta customer adding an internal app” option and click Finish.
Select the app just created and click on the Sign On tab.
Click on More details and you will find some useful information to be provided to Xygeni.
Copy the above information, download the Signing Certificate and send it to Xygeni.
Do not forget to assign people to the integration app you just created. To do so, select the Assignments tab and include people/groups as needed.
IMPORTANT: The Okta username must already be an existing Xygeni user!
Once you have sent the above information to Xygeni, Xygeni will send back to you:
SP Single Sign on URL: SP's URL that processes the SAML response, verifies and validates it.
Review your Okta application to check that the received value matches the value provided as Single sign-on URL.
If they don't match, update the Okta app value to the value provided by Xygeni.
Now, you are able to test the application integration.
To do so, go to the Xygeni login page ( https://in.xygeni.io/auth/login ); after entering your login name you will be presented with a page where you can either enter your password or click on the Okta button.