Adding an Okta SSO

Important: To add an Okta SSO, you must have administrative privileges in your organization’s Okta SSO and one of the following Flexera One roles: Manage organization or Administer organization. For complete descriptions of each role available in Flexera One, see Flexera One Roles.

Perform the following tasks in sequential order to create a single sign-on using Okta:

Step 1: Creating a SAML 2.0 Application in Okta
Step 2: Setting Up Okta SSO With SAML 2.0 Using Temporary Values
Step 3: Downloading Okta’s SAML Signing Certificate
Step 4: Setting Up an Identity Provider in Flexera One
Step 5: Setting Up Okta SSO With SAML 2.0 Using Actual Values
Step 6: Testing the Okta SSO

Note: For further information on Okta SSO, see:

Integrate your app with Okta 
How to Configure SAML 2.0 for Okta Org2Org Application 
Okta Identity Provider Routing Rules 

Step 1: Creating a SAML 2.0 Application in Okta

To create a SAML 2.0 application in Okta, perform the following steps.

To create a SAML 2.0 application:

1. Sign in to Okta’s Admin Console using your Okta account’s administrator credentials.
2. Click Applications and then click Add Application.
3. Click Create New App.
4. In the Create a New Application Integration window, perform the following steps:
a. For Platform, select Web.
b. For Sign on method, select SAML 2.0.
c. Click Create.
5. On the Create SAML Integration screen’s General Settings section, complete and save the following fields:
App name 

Note: The app name can only consist of UTF-8, 3-byte characters.

App logo (optional) 
App visibility 
6. Click Next.
7. Continue with the steps in Step 2: Setting Up Okta SSO With SAML 2.0 Using Temporary Values.

Step 2: Setting Up Okta SSO With SAML 2.0 Using Temporary Values

To set up Okta single sign-on with SAML 2.0 using temporary values, perform the following steps.

To set up Okta SSO with SAML 2.0 using temporary values:

1. On the Create SAML Integration screen’s Configure SAML section, complete the following fields with temporary values in an https:// format. You will later populate these fields with actual values.
Single Sign-On (SSO) URL 
Audience URI (Service Provider Entity ID) 
2. Continue with the steps in Step 3: Downloading Okta’s SAML Signing Certificate.

Step 3: Downloading Okta’s SAML Signing Certificate

To download Okta’s SAML signing certificate, perform the following steps.

To download Okta’s SAML signing certificate:

1. On the right side of the Configure SAML section on the Create SAML Integration screen, go to Okta Certificate and click Download Okta Certificate.
2. Save Okta’s SAML signing certificate so that it can be later uploaded to Flexera One.
3. Click Next.
4. Complete the Create SAML Integration screen’s Feedback section.
5. Click Finish.
6. Continue with the steps in Step 4: Setting Up an Identity Provider in Flexera One.

Step 4: Setting Up an Identity Provider in Flexera One

Perform the following steps to set up an identity provider in Flexera One.

To set up an identity provider in Flexera One:

1. Sign in to Flexera One (for details, see Log In to Flexera One or Reset Your Password).
2. Go to Administration and click Identity Providers.
3. On the Identity Providers screen:
If adding a new identity provider, click New Identity Provider.
If editing an existing identity provider, select your identity provider’s listing on the left and click Edit.
4. In the new identity provider record, click the General tab and complete the following fields.

Note: To populate some of the following fields in Flexera One, you must copy information from Okta. In Okta’s Admin Console, go to the Applications tab, and select Sign On. In the Settings section, click View Setup Instructions for SAML 2.0.

Field

Description

Name*

Enter the display name of your identity provider.

Example: Okta 

IDP SSO URL*

In Okta, copy the Identity Provider Single Sign-On URL and paste it into this field.

This URL is the endpoint responsible for receiving SAML AuthnRequest messages. It is also the URL Flexera One’s sign in process uses to verify your users and log them in.

Example:

https://mycompanyname.mysamlprovider.com/app/myorg456_test123/exjo2H0GTZ357/sso/saml

Issuer URI*

In Okta, copy the Identity Provider Issuer and paste it into this field.

This URL is a globally unique identifier for the SAML entity in your identity provider’s SAML application setup.

Example:

https://mysamlprovider.com/exjo2H0GTZ357

Discovery Hint

Enter unique values to help users navigate more quickly to your organization’s federated identity provider sign-in page.

Note: If you include special characters in the Discovery Hint, be aware that the following characters (including spaces) are the only permissible special characters:
:( )_+-.@

Important: For Okta, if you do not enter a Discovery Hint, you cannot enable service provider-initiated single sign-on. You would need to go to your identity provider and click the Flexera One application to sign in.

Signature Certificate*

Drag and drop to upload, or browse for, your Okta Certificate (X.509 certificate), which is used to verify SAML message and assertion signatures.

Logout Redirect URL

When you sign in to Flexera One through your organization's identity provider, you will be directed to a logout redirect URL when your session ends. A Flexera One session may end when you log out or when your session expires due to inactivity. If no logout redirect URL is set, you will be directed to the Flexera One sign in page when your session ends. One suggested use for this feature is to set the logout redirect URL to the homepage of your organization's identity provider. An https:// URL is strongly recommended. However, an http:// URL is also valid.

Note: When the logout redirect URL is changed, it only affects sessions created after the update. Any session already active during the update will not be affected by it. To observe the changed behavior, log out of Flexera One, then sign in to Flexera One again through the identity provider. When that session ends, the new logout redirect value will be active.

Note: All fields marked with an asterisk (*) are required.

5. If you click the Show Advanced Settings link, the following additional fields are displayed. The default options are noted below for your reference. Changes to these settings are rarely required. You only need to reveal these settings if changes are needed.

Field

Description

Request Binding

Select the SAML Authentication Request Protocol binding used by your identity provider to send SAML AuthnRequest messages to the IDP.Enum.

HTTP-POST (This is the default option.)
HTTP-REDIRECT 

Request Signature Algorithm

Select the signature algorithm used to sign SAML AuthnRequest messages sent to the IDP.Enum.

SHA-256 (This is the default option.)
SHA-1 

Response Signature Algorithm

Select the minimum signature algorithm when validating SAML assertions issued by the IDP.Enum.

SHA-256 (This is the default option.)
SHA-1 

Response Signature Verification

Select the protocol to use when authenticating users from this IDP.Enum.

Response or Assertion (This is the default option.)
Response 
Assertion 

Sign Authorization Request

(optional)

Select this option if you wish to have Flexera One enable signing AuthnRequest (authentication) messages to your identity provider. Signing these AuthnRequest messages increases the security of your transactions between your identity provider and Flexera One.

Make sure your identity provider supports verifying AuthnRequests before enabling this feature.
If you enable this feature, you must go to Creating a New Signing Key and create the Flexera One signing key to submit to your identity provider for verifying authorization requests.
6. Click Save.
7. Continue with the steps in Step 5: Setting Up Okta SSO With SAML 2.0 Using Actual Values.

Step 5: Setting Up Okta SSO With SAML 2.0 Using Actual Values

To populate the following fields in Okta, you must copy information from Flexera One.

To set up Okta single sign-on with SAML 2.0 using actual values:

1. In Okta’s Admin Console, go to the Applications tab, and select General.
2. In the SAML Settings section, click Edit.
3. On the Edit SAML Integration screen, click Configure SAML.
4. In the Single Sign-On URL field, copy and paste Flexera One’s Assertion Consumer Service (ACS) URL. The information to be copied is generated in step 4 of Step 4: Setting Up an Identity Provider in Flexera One.

For example: https://secure.flexera.com/sso/saml2/<someChars> 

5. In the Audience URI (SP Entity ID) field, copy and paste Flexera One’s Service Provider Entity ID. The information to be copied is generated in step 4 of Step 4: Setting Up an Identity Provider in Flexera One.
6. Save all your settings.
7. Continue with the steps in Step 6: Testing the Okta SSO.

Step 6: Testing the Okta SSO

Perform the following tasks to test the Okta single sign-on:

Adding and Verifying a Domain
Assigning a User or Group to Test the Okta SSO

Adding and Verifying a Domain

To add and verify a domain, perform the following steps.

To add and verify a domain:

1. Complete all the steps for Adding a Domain and Verifying a Domain With a TXT Record.
2. Continue with the steps in Assigning a User or Group to Test the Okta SSO.

Assigning a User or Group to Test the Okta SSO

To test a user or group’s access to the Okta single sign-on, you must assign a user or group email in Okta.

To assign a user or group to test the Okta SSO:

1. In Okta’s Admin Console, go to the Applications tab and select Assignments.
2. Click Assign.
3. Click Assign to People or Assign to Groups.
4. Select the appropriate user or group and click Assign.
5. Click Done.
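
After a test sign-in with the assigned user, the SAML response Okta sends should carry the Issuer URI entered in Step 4 and the ACS URL and SP Entity ID entered in Step 5. The following check is an added example, not part of the Flexera One or Okta documentation: it compares an already decoded response with those three values and reports SHA-1 or missing signatures, but it does not validate the XML signature itself. The function name, the sample response and the sp.example.test URLs are constructed for illustration; the issuer is the example value shown in Step 4.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed sample of a decoded response; digest and signature values are left out.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://sp.example.test/acs">
  <saml:Issuer>https://mysamlprovider.com/exjo2H0GTZ357</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://mysamlprovider.com/exjo2H0GTZ357</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod
      Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/entity</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, issuer_uri, acs_url, sp_entity_id):
    """Compare a decoded SAML response with the configured values; return the mismatches."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    problems = []
    found = [e.text.strip() for e in (root.find("saml:Issuer", NS),
             assertion.find("saml:Issuer", NS)) if e is not None and e.text]
    if not found or any(i != issuer_uri for i in found):
        problems.append(f"Issuer {found} does not match Issuer URI {issuer_uri}")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')} is not the ACS URL")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks SP Entity ID {sp_entity_id}")
    # A signature counts only as a direct child of the element it protects.
    if all(el.find("ds:Signature", NS) is None for el in (root, assertion)):
        problems.append("neither the Response nor the Assertion carries a signature")
    for method in root.iter(f"{{{NS['ds']}}}SignatureMethod"):
        if method.get("Algorithm") == RSA_SHA1:
            problems.append("signature uses SHA-1; the default minimum is SHA-256")
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE, "https://mysamlprovider.com/exjo2H0GTZ357",
                         "https://sp.example.test/acs", "https://sp.example.test/entity"))
```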