Integrate Okta
Learn how to use Okta as the identity provider (IdP) and EAA as the service provider (SP) to access an EAA application. This allows any application in EAA to use Okta as the single sign-on mechanism.
PREREQUISITE
Set up an Okta Developer account.
You can use Okta as the identity provider and EAA as the service provider for accessing an application in EAA by following these steps:
STEP 1: Authenticate EAA with Okta.
STEP 2: Add Okta as an identity provider in EAA.
STEP 3: Assign the Okta identity provider to an application and map attributes.
STEP 1: Authenticate EAA with Okta
Learn how to redirect users to the Okta login portal to complete authentication.
- Create an Okta developer account. Okta offers free developer accounts granting full functionality but limited to 3 applications and 100 users - perfect for lab and testing purposes. Sign up at https://www.okta.com/platform-signup/.
- Import Active Directory (AD) users and groups into Okta.
- Create a new application in Okta.
- In Okta, navigate to the Applications tab and click Applications.
- Click
- Select SAML 2.0 as the sign on method.
- Enter an application name, add an optional logo, and check both boxes under the App visibility section.
- Follow the installation instructions provided to complete the Okta application creation process.
- Once the Okta application has been created, click the Identity Provider metadata link to download the metadata.xml file.
- Add a new identity provider (IdP) in EAA.
- Allow front-end authentication to be completed by Okta.
STEP 2: Add Okta as an identity provider in EAA
Learn how to add Okta as an identity provider in EAA. Depending on the custom application configuration, the Okta-to-Enterprise Application Access SAML integration currently supports these features:
- IdP-initiated SSO
- SP-initiated SSO
- Just In Time (JIT) provisioning
Note: This setup might fail without parameter values that are customized for your organization. Please use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization.
- Add a new identity provider and return to this procedure to configure the general settings.
- Complete the general settings.
- Identity intercept. Select either Use your domain or Use Akamai domain. If you select Use your domain EAA provides a CNAME redirect for the application. Use this to configure the CNAME in your external DNS.
- Certificate preference. If you select Use your domain, select Use uploaded certificate.
- Akamai cloud zone. Select an EAA cloud zone that is closest to the user base.
- Certificate authentication (optional). To enable client certificate authentication select the checkbox and configure the required parameters.
- Complete the authentication configuration settings.
- URL (optional). Enter your Okta subdomain.
- Logout URL. Sign in to the Okta Admin Dashboard to generate this variable then copy and paste it here.
- Sign SAML request (optional). If Okta requires a signed SAML request in an SP-initiated SAML flow, select this checkbox to send the signed SAML request to Okta.
- Encrypted SAML response. If Okta sends encrypted SAML responses to EAA when EAA is the SP, select this checkbox to use certificates to encrypt responses.
- Upload IdP metadata file. Download the metadata.xml file for the EAA SAML SP endpoint from the Okta Admin Dashboard then click Choose file.
- Leave the session settings for Session idle expiry, Limit session life, and Max session duration at their default values.
- Click Save and exit.
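As an added example, not taken from the Akamai or Okta documentation, the following Python script reads an Okta-style IdP metadata.xml (a constructed sample with placeholder values is embedded inline) and extracts the entity ID, the SSO URL, the number of signing certificates and the WantAuthnRequestsSigned flag that decides whether Sign SAML request must be enabled. It rejects SP metadata and files without a signing certificate, so a wrong download is caught before it is uploaded to EAA.

```python
# Added example, not part of the EAA or Okta documentation: parse an Okta-style
# IdP metadata.xml and report the values the EAA identity-provider form asks for.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape Okta exports. Entity ID, URLs and the
# certificate body are placeholders, not values from any real tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_ENTITY_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/EXAMPLE_ENTITY_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the values the EAA IdP form needs; raise ValueError when a
    required element is missing (SP metadata, truncated download)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no signing certificate: EAA could not verify Okta's assertions")
    sso = idp.find("md:SingleSignOnService[@Binding='%s']" % POST_BINDING, NS)
    if sso is None:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),  # the Okta login URL users are redirected to
        # True means Okta expects signed AuthnRequests: enable "Sign SAML request" in EAA.
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "signing_cert_count": len(certs),
    }
```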
STEP 3: Assign the Okta identity provider to an application and map attributes
Learn how to configure SSO for an access application using custom headers and attribute mapping. For access applications, EAA can provide single sign-on (SSO) using custom headers. EAA uses the attributes it receives in the SAML assertion from Okta and injects X-forwarded-for headers with custom attributes.
- Assign identity providers to an application and select Okta as the IdP.
- Click Save.
- Return to the application and select .
- Configure the attribute mapping.
- Header name. Enter a header name.
- Attribute. Select custom.
- Enter the SAML attribute names. See the list of Okta supported attributes.
- Click Save.
Next steps
Note: To configure an IdP-initiated SSO, see Stimulating an IdP-initiated flow with the Bookmark app and use the EAA application URL in the Okta Bookmark app URL field.