Learn how to use Okta as the identity provider (IdP) and EAA as the service provider (SP) to access an EAA application. This allows any application in EAA to use Okta as the single sign-on mechanism.
You can use Okta as the identity provider and EAA as the service provider for accessing an application in EAA by following these steps:
STEP 1: Authenticate EAA with Okta.
STEP 2: Add Okta as an identity provider in EAA.
STEP 3: Assign Okta identity provider to an application and map attributes.
STEP 1: Authenticate EAA with Okta
- Create an Okta developer account. Okta offers free developer accounts with full functionality, limited to 3 applications and 100 users, which is sufficient for lab and testing purposes. Sign up at https://www.okta.com/platform-signup/.
Import Active Directory (AD) users and groups into Okta.
- Log in to the Okta development portal.
- Click Admin to access the main Administration UI.
- Import users and groups from the Active Directory (AD). Select .
- Follow the on-screen instructions to install and approve the Okta AD Agent onto a host in your AD domain.
- Select the users and groups to sync from the AD to Okta. Optionally, select the username format to use during Okta login.
- Select the AD user attributes to import to Okta.
- Import users. Click .
- When you import AD users for the first time you need to create associated Okta accounts. Select all imported users and confirm the assignments.
- Activate the new user accounts. Select .
- Filter the list. Select Pending Activation.
Activate all of the new
Your People list shows the AD users in an active state.
Create a new application in
- In Okta, navigate to the Applications tab and add a new application.
- Select SAML 2.0 as the sign on method.
- Enter an application name, add an optional logo, and check both boxes under the App visibility section.
- Follow the on-screen instructions to complete the Okta application creation process.
- Once the Okta application has been created, click the Identity Provider metadata link to download the metadata.xml file. This file describes Okta as the IdP (entity ID, SSO endpoints, signing certificate) and is what EAA consumes in STEP 2.
Add a new identity provider (IdP) in EAA.
- Return to the EAA Management Portal.
- Add a new identity provider and select Okta as the identity provider type.
- Upload the metadata.xml file. Optionally, set a Logout URL. See STEP 2: Add Okta as an identity provider in EAA.
Return to the Okta development portal and assign the users or groups that you imported to the application. Click either People or
You have an application with your AD users assigned to it.
- Allow front-end authentication to be completed by Okta.
STEP 2: Add Okta as an identity provider in EAA
- Add a new identity provider and return to this procedure to configure the general settings.
Complete the general
- Identity intercept. Select either Use your domain or Use Akamai domain. If you select Use your domain, EAA provides a CNAME target for the identity intercept hostname. Create that CNAME in your external DNS so the hostname resolves to EAA.
- Certificate preference. If you select Use your domain, select Use uploaded certificate and upload a certificate that is valid for the identity intercept hostname.
- Akamai cloud zone. Select an EAA cloud zone that is closest to the user base.
- Certificate authentication (optional). To enable client certificate authentication select the checkbox and configure the required parameters.
Complete the authentication
- URL (optional). Enter your Okta subdomain.
- Logout URL. Sign in to the Okta Admin Dashboard to generate this variable then copy and paste it here.
- Sign SAML request (optional). If Okta is configured to require signed requests in the SP-initiated SAML flow, select this checkbox so that EAA signs the SAML authentication requests it sends to Okta. (Assertions are signed by Okta as the IdP; this setting only covers the request EAA sends.)
- Encrypted SAML response. If Okta is configured to encrypt the SAML responses it sends to EAA as the SP, select this checkbox so that EAA decrypts them with the certificate published in its SP metadata. Okta must be given that certificate; without it the responses cannot be decrypted and logins fail.
- Upload IdP metadata file. Download the Identity Provider metadata file (metadata.xml) for the Okta application you created in STEP 1 from the Okta Admin Dashboard, then click Choose file. Upload Okta's IdP metadata here, not EAA's own SP metadata.
- Leave the session settings for Session idle expiry, Limit session life, and Max session duration at their default values.
- Click Save and exit.
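Before uploading, it is worth confirming that the file really is Okta IdP metadata and contains what EAA will rely on (a signing certificate and an HTTPS single sign-on endpoint). The script below is an added example, not Akamai or Okta code; it uses only the Python standard library, and the embedded metadata document, entity ID, URLs and certificate body are placeholders constructed for the example.

```python
"""Pre-flight check of an Okta IdP metadata.xml before uploading it to EAA.

Added example (not Akamai or Okta code). It parses the SAML 2.0 metadata
that Okta's "Identity Provider metadata" link returns, extracts the values
EAA depends on, and rejects metadata that is missing a signing certificate
or an HTTP-Redirect/HTTP-POST SSO endpoint, or that is SP metadata by
mistake. The sample document below is constructed for the example: the
entity ID, URLs and certificate are placeholders, not real Okta values.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def _looks_like_der_cert(b64: str) -> bool:
    """Cheap sanity check: an X.509 certificate is a DER SEQUENCE (first byte 0x30)."""
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30


def check_idp_metadata(xml_text: str) -> dict:
    """Return the fields EAA needs from IdP metadata; raise ValueError on unusable input."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata by mistake?)")

    # A KeyDescriptor without 'use' is valid for both signing and encryption.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if kd.get("use", "signing") == "signing" and cert and _looks_like_der_cert(cert):
            signing_certs.append(cert.strip())
    if not signing_certs:
        raise ValueError("no usable signing certificate: EAA could not verify Okta's assertions")

    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    if REDIRECT not in sso and POST not in sso:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, url in list(sso.items()) + list(slo.items()):
        if not (url or "").startswith("https://"):
            raise ValueError(f"endpoint for {binding} is not https: {url!r}")

    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": sso.get(REDIRECT),
        "sso_post": sso.get(POST),
        "slo_redirect": slo.get(REDIRECT),
        "signing_cert_count": len(signing_certs),
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }


# Constructed placeholder "certificate": a DER SEQUENCE header plus padding, NOT a real cert.
FAKE_CERT = base64.b64encode(b"\x30\x82\x00\x10" + bytes(16)).decode()

# Constructed sample in the shape Okta produces; entity ID and URLs are placeholders.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk000000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example_eaa_1/exk000000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example_eaa_1/exk000000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in check_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

To check a real download, replace SAMPLE_METADATA with the contents of the metadata.xml you got from the Okta application. If the check reports an SPSSODescriptor instead of an IDPSSODescriptor, you downloaded the wrong file. Note that the certificate check only confirms DER framing; it does not validate the certificate's expiry, which you should still review in the Okta Admin Dashboard.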
STEP 3: Assign the Okta identity provider to an application and map attributes
- Assign identity providers to an application and select Okta as the IdP.
- Click Save.
- Return to the application and select .
Configure the attribute
- Header name. Enter a header name.
- Attribute. Select custom.
- Enter the SAML attribute names. See the list of Okta supported attributes.
- Click Save.
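The mapping configured above makes EAA copy values from Okta's SAML assertion into HTTP request headers for the application. Two things commonly go wrong: the SAML attribute name must match what Okta sends exactly (names are case-sensitive), and multi-valued attributes such as groups arrive as several AttributeValue elements. The script below is an added example, not Akamai or Okta code; it applies a mapping of the same shape to a constructed assertion so you can see the result before configuring it in EAA. The assertion content, attribute names and header names are placeholders, and the joining of multiple values with a comma is this example's choice, not a statement of how EAA formats them.

```python
"""Predict what STEP 3's attribute-to-header mapping yields for an assertion.

Added example (not Akamai or Okta code). extract_attributes() reads the
AttributeStatement of a SAML 2.0 assertion; map_attributes_to_headers()
applies a {header name: SAML attribute name} mapping like the one configured
in EAA. Attribute names are matched case-sensitively, multi-valued
attributes are joined (comma-separated here, an assumption of this example),
and values containing CR/LF are refused because they cannot be placed in a
header safely. The sample assertion is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HEADER_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 header-name token


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("not a saml:Assertion")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def map_attributes_to_headers(assertion_xml: str, mapping: dict, strict: bool = True,
                              separator: str = ",") -> dict:
    """Build {header: value} for the configured mapping.

    strict=True raises KeyError for a mapped attribute the assertion does not
    carry, with a hint when the only difference is letter case.
    """
    attrs = extract_attributes(assertion_xml)
    headers = {}
    for header, attr_name in mapping.items():
        if not HEADER_TOKEN.match(header):
            raise ValueError(f"{header!r} is not a valid HTTP header name")
        if attr_name not in attrs:
            if strict:
                near = [n for n in attrs if n.lower() == attr_name.lower()]
                hint = f" (assertion carries {near[0]!r}; names are case-sensitive)" if near else ""
                raise KeyError(f"attribute {attr_name!r} not in assertion{hint}")
            continue  # non-strict: header is simply absent
        value = separator.join(attrs[attr_name])
        if "\r" in value or "\n" in value:
            raise ValueError(f"attribute {attr_name!r} contains CR/LF; refusing to build a header")
        headers[header] = value
    return headers


# Constructed sample assertion; issuer, ID, subject and attribute values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-assertion-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk000000000000000000</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Placeholder mapping in the shape of STEP 3 (Header name -> custom SAML attribute name).
MAPPING = {"X-User-Email": "email", "X-User-Groups": "groups"}

if __name__ == "__main__":
    for header, value in map_attributes_to_headers(SAMPLE_ASSERTION, MAPPING).items():
        print(f"{header}: {value}")
    try:
        map_attributes_to_headers(SAMPLE_ASSERTION, {"X-User-First": "FirstName"})
    except KeyError as err:
        print("mapping error:", err)
```

Whatever mapping you settle on, the application behind EAA should treat these headers as authoritative only when the request provably arrived through EAA; a client that can reach the application directly can send the same header names itself.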