Integrate Okta

Learn how to use Okta as the identity provider (IdP) and EAA as the service provider (SP) to access an EAA application. This allows any application in EAA to use Okta as the single sign-on mechanism.

PREREQUISITE

Set up an Okta Developer account.

You can use Okta as the identity provider and EAA as the service provider for accessing an application in EAA by following these steps:

STEP 1: Authenticate EAA with Okta.

STEP 2: Add Okta as an identity provider in EAA.

STEP 3: Assign Okta identity provider to an application and map attributes.

STEP 1: Authenticate EAA with Okta

Learn how to redirect users to the Okta login portal to complete authentication.

  1. Create an Okta developer account. Okta offers free developer accounts granting full functionality but limited to 3 applications and 100 users - perfect for lab and testing purposes. Sign up at https://www.okta.com/platform-signup/.
  2. Import Active Directory (AD) users and groups into Okta.
    1. Log in to the Okta development portal.
    2. Click Admin to access the main Administration UI.
    3. Import users and groups from the Active Directory (AD). Select Directories > Directory Integrations > Add Active Directory.
    4. Follow the on-screen instructions to install and approve the Okta AD Agent onto a host in your AD domain.
    5. Select the users and groups to sync from the AD to Okta. Optionally, select the username format to use during Okta login.
    6. Select the AD user attributes to import to Okta.
    7. Import users. Click Import > Import Now > Full import.
    8. When you import AD users for the first time you need to create associated Okta accounts. Select all imported users and confirm the assignments.
    9. Activate the new user accounts. Select Directory > People.
    10. Filter the list. Select Pending Activation.
    11. Activate all of the new accounts.
      Your People list shows the AD users in an active state.
  3. Create a new application in Okta.
    1. In Okta navigate to the Applications tab and click Applications.
    2. Click Add application > Create new app.
    3. Select SAML 2.0 as the sign on method.
    4. Enter an application name, add an optional logo, and check both boxes under the App visibility section.
    5. Follow the installation instructions provided to complete the Okta application creation process.
    6. Once the Okta application has been created, click the Identity Provider metadata link to download the metadata.xml file.
  4. Add a new identity provider (IdP) in EAA.
    1. Return to the EAA Management Portal.
    2. Add a new identity provider and select Okta as the identity provider type.
    3. Upload the metadata.xml file. Optionally, set a Logout URL. See STEP 2: Add Okta as an identity provider in EAA.
    4. Return to the Okta development portal and assign the users or groups that you imported to the application. Click either People or Groups.
      You have an application with your AD users assigned to it.
  5. Allow front-end authentication to be completed by Okta.
    1. In the EAA Management Portal, assign the Okta directory to an EAA application. See Assign a directory to an application. Click Change service and select the Okta directory.
    2. Deploy the application.
      Users will now be redirected to the Okta login portal to complete authentication.

STEP 2: Add Okta as an identity provider in EAA

Learn how to add Okta as an identity provider in EAA. Depending on the custom application configuration, the Okta-to-Enterprise Application Access SAML integration currently supports these features,
Note: This setup might fail without parameter values that are customized for your organization. Please use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization.

  1. Add a new identity provider and return to this procedure to configure the general settings.
  2. Complete the general settings.
    1. Identity intercept. Select either Use your domain or Use Akamai domain. If you select Use your domain EAA provides a CNAME redirect for the application. Use this to configure the CNAME in your external DNS.
    2. Certificate preference. If you selected Use your domain, select Use uploaded certificate.
    3. Akamai cloud zone. Select an EAA cloud zone that is closest to the user base.
    4. Certificate authentication (optional). To enable client certificate authentication select the checkbox and configure the required parameters.
  3. Complete the authentication configuration settings.
    1. URL (optional). Enter your Okta subdomain.
    2. Logout URL. Sign in to the Okta Admin Dashboard to generate this variable then copy and paste it here.
    3. Sign SAML request (optional). If Okta requires a signed SAML request in an SP-initiated SAML flow, select this checkbox to send the signed SAML assertion to Okta.
    4. Encrypted SAML response. If Okta sends encrypted SAML responses to EAA when EAA is the SP, select this checkbox to use certificates to encrypt responses.
    5. Upload IdP metadata file. Download the metadata.xml file for the EAA SAML SP endpoint from the Okta Admin Dashboard then click Choose file.
  4. Leave the session settings for Session idle expiry, Limit session life, and Max session duration at their default values.
  5. Click Save and exit.

STEP 3: Assign the Okta identity provider to an application and map attributes

Learn how to configure SSO for an access application using custom headers and attribute mapping. For access applications, EAA can provide single sign-on (SSO) using custom headers. EAA uses the various attributes it receives as part of the SAML assertion from Okta and injects X-forwarded-for headers with custom attributes.

  1. Assign identity providers to an application and select Okta as the IdP.
  2. Click Save.
  3. Return to the application and select Advanced settings > Custom HTTP headers.
  4. Configure the attribute mapping.
    1. Header name. Enter a header name.
    2. Attribute. Select custom.
    3. Enter the SAML attribute names. See the list of Okta supported attributes.
  5. Click Save.
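The mapping configured above takes each SAML attribute in the Okta assertion and emits it as a named HTTP header toward the application. The script below models that step in plain Python as an added example for this page; it is not EAA code, and the assertion fragment, attribute names (firstName, lastName, email, groups) and header names are constructed for illustration. It shows the two details an application owner most needs to understand: a multi-valued attribute such as groups arrives as one joined header value, and any header the client sent under a mapped name is discarded before injection, so the application only ever sees values that originated in the assertion.

```python
"""Map SAML assertion attributes from Okta to custom HTTP headers.

Added example for this page, modelling the attribute-to-header mapping in plain
Python; it is not EAA code. The assertion, attribute names and header names are
constructed. Signature and Conditions are omitted from the fragment; in practice
the assertion signature is verified before any attribute is trusted.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment with the attributes this example maps.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ENTITY_ID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Header name -> SAML attribute name, as entered under Custom HTTP headers (constructed).
HEADER_MAP = {
    "X-User-Email": "email",
    "X-User-First-Name": "firstName",
    "X-User-Groups": "groups",
    "X-Department": "department",  # not present in the assertion: the header is omitted
}


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def build_custom_headers(attrs: dict, header_map: dict, incoming: dict) -> dict:
    """Inject mapped attributes as headers, replacing any client-supplied copies.

    Every incoming header whose name matches a mapped header (case-insensitively)
    is dropped first, so the application cannot be fed a spoofed identity header.
    """
    mapped = {name.lower() for name in header_map}
    headers = {k: v for k, v in incoming.items() if k.lower() not in mapped}
    for header, attr_name in header_map.items():
        values = attrs.get(attr_name)
        if not values:
            continue  # missing attribute: omit the header rather than send an empty one
        for v in values:
            if "\r" in v or "\n" in v:
                raise ValueError(f"CR/LF in attribute {attr_name!r}: refusing to build a header")
        headers[header] = ",".join(values)  # multi-valued attributes (groups) become one joined value
    return headers


if __name__ == "__main__":
    client_request = {"Host": "app.example.com", "x-user-groups": "Admins"}  # constructed
    for name, value in build_custom_headers(extract_attributes(SAMPLE_ASSERTION),
                                            HEADER_MAP, client_request).items():
        print(f"{name}: {value}")
```

The application behind EAA should treat the mapped headers as authoritative only because the proxy strips the client's copies; if the application is also reachable by a path that bypasses EAA, the same header names arrive unfiltered and must not be trusted there.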

Next steps

Deploy the application for the changes to go into effect.
Note: To configure an IdP-initiated SSO, see Simulating an IdP-initiated flow with the Bookmark app and use the EAA application URL in the Okta Bookmark app URL field.