Introduction

When SSO is required for an application server that cannot be joined to the Active Directory domain, Okta offers SAML 2.0 authentication as an alternative: the EPC server trusts signed assertions issued by Okta instead of relying on domain membership.
Detailed information regarding Okta and SAML can be found at
https://www.okta.com/integrate/documentation/saml/

Requirements

Okta endpoint reachable by the clients (EPC users' browsers)
DNS alias for the EPC 11.4 Server host
TLS (SSL) certificate for the EPC 11.4 Server, so that the SAML exchange is carried over HTTPS
Okta signing certificate (downloaded during the Okta configuration below)

OKTA Configuration

Given that a DNS alias is defined for the EPC Server (e.g. epc.company.com, which is used in the following examples), the next step is to create an application in Okta.

Create Application
1. Open the Okta Admin Management console and switch to the Classic UI

2. Click the Applications link, then the Add Application button

3. Click the “Create New App” button

4. Select “Web” as the Platform, select the SAML 2.0 protocol and click Create

5. In the App name field enter a name for the configuration (example: EPC Server) and click Next


Configure the SAML Settings
General Settings:

  • Single sign on URL with path – the URL of the EPC Server, e.g. https://epc.company.com/login. Okta POSTs the signed SAML Response to this URL, so it must be an HTTPS endpoint on which EPC accepts SAML responses
  • Leave the check mark on “Use this for Recipient URL and Destination URL” enabled
  • Audience URI (SP Entity ID) – same as the Single sign on URL above
  • Default RelayState – leave blank
  • Name ID format – leave “Unspecified”
  • Application username – leave “Okta username”
  • Update application username on – leave “Create and update”

Expand Advanced Settings and set the following options:

  • Response – leave “Signed”
  • Assertion Signature – leave “Signed” (EPC verifies this signature with the Okta certificate downloaded below)
  • Signature Algorithm – leave “RSA-SHA256”
  • Digest Algorithm – leave “SHA256”
  • Assertion Encryption – leave “Unencrypted”. The EPC PASSPORT_SAML setting below has no decryption key, so an encrypted assertion could not be processed; the signed assertion is protected in transit by HTTPS
  • Enable Single Logout – leave selected
  • Single Logout URL – set to the logout URL, e.g. https://epc.company.com/login/local
  • SP Issuer – leave blank
  • Signature Certificate – optional; this is the EPC (SP) certificate Okta would use to verify signed authentication requests. Request it from Interfacing IT if needed
  • Authentication context class – leave “PasswordProtectedTransport”
  • Honor Force Authentication – leave “Yes”
  • SAML Issuer ID – leave default

Attribute Statements:
Add the following attribute mappings. The attribute names on the left are the ones referenced by the saml*Prop entries of the EPC PASSPORT_SAML setting, so they must match exactly:
  • samlUserIdProp – user.login
  • samlEmailProp – user.email
  • samlFirstNameProp – user.firstName
  • samlLastNameProp – user.lastName

Group Attribute Statements: Leave blank

Download Okta Certificate and continue
Click the button on the right side of the SAML configuration to download the Okta Certificate (it will be required during the EPC configuration), then click the Next button at the bottom.

Open the downloaded certificate in Notepad, remove the first line (-----BEGIN CERTIFICATE-----) and the last line (-----END CERTIFICATE-----), then remove all line breaks so that only the base64 certificate body remains on a single line. Save this string for later; it is the certString value required in the EPC configuration.

Select the type of Okta relationship you have and click Finish

Enable On-Premise provisioning in the application settings
Click on the General tab of the application you just created and click Edit

Enable the option “Enable on-premise provisioning” and click Save

From the application's General tab, App Embed Link section, copy the App Embed Link to a notepad; it is used as the entryPoint value in the EPC configuration

Assign people or groups to the Application
Switch to the Assignments tab of your application and assign all the people in your organization who will have the right to use the EPC application

EPC 11.4 Configuration

To configure the EPC Web portal to use SAML authentication, follow these steps:
1. Open the EPC Web portal
2. Switch to the System Admin page
3. Open the System Setting tab
4. Edit the property “PASSPORT_SAML”

Update the value according to the configuration below. The value must be valid JSON (straight double quotes); entryPoint, certString and logoutUrl are the Okta-specific values collected above:
{
  "entryPoint": "",
  "issuer": "https://epc.company.com",
  "callbackUrl": "https://epc.company.com/login/saml",
  "privateCert": "",
  "certString": "",
  "authnContext": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "acceptedClockSkewMs": -1,
  "identifierFormat": null,
  "signatureAlgorithm": "sha256",
  "logoutUrl": "",
  "additionalLogoutParams": {"wa": "wsignout1.0"},
  "logoutCallbackUrl": "https://epc.company.com/login",
  "nameIDFormat": "NXOqskznZinwixe",
  "samlUserIdProp": "samlUserIdProp",
  "justInTime": true,
  "samlFirstNameProp": "samlFirstNameProp",
  "samlLastNameProp": "samlLastNameProp",
  "samlEmailProp": "samlEmailProp"
}

Example of configuration:
{
  "entryPoint": "https://dev-XXXXXX.oktapreview.com/home/interfacingtechnologiesdevXXXXXX_epcserver_1/nIX1k2ubxK3xb0h7/8hNX12kl83KLBX2ikb3i5Q0h7",
  "issuer": "https://epc.interfacing.com",
  "callbackUrl": "https://epc.interfacing.com/login/saml",
  "privateCert": "",
  "certString": "MIIDpDCCAoygAwIBAgIGAWRMqFDmMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi02MzQ0NzQxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTgwNjI5MTc0NjM2WAQEAzFH/8XdPDUZvKlXcwMcO0Pu0/35UJx9Lad03g/Kv1ZFZh4FglRV1zuZfDpEC3zi2J5jDugvv/DsSYEJldum90PuqdzrP3tmL9q35TY8+Qc9JGHwChLaIcDHjJ7bF8aCvfpUYXqbQXkTSon",
  "authnContext": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "acceptedClockSkewMs": -1,
  "identifierFormat": null,
  "signatureAlgorithm": "sha256",
  "logoutUrl": "https://dev-XXXXXX.oktapreview.com/login/default",
  "additionalLogoutParams": {"wa": "wsignout1.0"},
  "logoutCallbackUrl": "https://epc.interfacing.com/login",
  "nameIDFormat": "NXOqskznZinwixe",
  "samlUserIdProp": "samlUserIdProp",
  "justInTime": true,
  "samlFirstNameProp": "samlFirstNameProp",
  "samlLastNameProp": "samlLastNameProp",
  "samlEmailProp": "samlEmailProp"
}

Note that "acceptedClockSkewMs": -1 tells the passport-saml library used by EPC to skip checking the assertion's NotBefore and NotOnOrAfter conditions entirely, so an expired or replayed assertion would still be accepted. If the EPC host's clock is synchronised with NTP, a small positive value (a few thousand milliseconds) gives the same tolerance for clock drift while keeping the validity window enforced.
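The two manual steps above that are easiest to get wrong are turning the downloaded Okta certificate into the one-line certString and pasting a PASSPORT_SAML value that is valid JSON with consistent URLs. The following Python script is an added example, not part of this page or of the EPC product: it converts a PEM file to the string EPC expects (checking that the result is clean base64 of a DER certificate) and runs a few sanity checks over the resulting PASSPORT_SAML value: HTTPS on every URL, callbackUrl on the same host as the issuer, no PEM header or line breaks left in certString, signatureAlgorithm matching the Okta setting, and a warning when acceptedClockSkewMs is -1. The certificate bytes and the entryPoint URL in it are constructed placeholders, not a real certificate or a real Okta tenant.

```python
import base64
import json
from urllib.parse import urlparse

# PASSPORT_SAML template from this page. EPC needs valid JSON, so straight quotes only.
TEMPLATE = """{
  "entryPoint": "",
  "issuer": "https://epc.company.com",
  "callbackUrl": "https://epc.company.com/login/saml",
  "privateCert": "",
  "certString": "",
  "authnContext": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "acceptedClockSkewMs": -1,
  "identifierFormat": null,
  "signatureAlgorithm": "sha256",
  "logoutUrl": "",
  "additionalLogoutParams": {"wa": "wsignout1.0"},
  "logoutCallbackUrl": "https://epc.company.com/login",
  "nameIDFormat": "NXOqskznZinwixe",
  "samlUserIdProp": "samlUserIdProp",
  "justInTime": true,
  "samlFirstNameProp": "samlFirstNameProp",
  "samlLastNameProp": "samlLastNameProp",
  "samlEmailProp": "samlEmailProp"
}"""

# Constructed stand-in for the downloaded okta.cert: a DER SEQUENCE header plus
# filler bytes, wrapped like a PEM file saved by Notepad (CRLF). Not a real certificate.
FAKE_DER = b"\x30\x10" + bytes(range(16))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(FAKE_DER).decode() + "\r\n"
    + "-----END CERTIFICATE-----\r\n"
)


def pem_to_cert_string(pem_text):
    """Strip the BEGIN/END lines and every line break from a PEM certificate and
    return the bare base64 body that EPC expects in certString."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    cert = "".join(body)
    # Decode once to catch a mangled paste: it must be strict base64 whose first
    # byte is the ASN.1 SEQUENCE tag (0x30) that every X.509 certificate starts with.
    der = base64.b64decode(cert, validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return cert


def build_passport_saml(entry_point, cert_string, logout_url=""):
    """Fill the template with the Okta-specific values and return it as a dict."""
    cfg = json.loads(TEMPLATE)
    cfg["entryPoint"] = entry_point
    cfg["certString"] = cert_string
    cfg["logoutUrl"] = logout_url
    return cfg


def check_passport_saml(cfg):
    """Return a list of findings about a PASSPORT_SAML value; empty means nothing looks wrong."""
    findings = []
    for key in ("entryPoint", "issuer", "callbackUrl", "certString"):
        if not cfg.get(key):
            findings.append(f"{key} is empty")
    for key in ("entryPoint", "callbackUrl", "logoutUrl", "logoutCallbackUrl"):
        if cfg.get(key) and urlparse(cfg[key]).scheme != "https":
            findings.append(f"{key} is not https")
    # The SP entity ID (issuer) and the URL Okta posts the assertion to should
    # name the same EPC host.
    if cfg.get("issuer") and cfg.get("callbackUrl") and \
            urlparse(cfg["issuer"]).netloc != urlparse(cfg["callbackUrl"]).netloc:
        findings.append("callbackUrl host differs from issuer host")
    cert = cfg.get("certString") or ""
    if "-----" in cert or any(c in cert for c in "\r\n "):
        findings.append("certString still contains PEM header/footer, spaces or line breaks")
    # passport-saml treats -1 as "do not check NotBefore/NotOnOrAfter at all".
    if cfg.get("acceptedClockSkewMs") == -1:
        findings.append("acceptedClockSkewMs=-1 disables NotBefore/NotOnOrAfter validation")
    if str(cfg.get("signatureAlgorithm", "")).lower() != "sha256":
        findings.append("signatureAlgorithm should be sha256 to match the Okta setting")
    return findings


if __name__ == "__main__":
    cert = pem_to_cert_string(SAMPLE_PEM)
    # Hypothetical entryPoint; replace with the App Embed Link copied from Okta.
    cfg = build_passport_saml("https://dev-000000.oktapreview.com/home/example_app/a/b", cert)
    for finding in check_passport_saml(cfg):
        print("WARNING:", finding)
    print(json.dumps(cfg, indent=2))
```

Run it with the real okta.cert read from disk in place of SAMPLE_PEM; the printed JSON is what goes into the PASSPORT_SAML property, and any WARNING line should be resolved before applying the change.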
Edit the property “PASSPORT_STRATEGY_TO_USE”
Set the value to SAML (instead of LOCAL) and save

Apply the EPC configuration
Click the button “Copy Link and Apply the Changes”

Restart the webapp Docker container
On the EPC Frontend server, execute the following command:
# docker restart docker_webapp_1
