Administer Identity Providers

Identity Providers (IDP) provide:

  • Identity federation between Access Gateway and Okta tenants/local identity providers.
  • Services such as:
    • Authorization and authentication support.
    • Application data for identification and policy decisions.

This guide describes Access Gateway Identity Providers and how they can be created, used, and managed.

Adding an Okta Identity Provider

To add an Okta tenant as an IDP, complete these steps in order:

  • Add an Okta Service Account
  • Create an API Token
  • Configure an IDP in the Access Gateway Admin UI console

Add an Okta Service Account

  1. In your browser, navigate to your Okta org and sign in as an administrator.

    Best Practice

    Okta recommends creating a dedicated Service Account in Okta to create the Access Gateway API key. Every action performed with an API key is logged under the user that created the key, so a dedicated Access Gateway Service Account keeps the logs accurate.

  2. In the Admin Console, go to Directory > People.
  3. Click Add Person.
  4. In the Service Account name fields, enter the first and last name.
  5. In the Username and Primary email fields, enter a dummy email address. For example, service.admin@domain.com.

    Best Practice

    Use a dummy value for the Username and Primary email fields so that there is no interference between the service account and your own account in the event of a password reset request. Adding your own email address to the Secondary email field ensures you can activate and maintain the service account.

  6. In the Secondary email field, enter your valid administrator email.
  7. Select the Send user activation email check box, and click Save. You should now see your newly created Service Account under the Activated people tab with a Password reset status.
  8. In the Admin Console, go to Security > Administrators.
  9. Click Add Administrator.
  10. In the Grant administrator role to field, enter the name of the service account created earlier.
  11. Select the Super Administrator check box, and click Add Administrator. You should now have two Super Administrator accounts.
  12. Sign out of your Okta Admin Account.
  13. In your email, open the Service Account Activation Email you received from Okta and click the Activation link.
  14. Set a password and a security question, and select an account security image.
  15. Upon completion, sign in with the new Service Account credentials.

Create an Okta API Token

  1. Navigate to your Okta org.

  2. In the Admin Console, go to Security > API.
  3. On the API page, click Create Token.

  4. Enter a Token Name in the dialog box, and click Create Token.

    Tip

    Use a name that easily identifies the token’s purpose. In this case, the token is used by the Access Gateway appliance, so including Access Gateway, OAG, or other relevant information in the name is recommended.

  5. Copy the displayed Token Value to a safe place.

    Caution

    Once you close the pop-up window, you can never display the token value again. Copy the token to a safe, secure location (such as a password manager or secure note database) for future reference.

  6. Click Ok, got it.

Configure IDP in Access Gateway

  1. In your browser, navigate to the Access Gateway Admin UI console and sign in as an administrator.
  2. Select the Settings tab.
  3. Click the Identity Providers pane.
  4. Click + and select OKTA.
  5. In the Name field, enter the name of an app.
  6. In the Okta Org URL and Okta API Token fields, enter the values generated earlier.
  7. Click Not Validated.
    Once the Okta API Token is validated successfully, the Not Validated button changes to Validated.
  8. Click Okay. The Settings tab displays your Okta IDP status.
  9. Verify that it displays the status as Valid.
  10. Navigate to the Topology tab to test the IDP’s connection.
  11. Click the Okta IDP icon to be redirected to your Okta tenant.
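
The Not Validated / Validated toggle above is, in effect, a check that Okta accepts the API token. The following is an added example (not Okta's or Access Gateway's own code) of the same check written as a script. It assumes that Okta REST calls carry the token in an Authorization: SSWS header and that /api/v1/users/me returns the caller's own profile; the transport argument and the fake_okta stand-in are hypothetical hooks so the check can be exercised offline. The token value is deliberately kept out of the returned result so it can be logged without leaking the secret.

```python
"""Validate an Okta API token by presenting it to the Okta org, the way the
Access Gateway "Not Validated" button does.

Added example, not Okta's own code. Assumptions: the token travels in an
`Authorization: SSWS <token>` header and /api/v1/users/me returns the
caller's profile; `transport` is a hypothetical hook for offline use."""
import json
import urllib.request
from typing import Callable, Tuple
from urllib.error import HTTPError

# Injectable transport: (url, headers) -> (status code, response body)
Transport = Callable[[str, dict], Tuple[int, bytes]]


def _http_transport(url: str, headers: dict) -> Tuple[int, bytes]:
    """Real transport using only the standard library."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def validate_okta_token(org_url: str, token: str,
                        transport: Transport = _http_transport) -> dict:
    """Return {'valid', 'status', 'login', 'reason'} for the token.

    The token itself is never copied into the result, so the result is
    safe to write to a log."""
    if not org_url.startswith("https://"):
        return {"valid": False, "status": 0, "login": None,
                "reason": "org URL must use https so the token is not sent in clear"}
    url = org_url.rstrip("/") + "/api/v1/users/me"
    headers = {"Authorization": "SSWS " + token, "Accept": "application/json"}
    status, body = transport(url, headers)
    if status == 200:
        login = json.loads(body).get("profile", {}).get("login")
        return {"valid": True, "status": 200, "login": login, "reason": "token accepted"}
    if status in (401, 403):
        return {"valid": False, "status": status, "login": None,
                "reason": "token rejected by Okta"}
    return {"valid": False, "status": status, "login": None, "reason": "unexpected response"}


def fake_okta(accepted_token: str) -> Transport:
    """Constructed stand-in for an Okta org, for offline demonstration only."""
    def transport(url: str, headers: dict) -> Tuple[int, bytes]:
        if headers.get("Authorization") != "SSWS " + accepted_token:
            # Constructed error body in the shape of an Okta error response
            return 401, b'{"errorCode":"E0000011","errorSummary":"Invalid token provided"}'
        profile = {"id": "00uEXAMPLE", "profile": {"login": "service.admin@domain.com"}}
        return 200, json.dumps(profile).encode()
    return transport


if __name__ == "__main__":
    print(validate_okta_token("https://example.okta.com", "good", fake_okta("good")))
    print(validate_okta_token("https://example.okta.com", "bad", fake_okta("good")))
```

Because the returned login is the profile of the token's creator, the output also illustrates the Best Practice above: a token created by the dedicated service account reports that account, not an individual administrator.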

Adding a Local IDP

To add a local IDP:

  1. In your browser, navigate to the Access Gateway Admin UI console and sign in as an administrator.
  2. Select the Settings tab.
  3. Click the Identity Providers pane.
  4. Click + and select Local SAML IDP.
  5. Enter the following fields:

     Name
       Required. Unique name that identifies the IDP. Displays in the list of IDPs.
       Example: My Local IDP

     Host
       Required. A unique Access Gateway hosted domain. It must not match any other Access Gateway domain.
       Example: idp.domain.tld

     Cookie Domain
       Required. A unique Access Gateway hosted domain name. This must not match existing Access Gateway domain names.
       Example: domain.tld

     Default Auth Module
       Required. A previously created Auth Module. See Administer Auth Modules for more information.

     Name Attribute
       Required. Attribute to be obtained from the remote Active Directory.
       Example: email

     Name Attribute Format
       Required. Defines the Name Format used in the SAML assertion. Select one of the values from the drop-down list.
       Example: Email address

  6. Click Okay to complete creation of the IDP or Cancel to cancel.
  7. After any creation or update, all Identity Providers are validated. A valid identity provider shows the status Valid.
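
The field table above states the constraints on a Local SAML IDP in prose. As an added example (not Okta's or Access Gateway's own code), the script below checks a definition against those constraints before it is entered in the Admin UI and renders the SAML NameID such an IDP would emit for a user. The name-identifier URNs are the standard SAML ones; the drop-down labels, the rule that the cookie domain must be the host or one of its parent domains (a browser cookie-scoping requirement), and the reading of "must not match existing Access Gateway domain names" as a uniqueness check against existing hosts and cookie domains are assumptions. The sample IDP and the Auth Module name in it are constructed from the Example column.

```python
"""Pre-flight checks for a Local SAML IDP definition (Name, Host, Cookie
Domain, Default Auth Module, Name Attribute, Name Attribute Format) and the
SAML NameID the IDP would emit.

Added example, not Okta's own code. Assumptions: the drop-down labels in
NAMEID_FORMATS, the cookie-domain/host rule, and the uniqueness rule."""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Drop-down label (assumed) -> standard SAML NameID format URN
NAMEID_FORMATS: Dict[str, str] = {
    "Email address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "Persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "Transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

REQUIRED = ("name", "host", "cookie_domain", "default_auth_module",
            "name_attribute", "name_attribute_format")


def check_local_idp(idp: dict, existing: List[dict]) -> List[str]:
    """Return the problems found; an empty list means the definition passes."""
    problems = [f"{key} is required" for key in REQUIRED if not idp.get(key)]
    if problems:
        return problems
    host = idp["host"].lower()
    cookie = idp["cookie_domain"].lower()
    # A cookie scoped to cookie_domain only reaches host if cookie_domain is
    # the host itself or one of its parent domains.
    if host != cookie and not host.endswith("." + cookie):
        problems.append("cookie_domain must be the host or a parent domain of it")
    # Neither domain may collide with domains Access Gateway already serves.
    taken = ({e["host"].lower() for e in existing}
             | {e["cookie_domain"].lower() for e in existing})
    if host in taken:
        problems.append(f"host {host} is already used by another Access Gateway domain")
    if cookie in taken:
        problems.append(f"cookie_domain {cookie} is already used by another Access Gateway domain")
    if idp["name"].lower() in {e["name"].lower() for e in existing}:
        problems.append("name must be unique among IDPs")
    if idp["name_attribute_format"] not in NAMEID_FORMATS:
        problems.append("name_attribute_format must be one of: " + ", ".join(NAMEID_FORMATS))
    return problems


def name_id_element(idp: dict, user_attributes: Dict[str, str]) -> str:
    """Render the <saml:NameID> the IDP would put in its assertion for a user:
    the configured Name Attribute supplies the value, the Name Attribute
    Format supplies the Format URN."""
    ET.register_namespace("saml", SAML_NS)
    element = ET.Element(f"{{{SAML_NS}}}NameID",
                         Format=NAMEID_FORMATS[idp["name_attribute_format"]])
    element.text = user_attributes[idp["name_attribute"]]
    return ET.tostring(element, encoding="unicode")


# Constructed sample built from the Example column of the field table.
SAMPLE_IDP = {
    "name": "My Local IDP",
    "host": "idp.domain.tld",
    "cookie_domain": "domain.tld",
    "default_auth_module": "Corporate AD",   # hypothetical Auth Module name
    "name_attribute": "email",
    "name_attribute_format": "Email address",
}

if __name__ == "__main__":
    print(check_local_idp(SAMPLE_IDP, []))
    print(name_id_element(SAMPLE_IDP, {"email": "user@domain.tld"}))
```

Running the script with SAMPLE_IDP and no existing IDPs reports no problems and prints a NameID carrying the emailAddress format; changing the host to one outside the cookie domain, or reusing a host already defined, is reported before anything is submitted.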

Related topics

  • Manage Authorization Modules. For more information see Administer Auth Modules.
  • Use attributes in applications. For more information see Application attributes.
  • Use behaviors in applications. For more information see About application behaviors.