Configuring Administration Access using SAML

The purpose of this guide is to walk through the configuration of Access Gateway with an Okta tenant such that the Gateway Admin UI accepts a SAML token issued by Okta for authentication. We will also create an application tile on the Okta Applications page that administrators use to access the Gateway Administration UI.

This procedure assumes you have an Access Gateway instance installed and configured, as well as an Okta tenant.

Integrate with Okta

Create a Token

  1. In your browser, navigate to your Okta Org and log in as an Administrator.

  2. Click Security > API.

  3. Select the Tokens tab.

  4. Click Create Token.

  5. Enter an appropriate name for the token. For example, OAG Admin Access Token.
    Note: All access to the Okta Access Gateway will be tracked using this token name.

  6. Select and copy the token value.
    Note: Token text is only available during creation. You will NOT be able to retrieve the text of the token at a later time.

Add an Okta IdP

  1. In your browser, navigate to the Okta Access Gateway UI as Admin.

  2. Click Settings.

  3. Select the Identity Providers tab.

  4. In the Identity Providers pane, click the + icon and select Okta.

  5. Select the Identity Providers tab.

  6. Complete the Add New Okta IDP step by providing the following values:

    Attribute       Value
    Name            A descriptive name
    Okta Org        Your Okta Org URL. For example,
    Okta API Token  API Token copied previously
    Description     An appropriate description
  7. Click Not Validated.
    Note: If your token can be successfully validated then the yellow Not Validated button will become a green Validated button.

  8. Click Okay.
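The Not Validated button above checks that the API token copied during Create a Token is accepted by the Okta org you entered. The following is an added example, not part of this guide or of Access Gateway, that performs the same check from a workstation before the token is pasted into the Gateway: it calls the Okta Users API endpoint /api/v1/users/me with the SSWS authorization scheme and reports which administrator the token acts as. The org host and token in the usage block are assumed placeholders; the endpoint and header format are Okta's documented API. Because an SSWS token inherits the privileges of the admin who created it, seeing the resolved login tells you exactly whose authority the Gateway will exercise.

```python
"""Check an Okta API (SSWS) token against an org before storing it in Access Gateway.

Added example (not Okta's or Access Gateway's code). Assumes only the public
Okta endpoint GET /api/v1/users/me, which returns the profile of the admin
whose token was presented.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse


def normalize_org_url(org: str) -> str:
    """Return 'https://<host>' for an org given as a host or URL; reject non-https."""
    candidate = org if "://" in org else f"https://{org}"
    parts = urlparse(candidate)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        raise ValueError(f"Okta org must be an https host with no path: {org!r}")
    return f"https://{parts.netloc}"


def build_request(org_url: str, token: str) -> urllib.request.Request:
    """Build the /users/me request carrying the token in the SSWS scheme."""
    req = urllib.request.Request(f"{org_url}/api/v1/users/me", method="GET")
    req.add_header("Authorization", f"SSWS {token}")
    req.add_header("Accept", "application/json")
    return req


def interpret_status(status: int, body: dict) -> tuple:
    """Map the HTTP result of /users/me to a (verdict, detail) pair."""
    if status == 200:
        # A valid token resolves to the admin who created it.
        return ("valid", body.get("profile", {}).get("login", "<unknown>"))
    if status == 401:
        return ("invalid", body.get("errorSummary", "token rejected"))
    if status == 403:
        return ("insufficient", body.get("errorSummary", "token lacks permission"))
    return ("error", body.get("errorSummary", f"unexpected HTTP {status}"))


def validate_token(org: str, token: str) -> tuple:
    """Perform the live check; network errors surface as the 'error' verdict."""
    req = build_request(normalize_org_url(org), token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_status(resp.status, json.load(resp))
    except urllib.error.HTTPError as exc:
        try:
            body = json.load(exc)
        except ValueError:
            body = {}
        return interpret_status(exc.code, body)
    except urllib.error.URLError as exc:
        return ("error", str(exc.reason))


if __name__ == "__main__":
    # Placeholder values; replace with your own org host and the token copied
    # during creation (the token is never shown again by Okta afterwards).
    verdict, detail = validate_token("example.okta.com", "<paste-token-here>")
    print(f"{verdict}: {detail}")
```

Run it once with the freshly created token; a "valid" verdict naming the expected admin login confirms both the org URL and the token before they go into the Add New Okta IDP form, and a 401 means the token was mis-copied or has been revoked.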

Configure SAML for Administrative access

  1. In your browser, return to your Okta org as Administrator.

  2. Navigate to Directory > Groups.

  3. Click Add Group.

  4. In the Add Group dialog name the group and add a description, then click Add Group.

  5. Click the name of the newly added group.

  6. Click Manage People and add all users who should be able to administer Okta Access Gateway.

  7. When complete, click Save.

  8. Return to the previously open Okta Access Gateway browser window.

  9. Select the Application tab.

  10. On the row representing the previously added IdP, click Add.

  11. From the list of applications select Access Gateway AdminUI and click Create.

  12. In the Essentials section, configure the following values and then click Next.

    Attribute      Value
    Label          OAG Admin Console
    Public Domain  gw-admin.<yourdomain>
    Groups         OAG Admin (group created previously)
    Description    An appropriate description
  13. Click Next. The Attributes tab is displayed.

  14. Click Next. The Policies tab is displayed.

  15. Click Done.

  16. Log out of the OAG Admin UI Console.

Final Steps

  1. Log in to your Okta org as a user in the previously created OAG Admin group.
  2. You should see that an application tile for the Okta Access Gateway Admin Console has been added.
  3. Click the application tile and you will be logged into the Okta Access Gateway as an administrator.