Configure Access Gateway with Okta Inbound SAML

In this tutorial, we walk through the process of configuring two Okta Orgs to function as an Identity Provider and Service Provide (respectively) that use an application in the Access Gateway.

Requirements

• A configured Okta OrgThe Okta container that represents a real-world organization. to act as an Identity Provider (IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.) for the Access Gateway (and the Service Provider (SPAn acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.) for your true IdP). We will refer to this as the SP throughout the article.

• A configured IdP to federate with your Okta Org. For the puroses of this article, we use another Okta Org. We will refer to this as the IdP throughout the article.

• An Access Gateway instance configured with the SP Okta Org.

• A header application created in the Access Gateway and assigned to the Everyone group.

Create the application in the Okta

1. Log into your Okta Org as an administrator,

2. Navigate to Applications tab, and click Add Application.

   

3. Click Create New AppAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in..
   

4. Select SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0, and click Create.
   

5. Give the application a name, and click Next.
   

6. Complete the Single sign on URL and Audience URI (SP Entity ID) fields with dummy information, and click Next. We will add the correct information to these fields later.
   

7. Select the I’m an Okta customer adding an internal app option, and click Finish.

   

8. On the Sign On tab, click View Setup Instructions.

   

9. Click Download certificate, and leave the page open for reference.

   

Configure Okta Org

1. Open a separate tab or window in your browser, log into your Okta Org as an administrator, and select Security → Identity Providers.
   

2. Click the Add Identity Provider menu, and then click Add SAML 2.0 IdP.

   

3. In the IdP configuration screen, follow these steps:

   1. Enter a name for the IdP, such as Okta idP.

   2. Select the idpuser.subjectNameId option in the IdP Username menu.

   3. Select the Update attributes for existing users option next to Profile MasterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see the Profile Master page. When users are mastered by attribute, we call this attribute-level mastery (ALM). ALM delivers finer grain control over how profiles are mastered by allowing admins to specify different profile masters for individual attributes. Profile mastering only applies to Okta user profiles, not app user profiles. For more details, see Attribute Level Mastering..

   4. Fill in the IdP Issuer URI and IdP Single Sign-On URL values using the information from the previous section.

   5. In the IdP Signature Certificate field, upload the certificate that you downloaded in the previous section.

   6. Click Add Identity Provider.
      

4. Leave this tab or window open for reference in the next section.

   

Configure App in Okta

1. Go back to the application in your Okta Org, click the General tab, and click Edit.

   

2. Click Next on the Edit SAML Integration page.

   

3. Refering to step 4 in the previous section, fill in the information for the Single sign on URL and Audience URI (SP Entity ID) fields.

4. In the Attributes Statements section, complete the fields as shown in the image below:

   

5. Click Finish.
   

Test the Configuration

1. Log in to your Okta Org.
   

2. Launch the Single Header Okta Org application from the dashboard. The Okta Org dashboard should open.

   

3. Launch the Header App from the dashboard.
   

4. Verify the information in the header application.
   

• If you want to launch the Header app from the IdP Okta Org, add the Header App embedded URL from the SP Okta Org to the Default Relay State of the SP Okta Org app in the IdP Okta Org.