Configure Access Gateway with Okta Inbound SAML
In this tutorial, we walk through the process of configuring two Okta Orgs to function as an Identity Provider and a Service Provider (respectively) that use an application in the Access Gateway.
Requirements
- A configured Okta Org to act as an Identity Provider (IdP) for the Access Gateway (and the Service Provider (SP) for your true IdP). We will refer to this as the SP throughout the article.
- A configured IdP to federate with your Okta Org. For the purposes of this article, we use another Okta Org. We will refer to this as the IdP throughout the article.
- An Access Gateway instance configured with the SP Okta Org.
- A header application created in the Access Gateway and assigned to the Everyone group.
Create the application in the IdP Okta Org
- Log into the IdP Okta Org as an administrator.
- Navigate to the Applications tab, and click Add Application.
- Click Create New App.
- Select SAML 2.0, and click Create.
- Complete the Single sign on URL and Audience URI (SP Entity ID) fields with dummy information, and click Next. We will add the correct information to these fields later.
- Select the I'm an Okta customer adding an internal app option, and click Finish.
- On the Sign On tab, click View Setup Instructions.
- Click Download certificate, and leave the page open for reference.
Configure the SP Okta Org
- Open a separate tab or window in your browser, log into the SP Okta Org as an administrator, and select Security → Identity Providers.
- Click the Add Identity Provider menu, and then click Add SAML 2.0 IdP.
- In the IdP configuration screen, follow these steps:
  - Enter a name for the IdP, such as Okta IdP.
  - Select the idpuser.subjectNameId option in the IdP Username menu.
  - Fill in the IdP Issuer URI and IdP Single Sign-On URL values using the information from the setup instructions in the previous section.
  - In the IdP Signature Certificate field, upload the certificate that you downloaded in the previous section.
- Leave this tab or window open for reference in the next section.
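Added example, not from the Okta documentation: the three values entered above (IdP Issuer URI, IdP Single Sign-On URL and the signing certificate) are also published in the IdP's SAML 2.0 metadata, and fingerprinting the certificate lets you confirm that the file you downloaded is the one the IdP actually advertises before you upload it to the SP Org. The metadata document, entity ID, hostnames and certificate bytes below are constructed samples.

```python
# Pull the IdP Issuer URI, IdP Single Sign-On URL and signing certificate out of
# SAML 2.0 IdP metadata, and fingerprint the certificate so the file uploaded to
# the SP Okta Org can be checked against what the IdP actually publishes.
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample metadata (hypothetical IDs and hostnames); the certificate
# body is placeholder bytes, not a real X.509 DER.
SAMPLE_CERT_DER = b"PLACEHOLDER-DER-BYTES"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
      Location="https://idp-org.example.okta.com/app/exkEXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sha256_fingerprint(der: bytes) -> str:
    # Colon-separated upper-case hex, the form most certificate viewers display.
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    # Prefer the HTTP-POST endpoint; otherwise take the first binding listed.
    services = idp.findall("md:SingleSignOnService", NS)
    sso = next((s for s in services if s.get("Binding") == HTTP_POST), services[0] if services else None)
    if sso is None:
        raise ValueError("no SingleSignOnService endpoint in metadata")
    # Only a KeyDescriptor marked use="signing" (or unmarked, meaning both uses) verifies responses.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join(cert.text.split())))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"issuer_uri": root.get("entityID"), "sso_url": sso.get("Location"),
            "fingerprint": sha256_fingerprint(certs[0])}

def certificate_matches(info: dict, downloaded_der: bytes) -> bool:
    # True when the downloaded certificate file is the one the metadata publishes.
    return info["fingerprint"] == sha256_fingerprint(downloaded_der)
```

If the downloaded certificate file is PEM, strip the BEGIN/END lines and base64-decode the body to obtain the DER bytes before passing them to certificate_matches.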
Configure the app in the IdP Okta Org
- Go back to the application in the IdP Okta Org, click the General tab, and click Edit.
- Click Next on the Edit SAML Integration page.
- Referring to step 4 in the previous section, fill in the Single sign on URL and Audience URI (SP Entity ID) fields.
- In the Attribute Statements section, complete the fields as shown in the image below:
Test the Configuration
- Launch the Single Header Okta Org application from the dashboard. The Okta Org dashboard should open.
- If you want to launch the Header app from the IdP Okta Org, add the Header App embedded URL from the SP Okta Org to the Default Relay State of the SP Okta Org app in the IdP Okta Org.