Configure Okta as a Third-Party IdP with SOTI Identity

Before you begin

Set up and verify a domain to use with this Okta IdP connection. Read more at Add Domains.

About this task

If you already have a set of users with Okta, you can configure SOTI Identity to delegate authentication and authorization to Okta rather than recreate an existing set of users and structures.

Note: This procedure includes steps to perform in an external tool and is subject to change without notice.

Procedure

Download SOTI Identity metadata
  1. In the SOTI Identity Admin Console, open the main menu and select Directories/IDP.
  2. Select New Directory > IdP Connection to open the Create Connection dialog box.
  3. Select SAML Based IdP.
  4. Select Downloads in the upper right corner of the Configure IdP dialog box and download the Identity Metadata and Identity Certificate to your computer.
Configure Okta
  1. Open another browser tab and log into the Okta administration console as an administrator.
  2. In Applications, select Add Applications.
  3. Select Create New App to launch the Create a New Application Integration wizard.
  4. Select Web as the Platform and then choose SAML 2.0. Select Create.
    The Create a New Application Integration window closes and the Create SAML Integration page opens.
  5. Enter a name for your app, like SOTI Identity 1, and select Next.
  6. Open the SOTI Identity metadata file you downloaded earlier in a text editor. Copy the AssertionConsumerService Location attribute value and paste it into the Single sign on URL field.
    Note: Enter the exact values from the metadata XML file, with no trailing spaces.
  7. Copy the m:EntityDescriptor entityID attribute value into Audience URI (SP Entity ID).
  8. Under the Attribute Statements section, update the attribute statements to match the table below. Leave all name formats as unspecified. Select Add Another to add a new attribute statement.
    Name         Name format (optional)   Value
    First Name   Unspecified              user.firstName
    Last Name    Unspecified              user.lastName
    Email        Unspecified              user.email
  9. Under the Group Attribute Statements (Optional) section, add the following group attribute statement.
    Name    Name Format (optional)   Filter                                            Filter value
    Group   Unspecified              One of: Starts with, Equals, Contains,            Enter the connection name.
                                     Matches Regex

    Filters give you the option to fetch the attribute using one of the listed methods.
  10. Select Next.
  11. In the Feedback tab of the SAML Integration page, indicate whether you are an Okta customer or partner and then provide Okta with feedback or simply select Finish.
  12. Open the Sign On tab and open View Setup Instructions.
  13. Copy the details for Identity Provider Single Sign-On URL and Identity Provider Issuer into a text editor and save it as an .xml file.
  14. Under the X.509 Certificate field, select Download certificate to save it to your computer.
  15. Open the Assignments tab and from the Assign list, select either:
    • Assign to People
    • Assign to Group
  16. Select Done.
Import Okta metadata into SOTI Identity
  1. Return to the SOTI Identity console and the Configure IdP dialog box.
  2. Give the Okta connection a name.
  3. Paste the Identity Provider Issuer value you copied from Okta into the IdP Entity ID field.
  4. Paste the Identity Provider Single Sign-On URL you copied from Okta into the SSO URL field.
  5. Select one or more domains from the Select Domain list.
    Domains control who can (or cannot) log into a SOTI Identity account and its associated applications. Each SAML-based connection is mapped to at least one domain.

    Only verified domains appear in this list. If you have not set up a verified domain yet, select Manage Domains. The page redirects to the Domains view, where you can add and verify domains. You will lose your current draft connection.

  6. Select New to upload the X.509 certificate you downloaded from Okta to SOTI Identity.
  7. Enter the user attribute names into the Email, First Name, Last Name and MemberOf fields so that they correspond to the attribute statements you configured in Okta.
    Note: Make sure you map the value of Member Of to "Group" and that none of the fields include trailing spaces. All entries must match exactly.
  8. Select Create to save the new Okta IdP connection.
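Two of the steps above depend on copying values exactly: the AssertionConsumerService Location and entityID taken from the SOTI Identity metadata (Configure Okta, steps 6 and 7) and the attribute names that must match on both sides with no trailing spaces (Import Okta metadata, step 7). The script below is an added example, not SOTI or Okta code, that pulls the SP values out of a metadata file by namespace URI (so the m: prefix in the download does not matter), flags leading or trailing whitespace, and compares the attribute names in an Okta-issued AttributeStatement against the SOTI field mapping. The metadata, certificate, attribute statement and mapping are constructed placeholders, not values from a real tenant.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespace URIs. Prefixes ("m:", "md:", "saml:") differ from file to
# file, so every lookup below matches on the URI, never on the prefix.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata in the shape of the SOTI Identity download. The host,
# entityID and certificate are placeholders; the ACS Location carries a
# deliberate trailing space to exercise the whitespace check.
SAMPLE_SP_METADATA = """<m:EntityDescriptor xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://identity.example.invalid/saml/sp">
  <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <m:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBplaceholderCertificateBase64==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </m:KeyDescriptor>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://identity.example.invalid/saml/acs " index="0" isDefault="true"/>
  </m:SPSSODescriptor>
</m:EntityDescriptor>"""

# Constructed attribute statement as an IdP would emit it for the mapping in the
# procedure; the "Group" attribute name carries a trailing space on purpose.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="First Name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Last Name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.invalid</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Group "><saml:AttributeValue>Engineering</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

# SOTI Identity field -> attribute name configured in Okta (hypothetical mapping
# that follows the procedure: Member Of maps to "Group").
SOTI_MAPPING = {"Email": "Email", "First Name": "First Name",
                "Last Name": "Last Name", "MemberOf": "Group"}


def extract_sp_values(metadata_xml):
    """Return entityID, default ACS URL/binding and signing cert from SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not SAML metadata: root element is %s" % root.tag)
    acs_nodes = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not acs_nodes:
        raise ValueError("no AssertionConsumerService element in metadata")
    # Prefer the ACS flagged isDefault="true"; otherwise take the first one listed.
    default = [n for n in acs_nodes if n.get("isDefault", "false").lower() == "true"]
    acs = (default or acs_nodes)[0]
    cert = root.find("md:SPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/"
                     "ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        # Certificates are wrapped across lines; strip all whitespace.
        "signing_cert": "".join(cert.text.split()) if cert is not None and cert.text else None,
    }


def whitespace_problems(values):
    """Names of values with leading/trailing whitespace, which would be stored verbatim."""
    return [k for k, v in values.items() if isinstance(v, str) and v != v.strip()]


def check_attribute_mapping(statement_xml, mapping):
    """For each SOTI field report 'ok', 'missing', or the near match that explains why."""
    stmt = ET.fromstring(statement_xml)
    names = [a.get("Name", "") for a in stmt.findall("saml:Attribute", NS)]
    report = {}
    for field, expected in mapping.items():
        if expected in names:
            report[field] = "ok"
            continue
        # Exact match failed; look for a case/whitespace variant to point at the cause.
        near = [n for n in names if n.strip().lower() == expected.strip().lower()]
        report[field] = "near match: %r" % near[0] if near else "missing"
    return report


if __name__ == "__main__":
    values = extract_sp_values(SAMPLE_SP_METADATA)
    for key, value in values.items():
        print("%-13s %r" % (key, value))
    print("whitespace problems:", whitespace_problems(values))
    print("attribute mapping:", check_attribute_mapping(SAMPLE_ATTRIBUTE_STATEMENT, SOTI_MAPPING))
```

Run against the real metadata download by replacing SAMPLE_SP_METADATA with the file contents; a non-empty whitespace_problems list or a "near match" entry in the mapping report is the kind of mismatch that makes the SOTI Identity connection fail at login even though every value looks right in the two consoles.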
Add an Okta User Group to SOTI Identity
Note: SAML Based IdP connections support adding user groups only, not individual users.
  1. In the SOTI Identity Admin Console, open the main menu and select Users.
  2. Select your Okta IDP in the Directory list.
  3. Select Groups.
  4. Select New User Group in the upper right corner of the console.
  5. In the Add IDP User Group window, select External IDP Group.
  6. Type a name for the new IDP group.
  7. Optional: Make all users in the group SOTI Identity account administrators. Leave unselected if the users only need access to other SOTI ONE applications.
    Note: Account administrators can manage and modify all settings in your SOTI Identity console and account, so grant this role carefully.
  8. Select Add to add the IdP group to SOTI Identity.

Results

You have connected Okta to SOTI Identity. Users in the groups you just added receive an email notifying them that they have been enrolled in SOTI Identity. However, they do not have access to any applications until you assign one.

What to do next

Assign applications to Okta user groups.