Configure Okta as a Third-Party IdP with SOTI Identity
Before you begin
Set up and verify a domain to use with this Okta IdP connection. Read more at Add Domains.
About this task
If you already have a set of users with Okta, you can configure SOTI Identity to delegate authentication and authorization to Okta rather than recreate an existing set of users and structures.
Procedure
- In the SOTI Identity Admin Console, open the main menu and select Directories/IDP.
- Open the Create Connection dialog box.
- Select SAML Based IdP.
- Select Downloads in the upper right corner of the Configure IdP dialog box and download the Identity Metadata and Identity Certificate to your computer.
- Open another browser tab and log into the Okta administration console as an administrator.
- In Applications, select Add Applications.
- Select Create New App to launch the Create a New Application Integration wizard.
- Select Web as the Platform and then choose SAML 2.0. Select Create.
The Create a New Application Integration window closes and the Create SAML Integration page opens.
- Enter a name for your app, like SOTI Identity 1, and select Next.
- Open the SOTI Identity metadata file you downloaded earlier in a text editor. Copy the AssertionConsumerService Location attribute value and paste it into the Single sign on URL field.
Note: Enter the exact values from the metadata XML file, with no trailing spaces.
- Copy the m:EntityDescriptor entityID attribute value into Audience URI (SP Entity ID).
- Under the Attribute Statements section, update the attribute statements to match the list below. Leave all name formats as Unspecified. Select Add Another to add a new attribute statement.
  - Name: First Name; Name format (optional): Unspecified; Value: user.firstName
  - Name: Last Name; Name format (optional): Unspecified; Value: user.lastName
  - Name: Email; Name format (optional): Unspecified; Value: user.email
- Under the Group Attribute Statements (Optional) section, add the following group attribute statement.
  - Name: Group; Name Format (optional): Unspecified; Filter: one of the methods below, together with a matching Filter value
  Filters give you the option to fetch the attribute using one of the following methods. Choose one of:
  - Starts with
  - Equals
  - Contains
  - Matches Regex
- Enter the connection name.
- Select Next.
- In the Feedback tab of the SAML Integration page, indicate whether you are an Okta customer or partner and then provide Okta with feedback or simply select Finish.
- Open the Sign On tab and open View Setup Instructions.
- Copy the details for Identity Provider Single Sign-On URL and Identity Provider Issuer into a text editor and save it as an .xml file.
- Under the X.509 Certificate field, select Download certificate to save it to your computer.
- Open the Assignments tab and, from the Assign list, select either:
  - Assign to People
  - Assign to Group
- Select Done.
- Return to the SOTI Identity console and the Configure IdP dialog box.
- Give the Okta connection a name.
- Paste the Identity Provider Issuer value you copied from Okta into the IdP Entity ID field.
- Paste the Identity Provider Single Sign-On URL you copied from Okta into the SSO URL field.
- Select one or more domains from the Select Domain list.
Domains control who can (or cannot) log into a SOTI Identity account and its associated applications. Each SAML-based connection is mapped to at least one domain.
Only verified domains appear in this list. If you have not set up a verified domain yet, select Manage Domains. The page redirects to the Domains view, where you can add and verify domains. Doing so discards your current draft connection.
- Select New to upload the X.509 certificate you downloaded from Okta to SOTI Identity.
- Enter the user attribute names into the Email, First Name, Last Name and MemberOf fields so that they correspond to the attribute statements you configured in Okta.
Note: Make sure you map the value of Member Of to "Group" and that none of the fields include trailing spaces. All entries must match exactly.
- Select Create to save the new Okta IdP connection.
- In the SOTI Identity Admin Console, open the main menu and select Users.
- Select your Okta IDP in the Directory list.
- Select Groups.
- In the upper right corner of the console, select the button that opens the Add IDP User Group window.
- In the Add IDP User Group window, select External IDP Group.
- Type a name for the new IDP group.
- Optional: Make all users in the group SOTI Identity account administrators. Leave unselected if the users only need access to other SOTI ONE applications.
Note: Account administrators can manage and modify all settings in your SOTI Identity console and account, so you should be careful who you make an account administrator.
- Select Add to add the IdP group to SOTI Identity.
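The two values the procedure has you copy by hand out of the SOTI Identity metadata file (the EntityDescriptor entityID for Audience URI and the AssertionConsumerService Location for Single sign on URL) can be pulled out programmatically, which also catches the trailing-space mistake the notes above warn about. This is an added example, not SOTI's or Okta's own code; the metadata it parses is a constructed sample with placeholder hostnames, and it assumes that when several AssertionConsumerService endpoints are listed the HTTP-POST one is the one Okta should use.

```python
"""Pull the two SP values SOTI Identity's metadata file supplies for the Okta app."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for the downloaded SOTI Identity metadata;
# the hostnames are placeholders, not real SOTI endpoints. The trailing space
# in entityID is deliberate, to show the whitespace check firing.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<m:EntityDescriptor xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://identity.example.invalid/sp/okta-1 ">
  <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://identity.example.invalid/sp/okta-1/artifact" index="1"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://identity.example.invalid/sp/okta-1/acs" index="0" isDefault="true"/>
  </m:SPSSODescriptor>
</m:EntityDescriptor>
"""


def extract_sp_values(metadata_xml):
    """Return the values to paste into Okta, plus warnings about stray whitespace."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    acs_list = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if entity_id is None or not acs_list:
        raise ValueError("metadata lacks entityID or an AssertionConsumerService")
    # Assumption: Okta posts the assertion, so prefer the HTTP-POST endpoint when several exist.
    acs = next((a for a in acs_list if a.get("Binding") == HTTP_POST), acs_list[0])
    fields = {
        "Audience URI (SP Entity ID)": entity_id,
        "Single sign on URL": acs.get("Location", ""),
    }
    # The Okta fields must match the metadata exactly, so flag any padding before trimming it.
    warnings = [f"{name}: value carries leading/trailing whitespace; paste it trimmed"
                for name, value in fields.items() if value != value.strip()]
    return {name: value.strip() for name, value in fields.items()}, warnings


if __name__ == "__main__":
    values, warnings = extract_sp_values(SAMPLE_METADATA)
    for name, value in values.items():
        print(f"{name}: {value}")
    for w in warnings:
        print("WARNING:", w)
```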
Results
You have connected Okta to SOTI Identity. Users in the groups you just added receive an email notifying them that they have been enrolled in SOTI Identity. However, they do not have access to any applications until you assign one.
What to do next
Assign applications to Okta user groups.