Okta SAML SSO
Overview
This page will explain how to integrate the Okta SAML SSO login process for SureView.
The examples below use an Okta developer account; an official Okta Account should be used for the production environment.
IMPORTANT - The SureView / Okta integration should be performed by a System Admin User who is experienced with the Okta Account Security Process.
For demo purposes, an Okta developer account can be used - https://developer.okta.com/signup/
Installation
The installation is done in four stages:
Stage 1 - adding the SureView service to the Okta Account Applications (on the Okta website).
Stage 2 - setting up SureView (using the System Settings page) to enable Okta SAML SSO login.
Stage 3 - updating the SureView Data Service file AppSettings.json "CORSAllowOrigin" attribute to include the Okta server address which sends the SAML response for User authentication.
Stage 4 - assigning SureView Users to the Okta SureView app.
Stage 1 - adding SureView to the Okta Account Applications:
- The SureView App needs to be added to the Okta Applications (via the Okta account 'Create a new app integration') using the SAML 2.0 Sign-on method
- Use default settings for the App integration
- The 'Okta Username' option should be selected for the SAML setting Application Username
Stage 2 - setting up SureView to enable Okta SAML SSO login:
- Log in to SureView
- Open the 'System Settings' page from the menu options
- Select the Security Setting and Security sub-option
- Select the System Area for the Areas
System settings example:
- Enable the System Setting 'SSO Enabled' checkbox
- Set the System Setting 'SSO Provider Type' to 2 (Okta SAML)
- Set the System Setting 'SSO Client ID' to the string value entered into the Okta SureView Application above in stage 1 - Audience URI (SP Entity ID)
- Set the System Setting 'SSO Endpoint' to the string value presented in the Okta SureView Application above in stage 1 - Identity Provider Single Sign-On URL
- Set the System Setting 'SSO Client Secret' to the string value presented in the Okta SureView Application above in stage 1 - X.509 Certificate
VERY IMPORTANT - only copy the certificate string contents, do not include the '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' strings or any spaces.
- Set the System Setting 'SSO SAML Endpoint' string value using the following format - {sureview_server_address}/API/login/ProviderOktaResponse
- The System Setting 'SSO SAML Endpoint' string value should also be used for the Okta SureView Application settings - Single Sign On URL, Recipient URL and Destination URL
- The System Setting 'SSO Redirect URL' should be set to the server Event Queue page
- Optional - enable the System Setting 'SSO Auto Redirect' checkbox if Users should be automatically logged in via the Okta SAML SSO when landing on the SureView start page (login)
Stage 3 - updating the SureView Data Service AppSettings.json:
Update the SureView Data Service file AppSettings.json "CORSAllowOrigin" attribute to include the Okta server address which sends the SAML response for User authentication.
For example:
"CORSAllowOrigin":"https://*.sureviewsystems.com,https://dev-23749209.okta.com"
An iisreset is required for the SureView Data Service after the AppSettings.json file has been updated.
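The values asked for in Stages 2 and 3 are easy to paste wrongly (BEGIN/END lines left in the certificate, whitespace inside the CORS origin list). The following is an added example, not SureView or Okta code: the function names are hypothetical and the certificate body is a constructed stand-in for the real Okta X.509 certificate.

```python
"""Helpers for preparing the Okta SAML values used in Stages 2 and 3 (added example)."""
import base64
from urllib.parse import urlsplit

# Constructed stand-in for the Okta X.509 certificate: the base64 body is a
# minimal DER SEQUENCE so the checks below run offline. A real body is much longer.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

def pem_to_sso_client_secret(pem: str) -> str:
    """Return only the base64 body for the 'SSO Client Secret' setting, with the
    BEGIN/END lines and all whitespace removed. Raises ValueError if the body is
    not base64 or does not decode to a DER SEQUENCE (tag 0x30), the outer structure
    of every X.509 certificate."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with a DER SEQUENCE")
    return body

def saml_endpoint(sureview_server_address: str) -> str:
    """Build the 'SSO SAML Endpoint' value in the format the page gives; the same
    URL is entered in Okta as Single Sign On URL, Recipient URL and Destination URL."""
    return sureview_server_address.rstrip("/") + "/API/login/ProviderOktaResponse"

def build_cors_allow_origin(origins) -> str:
    """Join origins into the "CORSAllowOrigin" attribute value. Each entry must be a
    bare https origin (scheme and host, wildcard subdomain allowed) with no path,
    query or fragment; surrounding whitespace is stripped so it never ends up
    inside the stored origin string."""
    cleaned = []
    for origin in origins:
        candidate = origin.strip()
        parts = urlsplit(candidate)
        if (parts.scheme != "https" or not parts.netloc
                or parts.path or parts.query or parts.fragment):
            raise ValueError(f"not a bare https origin: {origin!r}")
        cleaned.append(candidate)
    return ",".join(cleaned)
```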
Stage 4 - assign Okta Users (who are also SureView Users) to the Okta SureView Application:
- Select the SureView app in the Okta Account Applications
- Select the 'Assignments' tab on the Okta SureView Application page
- Select the 'Assign / Assign People' option and add Okta Users as needed
- For each User, make sure the 'Edit User Assignment - User Name' string entry is the same as their SureView User Username.
- New Okta Users can be invited via the Okta Account Directory / People sections
Testing
The System Settings above for the Okta SAML SSO login are cached. The default cache time is set to 30 minutes, and can be changed in the CacheSettings section of the AppSettings.json found in the API folder.
"CacheSettings": {
    "SingleSignOnCacheExpiryTimeMins": 30
}
If the cache settings need to be updated before the cache period has expired, then an IISRESET is required.
Once everything has been set up, there will be a new Okta login button on the SureView start landing page (login):
Selecting the Okta Login button will start the SureView Okta Login Authentication process:
- A new browser window will open using the URL of the System Setting SSO Endpoint (this is the SAML request from SureView being sent to Okta)
- If the User is already logged into their Okta account then Okta will automatically send a SAML response to the SureView server and the new browser window will close automatically
- If the User is not logged into their Okta account then the new browser window will show an Okta Login Page for the User to enter their details and log in. Once this has been done successfully, Okta will send a SAML response to the SureView server and the new browser window will close automatically
- The Okta SAML response will be validated and the User will be automatically logged into SureView if the login details are correct (the Okta User has an associated valid SVS username)