Setup SAML SSO Integration for CSAP using Okta
Single sign-on (SSO) is a method for authenticating users where a single set of credentials can be used to log into several different applications. In CSAP, an admin can enable SSO through Security Assertion Markup Language (SAML), using Okta as the Identity Provider (IdP). SAML is an XML-based protocol for exchanging authentication and authorization data between applications. Within the SAML workflow, Okta acts as the IdP and CSAP as the Service Provider (SP). With SSO, you use one password to access all of your applications, which reduces password fatigue.
Before you start
Make sure you have the admin role assigned.
Steps
To integrate SAML-based SSO for CSAP using Okta, follow these steps:
Create users in the CSAP application with the same email address that they use for SSO. See Add Privileged Users.
Fetch Assertion Consumer URL and Entity ID from CSAP.
Configure SAML 2.0 App and generate self-signed certificate for CSAP on Okta.
Configure SAML for Okta on CSAP.
Sign in to CSAP using Okta.
Fetch Assertion Consumer URL and Entity ID from CSAP
To fetch the Assertion Consumer URL and Entity ID from the CSAP application, follow these steps:
Sign in to the CSAP application as admin.
In the Integration module, select Authentication Methods > Analyst Dashboard > SAML 2.0.
Copy the Assertion Consumer URL and Entity ID. You need to enter these values while setting up the SAML 2.0 app in Okta.
Configure SAML 2.0 for CSAP on Okta
To set up SAML 2.0 for the CSAP application, follow the below steps to generate the SSO URL and Certificate:
Sign in to Okta as an admin.
From the main hamburger menu, click Applications.
Click Create App Integration.
Select SAML 2.0 and click Create.
In the General Settings tab, enter the App name as CSAP SSO and do not select any App visibility options. Click Next.
In SAML Settings, enter the Assertion Consumer URL that you retrieved from CSAP in the Single sign on URL field.
For Audience URI (SP Entity ID), enter the Entity ID.
Select Name ID format as Persistent and Application username as Okta username. The value for the Name ID format must be set to Persistent so that your IdP sends the same unique value for the NameID element in all SAML requests from a particular user. If you set it to anything else, the user will have a different saml:sub value for each session, which is not secure.
In the Advanced section, select Response as Unsigned, Assertion Signature as Signed, and Assertion Encryption as Unencrypted. These options ensure that the SAML authentication message is digitally signed by the IdP, and they restrict login to the SAML app only from browsers that have the signed certificate.
Select Next.
Select I'm a software vendor. I'd like to integrate my app with Okta and click Finish. You have now successfully created an application for the SAML integration. This application will have the details of the IdP URL and Certificate which you’ll need to add to the CSAP application to complete the SSO integration.
On Okta, you can find the Identity Provider SSO details at Applications > Sign On > View Setup Instructions.
Download the identity provider metadata in the form of an .XML file by clicking Identity Provider metadata. You should upload this XML into the CSAP application while configuring SAML 2.0.
Configure SAML 2.0 for Okta on CSAP
Configure SAML 2.0 for Okta on the CSAP application by completing the following steps:
Sign in to the CSAP application as admin.
In the Integration module, select Authentication Methods > Analyst Dashboard > SAML 2.0 > Edit.
Enter the values from Okta in the IDP (Identity Provider) section.
In Metadata XML, under the IdP section, select Upload to upload the metadata.xml from Okta.
In SSO URL, enter the Identity Provider Single Sign-on URL from Okta.
In Certificate, click View Certificate and then click Upload Certificate to upload the certificate that you get from Okta.
Toggle off Encrypt and AuthnRequest.
Click Save.
Toggle on Activate Authentication.
Sign in to CSAP using Okta
To sign in to CSAP after configuration, follow these steps:
Sign in to Okta as an admin using your Okta credentials.
In the dashboard, click CSAP Analyst Portal to sign in.
Note
If you forget your Okta password, click on Need help in signing in? and then on Forgot password?. Enter your email ID to get the procedure to reset your password.