Set Up SAML SSO Integration using Okta
On Cyware Products, you can enable single sign-on (SSO) using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML), such as Okta.
To authenticate users using SAML SSO, follow these steps.
Create Custom Attributes in Okta
You can create custom attributes to use in the SAML assertion.
Steps
To create custom attributes, follow these steps:
Sign in to Okta as an Administrator.
Click the Okta User Profile to view the list of all the Base and Custom attributes.
Click Add Attribute to add a new custom attribute. The Firstname, Lastname, and Email attributes are available as base attributes. Use the following details to add custom attributes.
Data Type: Select data type as string.
Display Name: Provide a display name for the custom attribute. For example, User Group Mapping.
Variable Name: Provide a variable name for the custom attribute. For example, if you are creating a custom attribute to create a mapping between SAML groups, the variable name can be memberOf.
Click Save.
Fetch Assertion URL and Entity ID from Cyware Product
Fetch the Assertion Consumer URL and entity ID from the Cyware product and have them handy.
Steps
Log in to the Cyware application.
Navigate to Administration > Configuration > Authentication > SAML 2.0. If you are a Collaborate (CSAP) user, navigate to Management > Integrations > Authentication Methods > SAML 2.0.
Copy these values. You need these values while setting up the SAML 2.0 app in Okta.
Assertion Consumer URL
Entity ID
Configure SAML 2.0 App for Cyware Product on Okta
On Okta, you have to set up a SAML 2.0 application for the Cyware products and generate a Single sign-on URL and certificate.
Steps
Sign in to Okta as an Administrator.
From the main hamburger menu, click Applications.
Click Create App Integration.
Select SAML 2.0 and click Next.
On General Settings, use these values and click Next.
App Name - Cyware SSO app
App Logo - Use Product logo
App Visibility - Do not check these options
Under Configure SAML, enter the Assertion Consumer URL you copied from the Cyware product into the Sign On URL field.
For Audience URL - Use the Entity ID displayed on the SAML 2.0 page that you copied.
Select Name ID format as Persistent and Application username as Okta username. The Name ID format must be set to Persistent so that your IdP sends the same unique value in the NameID element of every SAML response for a particular user. If you set it to anything else, the user's NameID (the saml:sub value) will differ for each session, which is not secure.
In the Advanced section, select Response as Unsigned, Assertion Signature as Signed, and Assertion Encryption as Unencrypted. These options ensure that the SAML authentication message is digitally signed by the IdP, and they restrict login to the SAML app to browsers that have the signed certificate.
In the Attribute Statements (Optional) section, enter the Name, Name Format, and Value for each of the following attributes:
Email Address
Name - email
Name Format - Unspecified
Value - user.email
First Name
Name - first_name
Name Format - Unspecified
Value - user.firstName
Last Name
Name - last_name
Name Format - Unspecified
Value - user.lastName
User Group Mapping
Name - memberOf
Name Format - Unspecified
Value - user.memberOf
Select Next.
Select I'm a software vendor. I'd like to integrate my app with Okta and click Finish. You have now created an application for the SAML integration. This application holds the IdP URL and certificate that you will need to add to the Cyware product to complete the SSO integration.
On Okta, you can find the Identity Provider SSO details at Applications > Sign On > View Setup Instructions.
Download the identity provider metadata in the form of an .XML file. You should upload this XML into the Cyware product while configuring SAML.
Have the following values from Okta handy to enter into the Cyware product while configuring SAML.
Identity Provider Single Sign On URL
X.509 certificate
Configure SAML for Okta on Cyware Product
Configure SAML for Okta on the Cyware product by completing the following steps.
Steps
Sign in to the Cyware product.
Navigate to Administration > Configuration > Authentication > SAML 2.0. If you are a Collaborate (CSAP) user, navigate to Management > Integrations > Authentication Methods > SAML 2.0.
Select SAML 2.0 and click Edit.
Enter the values from Okta in the IDP (Identity Provider) section.
Select metadata.xml to upload the metadata.xml from Okta.
Click Certificate to enter the SSO URL. It is the Identity Provider Single Sign-on URL that you get from Okta.
In IDP Certificate, add the Okta X.509 certificate.
Set these options to false (do not enable).
Encrypt
AuthnRequest
Click Save.
Click Activate SAML.
Assign Values to your Custom Attributes
After configuring the Okta app, you can map custom attribute values to users.
Steps
To map Okta users with custom attribute values, follow these steps.
Sign in to Okta as an Administrator.
From the main hamburger menu, click Directory and select People.
Select the required user and click Profile.
Click Edit to provide values for the available attributes. You can add multiple values as a comma-separated list with no space after the comma. The values you provide for the custom attributes can be used to associate users with Cyware application user groups.
For example, if you assign usergroup1 to the memberOf attribute, you can use the same value in the SAML Group Mapping field while creating user groups in the Cyware application.
Click Save.
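As an added example (not Cyware's or Okta's code), the Python below parses a constructed SAML response and checks it against the settings this guide prescribes: a persistent NameID, a signed and unencrypted assertion, the four attribute statements named above (email, first_name, last_name, memberOf), and the comma-separated, no-space memberOf value that the group mapping relies on. The sample values and the stub ds:Signature element are constructed for illustration; a real relying party must still verify the signature cryptographically.

```python
# Added example (not Cyware's or Okta's code): parse a constructed SAML 2.0
# response and check it against the settings this guide prescribes.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = ("email", "first_name", "last_name", "memberOf")

# Constructed sample (made-up values; the empty ds:Signature stands in for
# the real XML signature Okta attaches when Assertion Signature is Signed).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject><saml:NameID
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">00u1abc</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>usergroup1,usergroup2</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text):
    """Return (problems, attrs). problems lists deviations from the guide's
    settings; attrs maps Name -> value, with memberOf split on commas."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted; guide sets Unencrypted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plain saml:Assertion element"], {}
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed; guide sets Signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        # The guide says memberOf holds comma-separated groups with no spaces.
        attrs[attr.get("Name")] = value.split(",") if attr.get("Name") == "memberOf" else value
    problems += ["missing attribute statement: " + n for n in REQUIRED_ATTRS if n not in attrs]
    return problems, attrs
```

Each group returned in attrs["memberOf"] (for example usergroup1) is the value to enter in the SAML Group Mapping field of the matching Cyware user group.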