Set up SAML SSO for CFTR using Okta
Single Sign-On (SSO) provides a seamless sign-in by enabling users to access external applications and services without re-entering the credentials. CFTR seamlessly integrates with Okta to use SSO through the Security Assertion Markup Language (SAML) protocol.
SAML is an XML-based protocol used for exchanging authentication and authorization data between applications. Within the CFTR-Okta SAML integration, CFTR acts as the Source Provider (SP) and Okta acts as the Identity Provider (IdP). When users sign in to CFTR using the SAML authentication method, the IdP (Okta) sends a SAML assertion to the browser that is passed to the SP (CFTR). This enables Okta to establish a secure connection with the browser and then authenticate the users to sign in to the CFTR application.
Before you Start:
You must have an Okta developer account.
You must have Create/Update permission for Configurations in CFTR.
Steps
To set up SAML SSO in CFTR using Okta, perform the following steps:
Get Source Provider Details
To configure CFTR as a SAML 2.0 app in Okta, you must provide the source provider details of the CFTR application, such as Assertion Consumer URL and Entity ID. For more information, see Configure CFTR as SAML 2.0 App in Okta.
To retrieve the source provider details, do the following:
Sign in to the CFTR application.
Go to Admin Panel > Configurations > Authentication > SAML 2.0.
Copy and save the following source provider details to use while creating the SAML SSO integration on Okta.
Assertion Consumer URL: It is the API endpoint of the application, where the Okta redirects the user after successful authentication.
Entity ID: It is a globally unique name for the service provider.
Configure CFTR as SAML 2.0 App in Okta
In Okta, configure CFTR as a SAML 2.0 application and generate the single sign-on URL and certificate. The single sign-on URL and certificate are required to configure SAML 2.0 authentication in CFTR.
To configure CFTR as a SAML 2.0 app in Okta, do the following:
Note
This procedure mentions the fields and values that are required to configure CFTR as a SAML 2.0 app. For the fields that are not mentioned, leave them as it is.
Sign in to the Okta developer account.
Go to Applications > Applications.
To create an app integration, click Create App Integration.
Select SAML 2.0 and click Next.
Enter the following details in General Settings and click Next.
App Name: Enter CFTR.
(optional) App Logo: Upload the CFTR logo in PNG, JPG, or GIF format. The logo size must be less than 1 MB.
(optional) App Visibility: Select this option to hide the CFTR icon from users in the Okta dashboard.
Enter the following details in SAML Settings:
Single sign-on URL: Enter the Assertion Consumer URL that you copied from CFTR.
Audience URI (SP Entity ID): Enter the Entity ID copied from CFTR.
Name ID format: Select Persistent to enable Okta to send the same unique value for the NameID element in all SAML requests of a user. If you select another option, then the user will have a different SAML sub-value for each session which is not secure.
Application username: Select Okta username.
Update application username on: Select the Create/Update option.
Click Show Advanced Settings and enter the following details:
Response: Determines whether the SAML authentication response message is digitally signed by Okta. Select Unsigned.
Assertion Signature: Determines whether the SAML assertion is digitally signed by Okta. Select Signed.
Signature Algorithm: Determines the signing algorithm used to digitally sign the SAML assertion and response. Select RSA-SHA256.
Digest Algorithm: Determines the digest algorithm used to digitally sign the SAML assertion and response. Select SHA256.
Note
SAML integrations must use SHA256 encryption for enhanced security. If you are using SHA-1 for encryption, upgrade the SAML apps to SHA256. For more information, see Upgrade SAML Apps to SHA256.
Assertion Encryption: Determines whether the SAML assertion is encrypted. Select UnEncrypted.
Enter the following details in Attribute Statements (optional):
Name: This is the reference name of the attribute needed by CFTR. Enter email.
Name format: This is the format in which Okta sends the Name attribute to CFTR. Select Unspecified to use the format defined by the Okta profile.
Values: This is the value for the attribute defined in the Name attribute. Select user.email to authenticate users using their email IDs.
Click Next.
Select I'm a software vendor. I'd like to integrate my app with Okta and click Finish
You have successfully configured CFTR as a SAML application in Okta.
Get Identity Provider SSO Details from Okta
Retrieve the Okta identity provider SSO details to configure Okta as a SAML 2.0 authentication method in CFTR. To retrieve the details, do the following:
Sign in to the Okta developer account.
Go to Applications > Applications and select CFTR.
Select the Sign On tab and click View SAML setup instructions on the right.
Save the following details:
Identity Provider Single Sign-On URL: The SAML SSO URL of Okta.
X.509 Certificate: The public key certificate of Okta.
(Optional) IDP metadata: The XML metadata of Okta that includes the SSO URL and certificate details. Save the metadata as a
.xml
file.
Configure Okta SSO in CFTR
Provide the Identity Provider SSO details to configure Okta SSO in CFTR and allow users to seamlessly and securely sign in to CFTR from the Okta application.
To configure Okta SSO in CFTR, do the following:
Sign in to CFTR and go to Admin Panel > Authentication.
Select SAML 2.0 and click Edit.
Go to IDP (Identity Provider) and enter the following details of Okta:
Metadata XML: Click Upload to upload the IDP metadata.
SSO URL: Enter the Identity Provider Single Sign-On URL.
IDP Certificate: Click Add Certificate and upload the X.509 certificate.
Disable the following toggles:
Encrypt
AuthnRequest
Click Activate Authentication on the top-right.
Click Save.
Add User in Okta
Add at least one CFTR user in Okta to validate the SAML SSO configuration.
Note
Ensure that the user is already added in CFTR. For more information, see Create User.
To add a user in Okta, do the following:
Sign in to the Okta developer account.
Go to Directory > People.
Click Add Person and enter the following details:
User Type: Select User.
First Name: Enter the first name of the user.
Last Name: Enter the last name of the user.
Username: Enter the same email ID that you used to add the user in CFTR. The user will be authenticated using this email ID.
Primary email: Enter the email ID where email communication from Okta will be sent.
(Optional) Groups: Select a group to add the user.
Activation: Select Activate Now. The user will receive a password reset email.
I will set password: Select this option to set a password for the user. If you select this option, the user will not receive a password reset email.
Click Save.
Assign User in Okta
Assign the user you have added in Add User in Oktato enable the user to sign in to CFTR from Okta. To assign the user, do the following:
Sign in to the Okta developer account.
Go to Applications > Applications and select CFTR.
Select the Assignment tab and click Assign > Assign to People.
Select the user you want to assign and click Assign.
Click Done.
Validate the SAML SSO Integration
Use the user account you have assigned in Assign User in Oktato sign in to CFTR from Okta and validate the SAML SSO integration. To validate the SAML SSO integration, do the following:
Sign in to Okta as a user.
On the Okta dashboard, click CFTR.
You should be able to sign in to the application without entering the sign-in credentials.