
Cyware Orchestrate

Set up SAML SSO integration in Orchestrate using Okta

On Orchestrate, you can enable Single Sign-On (SSO) using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML), such as Okta.

Before you Start:

  • You must have administrative privileges to create an external application in Okta.

  • Your user group in Orchestrate must have View and Update Configuration permission to access the Configuration module in Orchestrate.

Steps

To access the Orchestrate platform using SSO, perform the following steps:

Fetch Assertion URL and Entity ID from Orchestrate

The Assertion Consumer URL is an endpoint on Orchestrate to which the identity provider (Okta) redirects the browser with its authentication response. An entity ID is a globally unique name for the service provider or the identity provider.

Fetch the Assertion Consumer URL and entity ID from the Orchestrate platform and have them handy. You need these values while setting up the SAML 2.0 app in Okta.

Steps

To fetch the assertion consumer URL and entity ID from Orchestrate, do the following:

  1. Sign in to the Orchestrate platform.

  2. Navigate to Admin Panel > Authentication > SAML 2.0.

  3. Copy the following values to use while configuring the SAML app on Okta.

    • Assertion Consumer URL

    • Entity ID


Configure SAML 2.0 App for Orchestrate on Okta

On Okta, you must set up a SAML 2.0 application for the Orchestrate platform and generate a single sign-on URL and certificate.

Steps

To configure the SAML application for Orchestrate, do the following:

  1. Sign in to the Okta developer account as a user with administrative privileges.

  2. Go to Applications > Applications.

  3. Click Create App Integration.

  4. Select SAML 2.0 and click Next.

  5. On General Settings, enter the following values and click Next.

    • App Name - Orchestrate

    • App Logo (optional) - Upload the Orchestrate logo

    • App Visibility - Choose to display the application icon to users

  6. In Configure SAML, enter the Assertion Consumer URL that you copied from Orchestrate in the Single Sign-On URL field.

  7. In the Audience URL field, enter the Entity ID that you copied from Orchestrate. You do not need to configure the Default RelayState (optional) field.

  8. Select Name ID format as Persistent and Application username as Okta username. The Name ID format must be set to Persistent so that your IdP sends the same unique value in the NameID element of every SAML assertion for a particular user. If you set it to anything else, the user will have a different SAML subject value for each session, which is not secure.

  9. Click Show Advanced Settings and select Response as Unsigned, Assertion Signature as Signed, Assertion Encryption as Unencrypted, Signature Algorithm as RSA-SHA256, and Digest Algorithm as SHA256. These options ensure that the SAML authentication message is digitally signed by the IdP, and they restrict login to the SAML app to browsers that present the signed certificate.

    Note

    SAML integrations must use SHA256 for signing. If your app is still using SHA-1, see Upgrade SAML Apps to SHA256.

  10. In the Attribute Statements (Optional) section, enter the following values.

    • Name - Enter email

    • Name format - Choose Unspecified

    • Values - Choose user.email

  11. Select Next.

  12. Select I'm a software vendor. I'd like to integrate my app with Okta and click Finish. You have now successfully created an application for SAML integration. This application will have the details of the IdP URL and certificate, which you will need to add to the Orchestrate application to complete the SSO integration.

  13. On Okta, you can find the Identity Provider SSO details at Applications > Sign On > View Setup Instructions.

  14. Save the identity provider metadata in the form of a .xml file. You should upload this XML file to the Orchestrate application while configuring SAML.

  15. Have the following values from Okta handy to enter into the Orchestrate application while configuring SAML.

    • Identity Provider Single Sign-On URL

    • X.509 certificate

Assign Users in Okta

You must assign one or more users from your organization in Okta. For more information on assigning users in Okta, see Assign Users.

You must also assign users to the configured Orchestrate app in Okta. To assign users in the Orchestrate app, go to Applications > Applications, select the Orchestrate app, and assign users.

Create Users in Orchestrate

The users you added in Okta must be added to Orchestrate. See Create Users to add users in Orchestrate.

Configure Okta SSO in Orchestrate

You must configure a single sign-on for Okta in Orchestrate to allow users to seamlessly and securely sign in to Orchestrate from Okta.

Steps

To configure Okta SSO in Orchestrate, do the following:

  1. Sign in to the Orchestrate application and navigate to Admin Panel > Authentication.

  2. Select SAML 2.0 and click Edit.

  3. Go to the IDP (Identity Provider) section and select metadata.xml to upload the metadata.xml file from Okta. The file must be smaller than 40 MB.

  4. In the SSO URL field, enter the Identity Provider Single Sign-on URL from Okta.

  5. In the IDP Certificate field, add the X.509 certificate from Okta.

  6. Set these options to false (do not enable).

    • Encrypt

    • AuthnRequest

  7. Click Activate Authentication.

  8. Click Save.

Verify Single Sign-on from Okta

You must sign in to Orchestrate from Okta as a user and verify the configuration.

To verify single sign-on from Okta, do the following:

  1. Sign in to Okta.

  2. On the Okta dashboard, click the Orchestrate tile and confirm that the user is signed in to the Orchestrate platform.
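When the sign-in works, it is worth confirming that the response Okta actually sends matches what was configured above: an unsigned Response carrying a signed, unencrypted Assertion (RSA-SHA256 signature, SHA256 digest), a persistent NameID, the email attribute with the Unspecified name format, and an Audience equal to the Orchestrate Entity ID. The script below is an added example, not Cyware's or Okta's code. It audits a decoded SAML response (the base64 SAMLResponse form field, captured from your own browser's developer tools) against those settings. The embedded response, entity ID and ACS URL are constructed placeholders. It is a configuration audit only: it does not verify the XML signature cryptographically, which Orchestrate still has to do with the IdP certificate.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ATTR_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Assumed Orchestrate values (placeholders, not real endpoints).
ENTITY_ID = "https://orchestrate.example.com/saml/metadata"
ACS_URL = "https://orchestrate.example.com/saml/acs"

# Constructed sample response; IDs, hostnames, digest and signature values are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="id-resp-EXAMPLE" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>http://www.okta.com/exk_EXAMPLE_ID</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id-assert-EXAMPLE" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exk_EXAMPLE_ID</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
        <ds:Reference URI="#id-assert-EXAMPLE">
          <ds:DigestMethod Algorithm="{DIGEST_SHA256}"/>
          <ds:DigestValue>EXAMPLE_DIGEST=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>EXAMPLE_SIGNATURE=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">00u_EXAMPLE_USER</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="{ATTR_UNSPECIFIED}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def audit_saml_response(xml_text, expected_audience, expected_acs):
    """Return a list of mismatches against the settings chosen in this guide.

    Configuration audit only: the XML signature is not verified here.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if root.get("Destination") != expected_acs:
        problems.append("Destination does not match the Assertion Consumer URL")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted, but Encrypt is set to false in Orchestrate")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion in the response")
        return problems

    # Assertion Signature = Signed, Signature Algorithm = RSA-SHA256, Digest = SHA256
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed; Assertion Signature must be Signed")
    else:
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        sig_alg = sm.get("Algorithm") if sm is not None else None
        if sig_alg != RSA_SHA256:
            problems.append("signature algorithm is %r, expected RSA-SHA256" % sig_alg)
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        dm = ref.find("ds:DigestMethod", NS) if ref is not None else None
        digest_alg = dm.get("Algorithm") if dm is not None else None
        if digest_alg != DIGEST_SHA256:
            problems.append("digest algorithm is %r, expected SHA256" % digest_alg)
        # The signed Reference must cover this assertion, not some other element.
        if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
            problems.append("signature Reference URI does not point at the assertion ID")

    # Name ID format = Persistent
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")

    # Audience must be the Orchestrate Entity ID entered as Audience URL in Okta
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != expected_audience:
        problems.append("Audience does not match the Orchestrate Entity ID")

    # Attribute statement: Name = email, Name format = Unspecified, value = user.email
    emails = [a for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == "email"]
    if not emails:
        problems.append("no 'email' attribute in the AttributeStatement")
    else:
        # Per the SAML spec an absent NameFormat means unspecified.
        if emails[0].get("NameFormat", ATTR_UNSPECIFIED) != ATTR_UNSPECIFIED:
            problems.append("email attribute NameFormat is not unspecified")
        value = emails[0].find("saml:AttributeValue", NS)
        if value is None or "@" not in (value.text or ""):
            problems.append("email attribute has no usable value")
    return problems


if __name__ == "__main__":
    print("Problems:", audit_saml_response(SAMPLE_RESPONSE, ENTITY_ID, ACS_URL) or "none")
```

To audit a real sign-in, base64-decode the SAMLResponse form field captured from your own session, pass the XML string to audit_saml_response with the Entity ID and Assertion Consumer URL you copied from Admin Panel > Authentication > SAML 2.0, and treat any reported mismatch (a SHA-1 signature, a non-persistent NameID, an Audience for a different app) as a sign that one of the Okta settings above was not applied.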