This article describes the procedure for configuring single sign-on via OKTA using SAML integration with Resolution Intelligence Cloud.
Important: Refer to this article for details on how to reset MFA for a specific user if the user lost an MFA-enabled device.
Configuration
Configure Okta SAML integration
- Sign in to the Okta Admin Console
- Use the Create App Integration wizard to add an application for use with Resolution Intelligence Cloud
- Select SAML 2.0
- Click Next
- Type a name for the app
- Click Next
- In Sign on URL field, type https://auth.netenrich.com/login/callback
- In Audience URI (SP Entity ID) field, type urn:auth0:prod-netenrich:customernamesaml
NOTE: For “customername”, type your company name; this can be any name that uniquely identifies the connection. This name is used later to configure the SAML connection in Resolution Intelligence Cloud.
- In Name ID format select EmailAddress
- In Application username select Email
- Leave the other fields at their defaults.
- Click Next
- Select the options as shown in the above image and click Finish
- Click on the App that you have just created in Okta.
- Click Sign On
- Expand More details
Note: These details will be used later when configuring Resolution Intelligence Cloud SAML Integration
- Sign on URL
- Sign out URL
- Issuer
- Download Signing Certificate
Assign User to Okta SAML App
Click Assignments, then click Assign and add the people or groups that you want to allow to log in using the newly created app.
Configuring SAML connection in Resolution Intelligence Cloud
To configure SAML connection,
- From Resolution Intelligence Cloud home screen, click Configurations --> Authentication in the left menu
- Click Setup Provider under the SAML tile
A New SAML Connection form appears.
- Enter the following fields and click Create at the bottom of the screen
| Field | Description |
| --- | --- |
| Connection name | Logical identifier for your connection; it must be unique and cannot be changed once set. Enter the name in the format customernamesaml, where “customername” is your company name. This name must be the same as the one configured in the “Audience URI (SP Entity ID)” field of the Okta SAML app. |
| Sign in URL | The Sign on URL that you noted from the Okta SAML app created earlier. |
| X509 Signing Certificate | Select the signing certificate that you downloaded from the Okta SAML app created earlier. Before uploading, rename okta.cert to okta.cer. |
| Sign out URL | The Sign out URL that you noted from the Okta SAML app created earlier. |
| User ID Attribute | Enter the following URI as the User ID Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
| Sign Request Algorithm | Optional |
| Sign Request Digest Algorithm | Optional |
| Protocol Binding | Optional |
| Identity Provider Domains | A list of trusted domains to be identified as identity providers; these are the domains of the user accounts. Example: if the user login is user@contoso.com, enter contoso.com. If there are multiple domains, enter all of them as a comma-separated list. |
| Multifactor Authentication | Multi-Factor Authentication (MFA) can be enabled or disabled at any point during or after setting up the Single Sign-On (SSO) connection. MFA is exclusive to the SSO connection and applies only to users logging in via a domain listed under “Identity Provider Domains”. By default, MFA is disabled. To activate it, select the checkbox labelled “Enable MFA while user login.” |
- The SAML connection is now established successfully.
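The Okta-side values and the Resolution Intelligence Cloud form above must agree with each other (Audience URI vs. connection name, https URLs, renamed .cer file, the nameidentifier attribute, well-formed domains). The following added pre-flight checker, which is not part of the original article or the product, encodes those rules; the sample certificate is a constructed DER stub, not a real certificate, and all field names in the dictionaries are assumptions for illustration.

```python
import base64
import re

# Fixed values given in the article for the Resolution Intelligence Cloud (RIC) side.
SP_CALLBACK_URL = "https://auth.netenrich.com/login/callback"
AUDIENCE_PREFIX = "urn:auth0:prod-netenrich:"
USER_ID_ATTRIBUTE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
# Constructed stand-in for the downloaded Okta signing certificate: a minimal DER SEQUENCE, NOT a real cert.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

def okta_app_settings(customername: str) -> dict:
    """Values to enter in the Okta 'Create App Integration' wizard for one customer name."""
    return {
        "sign_on_url": SP_CALLBACK_URL,
        "audience_uri": f"{AUDIENCE_PREFIX}{customername}saml",
        "name_id_format": "EmailAddress",
        "application_username": "Email",
    }

def pem_is_x509(pem: str) -> bool:
    """Structural check only: PEM armour present and the body decodes to a DER SEQUENCE."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return False
    return der[:1] == b"\x30"  # every X.509 certificate is an ASN.1 SEQUENCE (tag 0x30)

def check_connection(okta: dict, ric: dict) -> list:
    """Return the mismatches between the Okta app values and the RIC 'New SAML Connection' form."""
    problems = []
    if okta["audience_uri"] != AUDIENCE_PREFIX + ric["connection_name"]:
        problems.append("connection_name must equal the last segment of the Okta Audience URI")
    for key in ("sign_in_url", "sign_out_url"):
        if not ric[key].startswith("https://"):
            problems.append(f"{key} must be an https URL noted from the Okta app")
    if not ric["cert_filename"].endswith(".cer"):
        problems.append("rename okta.cert to okta.cer before uploading")
    if not pem_is_x509(ric["cert_pem"]):
        problems.append("signing certificate is not a PEM-encoded X.509 certificate")
    if ric["user_id_attribute"] != USER_ID_ATTRIBUTE:
        problems.append("user_id_attribute must be the nameidentifier claim URI")
    for domain in (d.strip().lower() for d in ric["identity_provider_domains"].split(",")):
        if not DOMAIN_RE.match(domain):
            problems.append(f"invalid identity provider domain: {domain!r}")
    return problems
```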
Invite User with SSO Integration
- For users to be able to log in using SSO, they must be re-invited using the SSO connection.
- Logged in as an existing owner or global admin user with local authentication, add a new user with the owner role, enabling the newly created SSO integration in Resolution Intelligence Cloud for that user.
- A newly invited user is redirected to Okta for authentication.
- Existing users with local authentication must be deleted and re-invited using the SSO connection.