Integrating Okta

This documentation is a detailed guide for setting up single sign-on (SSO) through Okta, leveraging SAML 2.0 or OIDC.

The following procedures require copying and pasting information between Okta and the Delinea Platform. We recommend opening both applications before you begin, and keeping both open until you are finished.

You do not need to configure both OIDC and SAML applications for your integration. Depending on your organization's infrastructure and preferences, you can choose either OIDC or SAML.

Prerequisites

On the Delinea Platform, you need to be an Admin with federation privileges.

Build an Okta SAML Application

  1. From the Okta left navigation menu, click Applications.

  2. On the Applications page, click Create App Integration.

  3. On the Create a new app integration page, select SAML 2.0.

  4. Click Next.

  5. On the Create SAML Integration page under General Settings, enter a name into the App name field, such as Okta SAML.

  6. Click Next.

  7. In the SAML Settings section next to Single sign-on URL, paste the following:
    https://[HOST-NAME].delinea.app/identity-federation/saml/assertion-consumer

  8. Replace [HOST-NAME] with the host name you selected when you created your tenant.

  9. Next to Audience URI (SP Entity ID), enter something intuitive, such as Delinea_Federation.

  10. Scroll down to the Attribute Statements section.

  11. Add three more blank attribute statements for a total of four.

  12. Enter the following into the Name and Value fields of the four attribute statements:

    Name            Value
    EmailAddress    user.email
    Name            user.displayName
    nameidentifier  user.id
    upn             user.login

  13. Click Next.

  14. On the Create SAML Integration page, select I'm an Okta customer adding an internal app with Okta.

  15. Click Finish.

  16. On your Okta new SAML application page, click the Assignments tab.

  17. Click the Assign drop-down and select Assign to People or Assign to Groups.

  18. In the next dialog box, click Assign next to the user(s) or group(s) you wish to assign to the federation.

  19. Click Save and Go Back.

  20. Click Done.

  21. On your Okta new SAML application page, click the Sign-on tab.

  22. Scroll down to SAML Signing Certificates.

  23. Click the Actions drop-down next to the Active certificate and select Download certificate.

  24. Click the Actions drop-down next to the Active certificate and select View IdP metadata.

  25. On the IdP metadata screen, right-click and choose Save page as... and select a name to save it as an xml file.

    IdP Metadata is an XML-formatted document that contains configuration information necessary for Delinea Federation to authenticate against the identity provider and includes the required endpoint URLs, bindings, and certificates.

  26. Navigate to View SAML setup instructions on the Sign On tab and download the X.509 certificate (okta.cert).

  27. Change the file extension to .pem. This is the IDP certificate you will select in the platform interface.

Add the Provider to the Platform

  1. Click Settings from the left navigation, then click Federation Providers.

  2. Click Add Provider.

  3. Select SAML from the drop-down menu. The Add Provider page opens.

Settings

In the Settings section, the first fields are automatically populated when you select the SAML provider configuration file and click Apply.

  1. SAML provider configuration: Click Select file.

  2. Navigate to and select the federation metadata XML file you downloaded.
    The word Apply appears above the right end of the SAML provider configuration field.

  3. Click Apply. The words Uploaded successfully will appear next to SAML provider configuration, and the empty fields below will be auto-populated:

    • Name: Auto-generated from metadata

    • Protocol: SAML (auto-filled)

    • Status: Disabled

    • Entity ID [example: https://sts.windows.net/808444af-4011-40d5-9b0a-a9a5c95f88e9/]

    • IDP Certificate: Click Select File, then navigate to and select the Signing Certificate file you downloaded, to populate the following fields:

      • Signature

      • Algorithm

      • Thumbprint

      • Not valid before

      • Not valid after

      • Issuer

  4. IDP Login URL: Paste in the Login URL from your Okta application by selecting the Sign on tab and copying the Sign On URL.

  5. IDP Logout URL: Paste in the Logout URL from your Okta application.

  6. Platform Callback URL: https://[HOST-NAME].delinea.app/identity-federation/saml/assertion-consumer
    Copy the Platform Callback URL to paste into the Sign-in redirect URIs field in your new Okta application.

  7. Prompt: See Prompt for Re-authentication (OIDC only) under Federation Management.

  8. Platform Logout URL: https://[HOST-NAME].delinea.app/identity-federation/saml/logout-consumer

  9. Status: Select the box next to Enabled.

Advanced Settings

See Advanced Settings (SAML only) under Federation Management.

Attribute Mappings

See Attribute Mappings under Federation Management.

Group Mappings

  1. Click the General tab.

  2. Edit the SAML integration and click Next to configure the SAML settings.

  3. Scroll down to Group Attribute Statements.

  4. Set the following:

    1. Name: groups
    2. Name format: Unspecified
    3. Filter: Matches regex: .*

    This procedure affects all groups assigned to this application. If you want to apply it to a specific group or groups, change the filter as appropriate. More information is available from the Okta website.

  5. Click Next and Save.

Also see Mapping Federated Groups under Federation Management.

User Mappings

See Mapping Federated Users under Federation Management.

Domains

  1. Click Add Domain and enter the domain from the email addresses of the users you are including in this federation.

When all required fields are populated, click Add Provider.

Build an Okta OIDC Application

The following procedure requires copying and pasting information between Okta and the Delinea Platform. We recommend opening both applications before you begin, and keeping both open until you are finished.

  1. From Okta, click Applications from the left navigation menu.

  2. Click Create App Integration.

  3. In the Create new app integration dialog, next to Sign-in method, select OIDC - OpenID Connect.

  4. Next to Application Type, select Web Application.

  5. Click Next.

  6. In the next dialog, next to App integration name, enter a name, such as Okta OIDC.

  7. In the Assignments section, select one of the three choices.

  8. Click Save.

Add the Provider to the Platform

  1. Click Settings from the left navigation, then click Federation Providers.

  2. Click Add Provider.

  3. Select OIDC from the drop-down menu. The Add Provider page opens.

Settings

  1. Name: Enter a unique name.
  2. Status: Select the box next to Enabled.
  3. Endpoint URL: Paste in the Okta domain name copied from your Okta application page. You might need to add https:// to the beginning.
  4. Client ID: Paste in the Client ID copied from your Okta new OIDC application page.
  5. Client Secret: Paste in the Client Secret copied from your Okta new OIDC application page.
  6. Platform Callback URL: Copy the Callback URL. In your Okta new OIDC application, click Add URI and paste the copied callback URL into the Sign-in redirect URIs field.

Attribute Mappings

In the upn field, change the text to preferred_username.

Also see Attribute Mappings under Federation Management.

Group Mappings

From Your Okta Application

  1. Log into the Okta Management site.

  2. In the Admin Console, go to Applications > Applications.

  3. Enter the name of the app integration in the Search field.

  4. Click the Assignments tab.

  5. Click Assign and select Assign to Groups.

  6. Locate the group you want to assign the app integration to and click Assign.

  7. Confirm the data is correct in the Assign <application name> to Groups dialog.

  8. Click Save and go back. The Assigned button for the group is disabled to indicate the app integration is assigned to the group.

  9. (Optional) Repeat to assign the app integration to additional groups.

  10. Click Done.

From the Platform

  1. Click Add Group Mapping.
    • Attribute: Enter groups (most other IdPs also use groups).
    • Source Name: Add the name of the appropriate group from Okta.
    • Group: Select a group from the pull-down menu (you can use the group attribute to map more than one group).

Also see Mapping Federated Groups under Federation Management.

User Mappings

See Mapping Federated Users under Federation Management.

Domains

  1. Click Add Domain and enter the domain from the email addresses of the users you are including in this federation.

  2. Optionally enable the Status of the provider.

  3. When all required fields are populated, click Add Provider.