Using Okta for SSO with PPA
Configuring Okta
Create a new App Integration with sign on method SAML 2.0.
Configure the App Integration using the default settings unless indicated below:
- Single sign on URL - https://<ppa-address>/backend/v1/sso/saml
- Audience URI (SP Entity ID) - a sensible ID for your PPA instance, e.g. ppa-dev
Tip
The application username and attribute statements are how PPA matches an SSO login to an Active Directory user, so the values Okta sends must match those held in the on-premises Active Directory instance that PPA uses.
Application username format
Choose the Custom type and use a custom expression such as "myDomain\\" + user.sAMAccountName (the backslash is escaped as \\ inside the string literal).
Depending on how your Active Directory fields are mapped in your Okta instance, you might need a different custom expression.
The expression must resolve to <short_domain_name>\<user_sAMAccountName>, e.g. myDomain\jsmith. A value without the backslash, or one built from the full DNS domain name or the UPN, will not match the PPA user.
Attribute Statements
The following attribute statements are required:
- object_sid - the Active Directory objectSid
- name and email
Group Attribute Statements
- groups - the sAMAccountName of the user's Active Directory groups
The groups filter value decides which groups are included in the assertion. You can use Matches regex: .* to include all groups, or a more specific expression to narrow the scope. Sending every group inflates the assertion and discloses all of the user's memberships to PPA, so a filter that matches only the groups PPA actually uses is preferable once you know which ones those are.
[Optional] Assertion Encryption
- Select Show Advanced Settings and change Assertion Encryption to Encrypted.
- Upload a certificate file to Encryption Certificate.
Only the certificate (the public half of the pair) goes to Okta. Keep the matching private key: it is entered in PPA as the Encryption Key under Configuring SSO in PPA, and it must never be uploaded to Okta or anywhere else.
Identity Provider Metadata
You will need to download the IdP metadata file to your desktop so that you can upload it to PPA.
- Click View SAML Setup Instructions.
- Copy the XML in the Optional section and save it to a file on your desktop.
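The metadata file is what PPA uses to find Okta's sign-on URL and the certificate it verifies assertion signatures with, so it is worth checking before uploading; a common mistake is to copy SP metadata or a partial block. The following is an added example (standard-library Python, not Osirium's or Okta's own code) that reads the saved XML and reports the entityID, the HTTP-POST sign-on URL and the SHA-256 fingerprint of the signing certificate, listing problems instead of raising so the failure modes are visible. The embedded metadata, including the entityID, URLs and certificate bytes, is a constructed stand-in for the real file.

```python
"""Sanity-check an Okta IdP metadata file before uploading it to PPA.

Added example, not Osirium or Okta code. Standard library only. The XML below
is constructed: the entityID, the Location URLs and the certificate bytes are
all fake placeholders, not values from any real Okta tenant.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder; a real file carries a base64 DER certificate of ~1 KB.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 DER").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# The wrong file: service-provider metadata (constructed) instead of Okta's IdP metadata.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="ppa-dev">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract the fields PPA relies on; 'problems' is empty when the file looks usable."""
    info = {"entity_id": None, "sso_url": None, "signing_cert_sha256": None, "problems": []}
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        info["problems"].append("root is not md:EntityDescriptor; copy the whole XML block")
        return info
    info["entity_id"] = root.get("entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        info["problems"].append("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
        return info

    # PPA sends the browser here; insist on the POST binding and on HTTPS.
    post = [s for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == HTTP_POST]
    if post:
        info["sso_url"] = post[0].get("Location", "")
        if not info["sso_url"].startswith("https://"):
            info["problems"].append(f"SSO URL is not HTTPS: {info['sso_url']}")
    else:
        info["problems"].append("no HTTP-POST SingleSignOnService")

    # The signing certificate is what the SP uses to verify assertion signatures.
    certs = [
        c.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text
    ]
    if certs:
        der = base64.b64decode(certs[0])
        info["signing_cert_sha256"] = ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())
    else:
        info["problems"].append("no signing certificate: assertion signatures cannot be verified")
    return info


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for key, value in inspect_idp_metadata(text).items():
        print(f"{key}: {value}")
```

Run it with the path of the saved XML as its only argument; with no argument it inspects the constructed sample. Compare the reported fingerprint with the certificate Okta shows for the app so that you know the file was not altered between Okta and PPA.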
Configuring SSO in PPA
Navigate to the PPA Configuration page, and click 'Configure' on the SAML card. Fill out the following:
- Service Provider Entity ID - use the Audience URI (SP Entity ID) value that you set in Okta
- Identity Provider Metadata File - upload the XML file that you generated from Okta previously
[Optional]
- Signing Key and Signing Certificate - you can provide your own; if none is provided, PPA auto-generates them for you.
- Encryption Key and Encryption Certificate - required if you enabled Assertion Encryption in Okta. The certificate must be the one you uploaded to Okta and the key its matching private key; with any other pair PPA cannot decrypt the assertions.
Enabling SAML
Tick Enabled, and you are ready to start testing.
Testing single sign-on
- Navigate to the Users page and set your AD domain user to use SAML authentication.
- Log out, then attempt to log in with your AD domain user; you should be redirected automatically to authenticate with your IdP.
- After authenticating with your IdP, you should be redirected back to PPA and logged in.
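The attribute statements configured in Okta and the login test above meet in the assertion Okta posts back to PPA, so when the redirect works but the login does not match a user, the assertion is the thing to inspect. The following is an added example (standard-library Python, not Osirium's or Okta's own code) that takes the base64 SAMLResponse form field captured from the browser's POST to /backend/v1/sso/saml and checks that the NameID is in DOMAIN\sAMAccountName form and that the object_sid, name, email and groups attribute statements are present and plausible. Both embedded responses are constructed test data (fake SID, names and addresses) and are unsigned; the script checks attribute content only, not signatures, and it can only read assertions that were not encrypted.

```python
"""Check a captured SAMLResponse against what PPA expects from Okta.

Added example, not Osirium or Okta code. Standard library only. The two
responses built below are constructed, unsigned test data: the domain, user,
SID, display name, e-mail address and group names are all made up.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("object_sid", "name", "email", "groups")
NAMEID_RE = re.compile(r"^[^\\/@]+\\[^\\/@]+$")   # DOMAIN\sAMAccountName, no UPN, no slashes
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")     # a domain account SID, not a well-known one


def _response(name_id: str, attrs: dict) -> str:
    """Build a minimal unsigned Response (constructed test data) and base64-encode it."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attrs.items()
    )
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# What a correctly configured app integration should produce.
GOOD = _response("EXAMPLE\\jdoe", {
    "object_sid": ["S-1-5-21-1111111111-2222222222-3333333333-1104"],
    "name": ["Jane Doe"],
    "email": ["jdoe@example.com"],
    "groups": ["PPA-Users", "Domain Users"],
})
# What you get when the username expression drops the backslash, no object_sid
# attribute statement was added, and the group filter matched nothing.
BAD = _response("EXAMPLEjdoe", {
    "name": ["Jane Doe"],
    "email": ["jdoe@example.com"],
    "groups": [],
})


def check_assertion(saml_response_b64: str) -> dict:
    """Return the NameID and attributes found, plus a list of problems (empty when OK)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return {"name_id": None, "attributes": {},
                "problems": ["no plain Assertion: encrypted assertions must be decrypted with the PPA key first"]}

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not NAMEID_RE.match(name_id):
        problems.append(f"NameID {name_id!r} is not in DOMAIN\\sAMAccountName form")

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in REQUIRED:
        if name not in attrs:
            problems.append(f"missing attribute statement {name!r}")

    sid = (attrs.get("object_sid") or [""])[0]
    if "object_sid" in attrs and not SID_RE.match(sid):
        problems.append(f"object_sid {sid!r} is not a domain account SID")
    if not attrs.get("groups"):
        problems.append("groups is empty: check the group filter regex in Okta")
    return {"name_id": name_id, "attributes": attrs, "problems": problems}


if __name__ == "__main__":
    import sys
    captured = sys.argv[1] if len(sys.argv) > 1 else BAD
    result = check_assertion(captured)
    print("NameID:", result["name_id"])
    print("attributes:", sorted(result["attributes"]))
    print("problems:", result["problems"] or "none")
```

Paste the URL-decoded SAMLResponse value as the single argument; with no argument the script analyses the constructed BAD response and reports the three mismatches. An assertion that passes here but still fails to log in points at the PPA side: the user not being set to SAML authentication, or a NameID that is well-formed but names a different domain or account than the PPA user.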
If you need any further help, please contact support@osirium.com.