Configure Okta

A popular SAML provider, also known as an Identity Provider or IdP, is Okta. Before creating the SAML authentication within Administration (the Service Provider, or SP, in SAML terminology), it is recommended to define the application in Okta for single sign-on functionality.

To configure Okta to communicate with SIP, complete the following steps.

  1. After logging into Okta, navigate to the Dashboard.
  2. Under Shortcuts, click the Add Applications link.
  3. On the Add Application page, click the Create New App button.
  4. On the Create SAML Integration page, in the General Settings section:
    1. In the App name field, enter a unique name for the application.
    2. Click Next.
  5. In the Configure SAML section, these are the recommended settings:

    General
  • Single sign on URL: also known as the Assertion Consumer Service (ACS) URL, this is the location to which the user's browser is redirected after authenticating with Okta. The format should be https://<hostname or IP>/securitymanager/api/saml/SSO. Enter the host name or IP address at which you are able to access SIP.
  • Audience URI (SP Entity ID): the value for this field should correspond to the value entered in the Service Provider Entity ID field within the SIP SAML authentication server configuration page (SAML Metadata Generator). It is recommended that the value of this field be in the format https://<hostname or IP>/sp. Note that within SIP, each SAML authentication server must have a unique value for this field if multiple SAML authentication servers are defined, so subsequent servers may use values such as https://<hostname or IP>/sp_2.
  • Default RelayState: leave this field empty.
  • Name ID Format: set to Unspecified.
  • Application username: the value entered for this field determines what the user name will be within SIP. It is recommended to set this to Okta username.
  • Response: set to Signed. This value may be set to Unsigned, but Signed is the more secure option.
  • Assertion Signature: set to Signed. This is not strictly necessary when Response is set to Signed, but setting it to Signed as well is harmless.
  • Signature Algorithm: RSA-SHA256.
  • Digest Algorithm: SHA256.
  • Assertion Encryption: set to Unencrypted.
  • Enable Single Logout: do not select this check box.
  • Authentication context class: set to PasswordProtectedTransport.
  • Honor Force Authentication: set to Yes.
  • SAML Issuer ID: leave this field empty.

    The Attribute Statements (optional) and Group Attribute Statements (optional) sections determine how user fields are sent to SIP. The values entered for the Name fields should match the values entered in the User Schema section of the SAML Settings in Administration.

  6. Click Save, and then click Next. You will now import the metadata from Okta into SIP. The metadata document is on the Sign On page of the application you just configured.
  7. On the Sign On page, click View Setup Instructions.
  8. Copy the XML data from the Provide the following IDP metadata to your SP provider section. This will be used in step 6 of Create SAML Authentication.
  9. Proceed to the Administration module to complete the setup process.