
Okta Setup

In this guide you’ll learn how to set up SAML-based SSO authentication with Okta as your Identity Provider (IdP) and Vawlt as the Service Provider (SP).

The guide is split into three parts:

  1. Integrate Vawlt application into Okta
  2. Configure Okta IdP on Vawlt Platform
  3. Login into Vawlt using SSO

1 – Integrate Vawlt application into Okta

1 – In the side menu, open the Applications sub-menu, click on the Applications option, and press the Create App Integration button.

2 – The Create a new app integration modal will show up. Select the SAML 2.0 option and press the Next button.

3 – Give a name to the application. In our case, we used Vawlt Application.

4 – In the SAML Settings menu, enter the values that Vawlt provides on its SSO configuration page.

In the Single sign on URL input, insert Vawlt’s Single Sign On URL.

In the Audience URI (SP Entity ID) input, insert Vawlt’s Entity ID.

Leave the Default RelayState input empty.

In the Name ID format field, select the EmailAddress option. This is the format Vawlt expects; with any other format, SSO will not succeed.

In the Application username field, select Email, so that the user’s email is sent as the Name ID value. Vawlt expects a valid email address in the Subject of the SAML assertion.

Then, click on the Show Advanced Settings link to configure advanced settings.

5 – The advanced options let you tune several settings. We recommend keeping the defaults for the cryptographic options, so that Okta signs both the SAML response and the assertion and uses SHA-256 based signature and digest algorithms.

You can also configure the Single Logout (SLO) feature in this menu. Okta does not support IdP-initiated Single Logout, but it can receive SP-initiated logout requests and then issue logout requests to every integrated application that has SLO configured, invalidating the user’s sessions across all of those applications as well as Okta’s own session.

To enable Single Logout, check the Allow application to initiate Single Logout checkbox. Then insert Vawlt’s Single Logout URL in the Single Logout URL input, insert Vawlt’s Entity ID in the SP issuer input, and upload Vawlt’s latest certificate in the Signature Certificate input; Okta uses this certificate to verify the signature on the logout requests Vawlt sends. You can read more about how we manage our certificates here.

6 – Further down, the Attribute Statements section is where you configure the claims that are sent to Vawlt, so that Okta users and groups can be mapped to Vawlt users with the intended permissions. You can read more about the claims Vawlt requires here.

In the left column insert the claim names that Vawlt expects, and in the right column insert the values you want to send.

Notice that for the role_id claim we typed appuser.role_id in the value column. This sets up an indirect mapping, which we configure in a later step. For the first and last name we configured a direct mapping to the user’s first and last name, respectively. You could instead use the values appuser.first_name and appuser.last_name to create an indirect mapping for those attributes, which lets you apply transformations to the user’s first and last name before the claims are sent, as explained in a later step.

Once your settings look identical to the ones in the figure below, press the Next button to continue.

7 – In the last screen select the appropriate options for your case and press the Finish button.

8 – In the Applications page you should now see the integration you just created. To continue the configuration process, open the Directory tab in the side menu, and click on the Profile Editor option.

9 – In the Profile Editor section, click on the Vawlt Application User link.

10 – In this step, we’ll configure the profile of a Vawlt User and specify how an Okta User is mapped into a Vawlt User. Click on the Add Attribute button to add attributes to the profile.

11 – In our case we add three attributes: first name, last name and role id. Note that in step 6 we created a direct mapping for the first name and last name attributes, so adding them here makes no difference to that configuration. We add them anyway to show how you could transform the values if you used an indirect mapping for those fields.

Make sure that the variable names you specify here match the identifiers you typed in step 6 for the indirect mappings. For example, since we used appuser.role_id, the variable name for the Role Id must be role_id.

Mark all three attributes as required by checking the Yes checkbox, since Vawlt requires all of them.

For the role_id attribute, leave the Scope checkbox unchecked, since its value will not come from a user attribute. For the remaining attributes, check it.

12 – Now that the Vawlt User profile exists, you can configure the mappings for the indirect mapping attributes you specified in step 6. Click on the Mappings button.

13 – In this screen you configure the mapping of the attributes that are sent as claims to Vawlt. You can, for instance, apply transformations to the user’s names before sending them to Vawlt (learn more here).

If you want to, you can also map a user’s role_id based on one or more attributes present in the Okta user profile. In our case, we are going to create groups and define a user’s Vawlt Role based on the group they belong to. So we’ll leave the mapping for the role_id attribute blank and proceed.

Don’t forget that to use the values resulting from these mappings, you must use the nomenclature appuser.*variable_name* as claim values in the section shown in step 6.

Once you are finished configuring your mappings, press the Save Mappings button, apply the updates and close this window.

14 – As mentioned before, we are going to create groups and map each user’s Vawlt Role based on the group they belong to. If you do not intend to perform the mapping this way, you are free to skip the next steps and configure it in your own way. Otherwise, go to the Groups page under the Directory sub-menu in the side menu, and click on the Add Group button to create a new group.

15 – Fill the group details and press the Save button. In this example we are creating a group for the users that should be assigned the “Member” role. You should create a group for the remaining roles if you intend to assign those roles to some of your users.

16 – Now that the group is created, go to the group page, open the Applications tab, and press the Assign Application button.

17 – Select the Vawlt application that you created before and press the Assign button.

18 – Once you press the Assign button, you will be prompted to specify the Role ID that should be assigned to this group. The role you select here is mapped into the value of the role_id outgoing claim whenever a user that belongs to this group signs in at Vawlt.

In our case, since we created the Vawlt Members group, we set the Role Id for this group’s users to Member.

Once you’re done in this modal, press the Save and Go Back button. On the page of the group we just created, the Vawlt Application now appears under the Applications tab.

With this, the IdP is configured and able to send SAML responses to Vawlt. You just need to assign users to the groups you created (if you followed the same approach as we did), and the integrated Vawlt Application will then appear on their Okta dashboards.

If you have already configured your IdP on Vawlt’s SSO configuration page, your setup should already be working, and you and your users should be able to log in to Vawlt using SSO. Otherwise, proceed to the next guide to configure your IdP on the Vawlt platform.

Configure Okta IdP on Vawlt Platform

1 – To configure Okta as an IdP on the Vawlt platform, you need to provide some information to Vawlt. All of it can be found on the same page. In the side menu, open the Applications sub-menu and click on the Applications option. Then open the Sign On tab, scroll down, and click on the View SAML setup instructions button on the right side of the page.

2 – The IdP Entity ID and the Single Sign On and Logout URLs are provided right at the top of the page. Just copy those values and insert them in Vawlt’s SSO configuration page.

Observation regarding SLO: If you do not intend to use the Single Logout feature, do not insert the Single Logout URL in Vawlt’s SSO configuration page. Also, make sure that if you do not intend to use this feature, you did not check the Allow application to initiate Single Logout checkbox when integrating Vawlt application into Okta (see Step 5 of the first guide).

3 – If you scroll a bit further down, you can find the public certificate that should be used to verify Okta’s signatures on the SAML messages it sends to Vawlt. Copy the encoded certificate (without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and paste it into Vawlt’s X.509 Cert (Sign) input.

For the Vawlt’s X.509 Cert (Encrypt) input, you can leave the Use sign cert checkbox selected. At the time of writing, Okta does not encrypt SAML assertions, hence, this field is not relevant for the configuration.

4 – At the bottom of the page you can see Okta’s metadata file. In this file, you can see that Okta supports both POST and REDIRECT bindings for both SingleSignOn and SingleLogout Services, which means that you can select any of those when configuring the SSO and SLO URLs at Vawlt’s SSO configuration page.

Notice, however, that if you select the REDIRECT binding for the SSO or SLO endpoint you must not select RSA-SHA512 or RSA-SHA384 as the SP signing algorithm, since these are not supported when the REDIRECT binding is used.
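Steps 1 to 4 of this guide amount to copying a handful of values out of Okta’s metadata and respecting one constraint. The Python below is an added example, not Vawlt’s or Okta’s code: it parses an IdP metadata document shaped like Okta’s (the sample is constructed; the entity ID, URLs and certificate are placeholders, not a real tenant), emits the values for Vawlt’s SSO configuration page, leaves the Single Logout URL empty unless SLO is wanted, and rejects RSA-SHA384/RSA-SHA512 SP signing over the REDIRECT binding. It also performs the PEM-to-bare-base64 conversion that step 3 asks for. The function names `strip_pem_armor`, `parse_okta_metadata` and `vawlt_idp_settings` are chosen for this example.

```python
"""Added example: turn Okta's IdP metadata into the values Vawlt's SSO configuration
page asks for. The sample metadata is constructed; entity ID, URLs and the
certificate are placeholders, not a real Okta tenant."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Per the guide, these SP signing algorithms cannot be combined with the REDIRECT binding.
REDIRECT_UNSUPPORTED_SP_ALGS = {"RSA-SHA384", "RSA-SHA512"}

# Base64 of dummy bytes so the sample parses and decodes; NOT a real X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder, not a real certificate").decode()

# Constructed sample shaped like Okta's metadata (placeholder entity ID and URLs).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>__CERT__</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exk0000000000000000/sso/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exk0000000000000000/slo/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exk0000000000000000/slo/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("__CERT__", PLACEHOLDER_CERT_B64)


def strip_pem_armor(pem_text):
    """Reduce a PEM block to the single base64 line Vawlt's X.509 Cert (Sign) input
    expects: drop the BEGIN/END lines and whitespace, and check it really is base64."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    body = "".join(line for line in lines if not line.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises binascii.Error on garbage
    return body


def parse_okta_metadata(xml_text):
    """Extract entity ID, SSO/SLO endpoints per binding, NameID formats and signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        # Metadata carries bare base64 already; strip_pem_armor also validates it.
        "signing_certs": [strip_pem_armor(c.text) for c in idp.findall(cert_path, NS)],
    }


def vawlt_idp_settings(meta, binding=BINDING_POST, sp_sig_alg="RSA-SHA256", use_slo=False):
    """Values to enter on Vawlt's SSO configuration page, enforcing the guide's rules:
    no SLO URL unless SLO is wanted, and no SHA-384/512 SP signing over REDIRECT."""
    if binding == BINDING_REDIRECT and sp_sig_alg in REDIRECT_UNSUPPORTED_SP_ALGS:
        raise ValueError(f"{sp_sig_alg} is not supported with the REDIRECT binding; "
                         "use RSA-SHA256 or switch to the POST binding")
    if binding not in meta["sso"]:
        raise ValueError(f"IdP metadata offers no SingleSignOnService for {binding}")
    if not meta["signing_certs"]:
        raise ValueError("no signing certificate in IdP metadata")
    slo_url = None
    if use_slo:
        if binding not in meta["slo"]:
            raise ValueError(f"IdP metadata offers no SingleLogoutService for {binding}")
        slo_url = meta["slo"][binding]
    warnings = []
    if NAMEID_EMAIL not in meta["name_id_formats"]:
        warnings.append("IdP does not advertise the emailAddress NameID format Vawlt expects")
    return {
        "idp_entity_id": meta["entity_id"],
        "single_sign_on_url": meta["sso"][binding],
        "single_logout_url": slo_url,           # leave Vawlt's field empty when None
        "x509_cert_sign": meta["signing_certs"][0],
        "x509_cert_encrypt": "use sign cert",   # Okta does not encrypt assertions
        "sp_signing_algorithm": sp_sig_alg,
        "binding": binding,
        "warnings": warnings,
    }


if __name__ == "__main__":
    settings = vawlt_idp_settings(parse_okta_metadata(SAMPLE_METADATA), use_slo=True)
    for key, value in settings.items():
        print(f"{key}: {value}")
```

Feed the function the metadata file from the bottom of Okta’s setup-instructions page and the binding you intend to select on Vawlt’s side; if you later switch the SSO endpoint to the REDIRECT binding, re-run it so the signing-algorithm constraint is re-checked.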

5 – Regarding the Maximum Authentication Lifetime field: Okta’s default session lifetime is two hours, so you might set 7200 seconds as the Maximum Authentication Lifetime. This does not mean that an Okta session always expires after 2 hours. If a user keeps using Okta, their session is extended, while the authentication instant reported in the SAML assertion still refers to the original login. When that instant is older than the configured lifetime, Vawlt rejects the assertion and the user is forced to re-authenticate even though their Okta session is still valid. You can read more about Maximum Authentication Lifetime here.
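What the SP does with the assertion once it arrives is the other half of the picture: the emailAddress Name ID format from step 4 of the first guide, the required claims from step 6, and the Maximum Authentication Lifetime from step 5 here are all checks applied to the incoming assertion. The Python below is an added example (not Vawlt’s implementation) of those checks over a constructed Okta-style response; the issuer, entity IDs and user data are placeholders, the `first_name`/`last_name` claim names and the 180-second clock-skew allowance are assumptions. It deliberately does not verify the XML signature: a real SP must verify the Response/Assertion signature against Okta’s certificate before any of these checks mean anything.

```python
"""Added example: policy checks an SP applies to an Okta SAML assertion before mapping
it to a Vawlt user. Constructed sample; issuer, entity IDs and user data are
placeholders. Signature verification is out of scope and must happen first."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# role_id is the claim name used in the guide; first_name/last_name are assumed names
# for the other two required claims.
REQUIRED_CLAIMS = ("first_name", "last_name", "role_id")
SP_ENTITY_ID = "https://vawlt.example/sp"                 # placeholder Audience URI
NOW = datetime(2024, 5, 1, 10, 0, 10, tzinfo=timezone.utc)  # "current time" for the sample

# Constructed Okta-style response: logged in at 08:30, assertion issued at 10:00:05.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T10:00:05Z" Destination="https://vawlt.example/sso/acs">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:05Z">
    <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:05Z" NotOnOrAfter="2024-05-01T10:05:05Z">
      <saml:AudienceRestriction><saml:Audience>https://vawlt.example/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T08:30:00Z" SessionIndex="_a1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role_id"><saml:AttributeValue>Member</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlPolicyError(Exception):
    """Raised when the assertion is well-formed but violates SP policy."""


def saml_time(value):
    """SAML timestamps are UTC, e.g. 2024-05-01T10:00:05Z (milliseconds allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, sp_entity_id, now, max_auth_lifetime_s=7200, skew_s=180):
    """Return the mapped user on success, raise SamlPolicyError otherwise."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlPolicyError("no Assertion in response")

    # 1. Subject: Vawlt expects the emailAddress NameID format carrying the user's email.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        raise SamlPolicyError("NameID must use the emailAddress format")
    email = (name_id.text or "").strip()
    if "@" not in email:
        raise SamlPolicyError("NameID is not an email address")

    # 2. Conditions: validity window (with an assumed clock-skew allowance) and audience.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlPolicyError("assertion has no Conditions")
    skew = timedelta(seconds=skew_s)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < saml_time(not_before):
        raise SamlPolicyError("assertion outside its validity window (not yet valid)")
    if not_on_or_after and now - skew >= saml_time(not_on_or_after):
        raise SamlPolicyError("assertion outside its validity window (expired)")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlPolicyError(f"audience {audiences} does not include {sp_entity_id}")

    # 3. Maximum Authentication Lifetime: how old the user's actual login at Okta may be.
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is None:
        raise SamlPolicyError("assertion has no AuthnStatement")
    age = now - saml_time(authn.get("AuthnInstant"))
    if age > timedelta(seconds=max_auth_lifetime_s):
        raise SamlPolicyError(f"AuthnInstant is {int(age.total_seconds())}s old, over the "
                              f"maximum authentication lifetime; re-authentication required")

    # 4. Claims: every attribute Vawlt needs to build the user must be present.
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            claims[attr.get("Name")] = values[0]
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise SamlPolicyError(f"missing required claims: {missing}")
    return {"email": email, **{c: claims[c] for c in REQUIRED_CLAIMS}}


def rejection_reason(*args, **kwargs):
    """None when the assertion is accepted, otherwise the policy error text."""
    try:
        validate_assertion(*args, **kwargs)
        return None
    except SamlPolicyError as err:
        return str(err)
```

With the sample’s AuthnInstant of 08:30 and “now” at 10:00:10, a 7200-second lifetime accepts the login while 3600 seconds rejects it, even though Okta’s own session may still be live; that is exactly the forced re-authentication described in step 5.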

Login into Vawlt using SSO

To perform SP-initiated SSO, go to Vawlt’s SSO login page and insert your SSO Login ID (the SSO Login ID can be found in Vawlt’s SSO configuration page).

After pressing the Continue button, you will be redirected to your IdP’s sign-in page. Enter your credentials and press the Next button. After successfully signing in, you will be redirected back to Vawlt, this time logged into your account.

To perform IdP-initiated SSO, go to Okta’s website and log in to your user account. If the Vawlt Application you configured was assigned to your user, either directly or through a group assignment, it will appear on your user dashboard. Just click on the application and you will be logged into Vawlt.
