Configure Okta using SAML 2.0

<< Click to Display Table of Contents >>

Navigation:  Automation Service Management > Accessing Portals and Applications > How to manage Identity Providers > SAML 2.0 examples >

Configure Okta using SAML 2.0

Overview

To integrate your cloud portals with your corporate Okta you need to carry out the configuration steps as described in this section.

Note that these are done only once, typically by an admin user of your Customer Portal having access to your Okta.

 

Once you have carried out these steps users sign in to any cloud-based service directly via your Okta, as described at Signing in the Bizagi Cloud Portals and Applications.

 

To configure your Identity Provider you must follow these steps:

 

1. Generate certificates to sign assertions (mandatory)

This step is not bound to Bizagi nor restricted by any special requirement of Bizagi (you normally do it yourself).

If you need some guidance or an example on this step, refer to Certificates for SAML 2.0 authentication.

 

To proceed with these guided steps, you need to have:

One certificate to sign assertions (mandatory) in .P12 or .PFX  file format. You need The password for the certificate file, as defined by you when you exported the public and private keys.

One certificate to encrypt messages (optional) in .P12 or .PFX  file format. You need The password for the certificate file, as defined by you when you exported the public and private keys. You will also need the key in CER or CRT format to be uploaded in Okta.

 

note_pin

You will need to be in charge of managing your installed certificates (keep track of its expiration date and other relevant maintenance aspects such as changes in your Identity Provider's endpoints).

 

 

2. Register an authorized application in Okta

Open the Okta portal as an administrator, select the Applications section and create a new App Integration.

 

CP_Okta_10

 

Select SAML 2.0:

 

CP_Okta_11

 

Give a name to the application:

 

CP_Okta_12

 

Configure the following parameters:

 

Endpoints

Single sign on URL: This is the destination in the SAML response https://accounts-<companyname>.bizagi.com/saml2/assertionConsumer

Use this for Recipient URL and Destination URL: activate this option.

Audience URI (SP Entity ID):  It is the Bizagi 's URL used for authentication, with the following format https://accounts-<companyname>.bizagi.com

Default RealyState: Leavi it Empty.

Name ID format: EmailAddress

Application username: Email

 

CP_Okta_13

 

Now open the advanced settings and configure the following parameters:

 

Response: Select Signed.

Assertion Signature: Select Signed.

Signature Algorithm: We recommend using RSA-SHA256. The same value must be configured in the Bizagi Customer Portal.

Digest Algorithm: We recommend using RSA-SHA256.

Assertion Encryption: Optional, if you select Encrypted you need a certificate.

Encryption Algorithm: Select AES256-CBC if you activate Assertion Encryption.

Key Transport Algorithm: Select RSA-1.5 if you activate Assertion Encryption.

Encryption Certificate: upload your encryption certificate in cer o crt format, if you activate Assertion Encryption

Enable Single Logout: Select Allow application to initiate Single Logout.

Single Logout URL: It is the Bizagi's cloud logut URL https://accounts-<companyname>.bizagi.com/saml2/logout

SP Issuer: It is the Bizagi 's URL used for authentication, with the following format https://accounts-<companyname>.bizagi.com

Signature Certificate: Upload a certificate in cer o crt format. The same certificate must be uploaded in the Bizagi Customer Portal.

Authentication context class: Select PasswordProtectedTransport.

Honor force authentication: Select Yes.

SAML Issuer ID: Leave the default value.

 

CP_Okta_14

 

 

Click Next, and then Finish.

 

Open the Assignments tab and select users or groups of users that are going to be authenticated using this application.

 

CP_Okta_15

 

Finally, get the metadata URL. Open the Sign On tab and click Identity Provider Metadata.

 

CP_Okta_16

 

Copy the URL in the browser tab opened. It has the following format:

 

https://[company].okta.com/app/[id]/sso/saml/metadata

 

3. Configure your IdP in the Customer Portal

After you configure the application in Okta, now you must access the Bizagi Customer Portal and register the Identity Provider. Follow the steps in Configure a SAML 2.0 IdP in the Customer Portal.

 

To test your configuration we recommend that all users log out and opening a new tab using incognito mode, or use a different browser. If the configuration with a new IdP fails, you can Restore the authentication protocol.

 

Troubleshooting

In case the authenticator fails, you can review:

Troubleshooting SAML message exchanges

SAML Error codes