HMSyncTOC("index.html", "configure_okta_saml.htm");

Configure Okta using SAML 2.0

<< Click to Display Table of Contents >>

Configure Okta using SAML 2.0

 

Configure Okta using SAML 2.0

  •     Overview
  •     1. Generate certificates to sign assertions (mandatory)
  •     2. Register an authorized application in Okta
  •         Endpoints
  •     3. Configure your IdP in the Customer Portal
  •     Troubleshooting

    • Overview

    To integrate your cloud portals with your corporate Okta you need to carry out the configuration steps as described in this section.

    Note that these are done only once, typically by an admin user of your Customer Portal having access to your Okta.

     

    Once you have carried out these steps users sign in to any cloud-based service directly via your Okta, as described at Signing in the Bizagi Cloud Portals and Applications.

     

    To configure your Identity Provider you must follow these steps:

     

    1. Generate certificates to sign assertions (mandatory)

    This step is not bound to Bizagi nor restricted by any special requirement of Bizagi (you normally do it yourself).

    If you need some guidance or an example on this step, refer to Certificates for SAML 2.0 authentication.

     

    To proceed with these guided steps, you need to have:

    One certificate to sign assertions (mandatory) in .P12 or .PFX  file format. You need The password for the certificate file, as defined by you when you exported the public and private keys.

    One certificate to encrypt messages (optional) in .P12 or .PFX  file format. You need The password for the certificate file, as defined by you when you exported the public and private keys. You will also need the key in CER or CRT format to be uploaded in Okta.

     

    note_pin

    You will need to be in charge of managing your installed certificates (keep track of its expiration date and other relevant maintenance aspects such as changes in your Identity Provider's endpoints).

     

     

    2. Register an authorized application in Okta

    Open the Okta portal as an administrator, select the Applications section and create a new App Integration.

     

    CP_Okta_10

     

    Select SAML 2.0:

     

    CP_Okta_11

     

    Give a name to the application:

     

    CP_Okta_12

     

    Configure the following parameters:

     

    Endpoints

    Single sign on URL: This is the destination in the SAML response https://accounts-<companyname>.bizagi.com/saml2/assertionConsumer

    Use this for Recipient URL and Destination URL: activate this option.

    Audience URI (SP Entity ID):  It is the Bizagi 's URL used for authentication, with the following format https://accounts-<companyname>.bizagi.com

    Default RealyState: Leavi it Empty.

    Name ID format: EmailAddress

    Application username: Email

     

    CP_Okta_13

     

    Now open the advanced settings and configure the following parameters:

     

    Response: Select Signed.

    Assertion Signature: Select Signed.

    Signature Algorithm: We recommend using RSA-SHA256. The same value must be configured in the Bizagi Customer Portal.

    Digest Algorithm: We recommend using RSA-SHA256.

    Assertion Encryption: Optional, if you select Encrypted you need a certificate.

    Encryption Algorithm: Select AES256-CBC if you activate Assertion Encryption.

    Key Transport Algorithm: Select RSA-1.5 if you activate Assertion Encryption.

    Encryption Certificate: upload your encryption certificate in cer o crt format, if you activate Assertion Encryption

    Enable Single Logout: Select Allow application to initiate Single Logout.

    Single Logout URL: It is the Bizagi's cloud logut URL https://accounts-<companyname>.bizagi.com/saml2/logout

    SP Issuer: It is the Bizagi 's URL used for authentication, with the following format https://accounts-<companyname>.bizagi.com

    Signature Certificate: Upload a certificate in cer o crt format. The same certificate must be uploaded in the Bizagi Customer Portal.

    Authentication context class: Select PasswordProtectedTransport.

    Honor force authentication: Select Yes.

    SAML Issuer ID: Leave the default value.

     

    CP_Okta_14

     

     

    Click Next, and then Finish.

     

    Open the Assignments tab and select users or groups of users that are going to be authenticated using this application.

     

    CP_Okta_15

     

    Finally, get the metadata URL. Open the Sign On tab and click Identity Provider Metadata.

     

    CP_Okta_16

     

    Copy the URL in the browser tab opened. It has the following format:

     

    https://[company].okta.com/app/[id]/sso/saml/metadata

     

    3. Configure your IdP in the Customer Portal

    After you configure the application in Okta, now you must access the Bizagi Customer Portal and register the Identity Provider. Follow the steps in Configure a SAML 2.0 IdP in the Customer Portal.

     

    To test your configuration we recommend that all users log out and opening a new tab using incognito mode, or use a different browser. If the configuration with a new IdP fails, you can Restore the authentication protocol.

     

    Troubleshooting

    In case the authenticator fails, you can review:

    Troubleshooting SAML message exchanges

    SAML Error codes

    In this article