Okta example using SAML
Okta is an identity management service. It gives users access to various software with a single successful Okta login. This example provides step-by-step instructions on how to set up the application in Okta and in the MFT Server Manager interface. When complete, an MFT Server user will be able to log in to the MFT Server Web Client application using Okta. The images provided under the Okta Instructions are taken from the Okta Admin console. Most images are snippets and not the complete page.
Okta Instructions
1. Sign in to the Okta admin console.
2. Using the left sidebar menu, navigate to Applications > Applications.
3. Click on the Create App Integration button.
4. In the Create a new app integration pop-up dialog, choose SAML 2.0 and click Next. The Create SAML Integration dialog opens; the next three steps are its General Settings, Configure SAML and Feedback pages.
5. General Settings - enter an App name (for example: MFT Server Web Client). See the image below. Click Next.
6. Configure SAML - enter values for the following (see the image below):
   - Single sign-on URL - use the URL format http://<hostname>:<port>/sso/<domain_name>/login (for example: http://localhost:8880/sso/Domain2/login).
   - Audience URI (SP Entity ID) - any ID (for example: jscape).
   - Name ID format - leave this value as Unspecified.
   Click Next.
7. Feedback - select I'm an Okta customer adding an internal app, then click Finish. See the image below.
   The page will refresh displaying the App name you entered previously, and the Sign On tab will be active. See the image below.
8. On this page, scroll down to the SAML Signing Certificates section, then click on View SAML setup instructions.
9. A new page will open with the IdP details. Copy the Identity Provider Single Sign-On URL value and download the X.509 Certificate. You will need both the URL and the certificate when configuring Okta in the MFT Server Manager application.
10. Using the left menu, navigate back to Applications > Applications.
11. Click the Assign Users to App button, then check the following:
   - Under the Application & Label list, check the application you specified in Step 5.
   - Under Person & Username, check the user who will be accessing the MFT Server Web Client. See the image below. Click Next.
12. Click on the Confirm Assignments button.
This completes the Okta configuration.
MFT Server Instructions:
1. Launch the MFT Server Manager interface.
2. Click on Keys > Host Keys. Click on Import, then select Import File from the dropdown list. The Import Public Key dialog will appear.
   - Key alias - enter the desired alias name.
   - Key file - enter the file name of the X.509 certificate you downloaded in Step 9 of the Okta instructions.
3. Edit the domain the Okta user will have access to. (Click on Domains > View Domains, then select the domain to edit.)
4. Navigate to the ACCOUNTS > Authentication > Web SSO tab and enter the following:
   - Sign-in URL - paste the Identity Provider Single Sign-On URL you copied in Step 9 of the Okta instructions.
   - Sign-out URL - enter the desired sign-out URL (for example: https://localhost:8880).
   - Verification Certificate - select the Host Key that you imported into Keys > Host Keys.
   - Create user if not found using template - check this box to allow the system to create the user if they don't already exist in the Users table.
5. Log in to the MFT Server Web Client using a URL with this format: http://<host>:<port>/sso/<domain>/login (for example: http://localhost:8880/sso/Domain2/login).
If you have already authenticated with the Okta identity provider, you will be automatically logged in to the MFT Server Web Client application.
If you have not authenticated with the Okta identity provider, you will be presented with the Okta login page. If you successfully authenticate, the MFT Server Web Client application will load.
Note: New user - If the user logging in is a new user, not yet in the YourDomain > ACCOUNTS > Users > Users grid, the same behavior will occur as described above only if the Create user if not found using template field is checked, as depicted in the image below. When checked, the user is automatically added to the Users table after the first time they successfully authenticate.
If this field is checked, you must consider whether you will allow a secure or non-secure connection, which is determined by a field in the specified Template. The field is named Require secured connection. When checked (for new templates, it is checked by default), only connections using HTTPS are allowed.
When the Create user if not found using template field is not checked, the user will be presented with the standard MFT Server Web Client login page and will not be able to log in using Okta SSO. If Allow non SSO logins is not checked (as depicted in the image below), then only Okta SSO logins will be allowed.
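As an added illustration (not part of this page and not MFT Server's code), the following Python checks a constructed SAML Response against the values configured above: the Destination must equal the Single sign-on URL, the Audience must equal the Audience URI (SP Entity ID), the assertion must be inside its validity window, and the NameID format must be Unspecified. The response XML, the issuer placeholder and the user name are constructed samples; signature verification against the imported X.509 Host Key is the SP's job and is not shown.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# Values from the configuration above: Okta's Single sign-on URL and the Audience URI (SP Entity ID)
SSO_URL = "http://localhost:8880/sso/Domain2/login"
SP_ENTITY_ID = "jscape"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time" inside the sample's window
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sample_response(audience=SP_ENTITY_ID, destination=SSO_URL):
    """Constructed, unsigned SAMLResponse (base64) shaped like what an IdP posts to the SSO URL."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{destination}">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER_PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Subject><saml:NameID Format="{NAMEID_UNSPECIFIED}">jsmith</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

def _ts(value):
    # SAML timestamps are UTC with a trailing 'Z'; fromisoformat needs an explicit offset before 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(b64_response, now):
    """Return (name_id, problems). Signature verification is the SP's job (Verification Certificate);
    this checks the fields that must match the SP's own configuration."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != SSO_URL:
        problems.append("Destination does not match the Single sign-on URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["Response carries no Assertion"]
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience does not include the SP Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("Assertion is outside its validity window")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:
        problems.append("NameID format is not Unspecified")
    return (name_id.text if name_id is not None else None), problems
```

A mismatch in Destination or Audience is what you will see when the Single sign-on URL or Audience URI entered in Okta does not match the domain's Web SSO configuration.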