Configure SSO with Okta

    Third-party identity provider applications
    This use case example is provided for your benefit, but we don't take responsibility for the screenshots, content, or functionality of these third-party applications.

    Prerequisite for VDI & DaaS

    Note
    This section is required only if you use ControlUp for VDI & DaaS and want to use LDAP for authorization to the VDI & DaaS web UI (or you are using a version of Real-Time DX lower than 9.0). Learn more about accessing the VDI & DaaS web UI for versions 9.0 and higher or versions lower than 9.0.

    You must configure Okta to send the required attributes from Active Directory. Not all of these attributes are added to your Okta user profiles by default when you set up the Active Directory integration with Okta.

    If the required attributes are not already in your Okta user profiles, you need to map the Active Directory attributes to your Okta user profiles.

    To map the required Active Directory attributes to your Okta user profile:

    1. In Okta, go to Profile Editor and select the Okta User (default) user profile.
    2. Click Add Attribute.
    3. Add three new attributes:
      1. Display name = "Distinguished Name", Variable name = "dn".
      2. Display name = "SAM Account Name", Variable name = "samAccountName".
      3. Display name = "User Principal Name", Variable name = "userName".
    4. After saving the attributes, go back to your profiles and select your Active Directory.
    5. Click Mappings.
    6. Map each Active Directory attribute to the Okta user profile attribute you just created for it, and click Save Mappings:
      • distinguishedName (Active Directory) to dn (Okta)
      • sAMAccountName (Active Directory) to samAccountName (Okta)
      • userPrincipalName (Active Directory) to userName (Okta)

    Set up the SAML Application in Okta

    1. Sign in to the Okta admin dashboard with a user who has permission to create app integrations, and go to Applications.
    2. Click Create App Integration.
    3. Select SAML 2.0 as the sign-in method and click Next.
    4. Enter an App name of your choosing and click Next.
    5. Under SAML Settings, fill out the following fields using values from your DEX SAML settings page.
      1. In the Single sign-on URL field, enter the Endpoint/Assertion Login URL from DEX.
      2. In the Audience URI field, enter the Relying Party Trust Identifier from DEX.
    6. Optionally, if you want to use single logout:
      1. Click Show Advanced Settings.
      2. Download the Signing Certificate from the DEX SAML settings page and upload it into the Signature Certificate field in Okta. Okta uses this certificate to verify the logout requests that DEX signs.
      3. In the Single Logout URL field, enter the Assertion Logout URL from DEX.
      4. In the SP Issuer field in Okta, enter the Relying Party Trust Identifier from DEX.
    7. Under Attribute Statements, add the attributes listed in the attribute table.
      • If you use ControlUp for VDI & DaaS and want to use LDAP for authorization to the VDI & DaaS web UI (or you are using a Real-Time DX version lower than 9.0), then you must also add the UPN, sAMAccountName, and distinguishedName attributes. This step is not required if you use a ControlUp account for authorization to the VDI & DaaS web UI. Learn more about accessing the VDI & DaaS web UI for versions 9.0 and higher or versions lower than 9.0. These three attributes depend on the attribute mappings described in the prerequisite section above, so make sure that the Value of each attribute statement refers to the correct attribute in your Okta user profile (for example, user.dn for the distinguished name).
    8. Optionally, if you want to use IdP-initiated SSO or assign roles to ControlUp users based on IdP user groups, you must set up additional attributes. See the attribute table for details.
    9. At the bottom of the page, click Next.
    10. Select I'm an Okta customer adding an internal app and click Finish.
    11. Under the Sign On tab, click View SAML setup instructions.
    12. This page shows three values that you must copy or download and add to your DEX SAML settings page.
      1. Copy the value Identity Provider Single Sign-On URL and paste it into the field IdP Login URL in DEX.
      2. Copy the value Identity Provider Issuer and paste it into the field Entity/Issuer ID in DEX.
      3. Click Download certificate and upload the certificate under the field IdP Signing Certificate in DEX. Note that Okta must be configured to sign the SAML assertion: under Show Advanced Settings, Assertion Signature must be set to Signed (the default).

    After performing the steps above, you can sign in to ControlUp with SAML using the SAML URL. You can find the SAML URL at the top of your DEX SAML settings page.

    Troubleshooting

    If SAML isn't working correctly after following the procedure above, the SAML assertion may not contain the expected attributes or values. To preview the SAML assertion, edit the application, go back to the page where you added the attribute statements, and click Preview the SAML Assertion. Note that your Okta user must be assigned to the application to preview the assertion.

    Compare the generated SAML assertion against the attribute table and make sure that:

    • The Attribute Name of each attribute is written exactly as it appears in the attribute table.
    • The AttributeValue of each attribute contains the correct information about the user.
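    The checks above, and the three values exchanged between DEX and Okta in the setup procedure (Identity Provider Issuer, Single sign-on URL, Audience URI), can be verified offline against the assertion shown by Preview the SAML Assertion. The following script is an added example and is not ControlUp's or Okta's own code: the assertion it parses is a constructed sample, and the values in EXPECTED and the attribute names in REQUIRED_ATTRIBUTES are placeholders that you replace with the values from your DEX SAML settings page and the attribute table.

```python
"""Offline checker for a SAML assertion copied from Okta's "Preview the SAML Assertion" page.

Added example, not ControlUp's or Okta's own code. SAMPLE_ASSERTION is constructed;
EXPECTED and REQUIRED_ATTRIBUTES are placeholders for your DEX SAML settings values
and the Attribute Names from the DEX attribute table.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML}

# Assumed (not real) endpoints for the values copied in the procedure:
#   Okta Identity Provider Issuer      -> DEX Entity/Issuer ID        (assertion Issuer)
#   DEX Endpoint/Assertion Login URL   -> Okta Single sign-on URL     (assertion Recipient)
#   DEX Relying Party Trust Identifier -> Okta Audience URI           (assertion Audience)
EXPECTED = {
    "issuer": "http://www.okta.com/exk1234567890abcdef",
    "recipient": "https://dex.example.com/saml/acs",
    "audience": "https://dex.example.com/saml/sp",
}

# Attribute Names exactly as they must appear (case-sensitive) plus a plausibility check
# per value. These names are illustrative stand-ins for the UPN, sAMAccountName and
# distinguishedName attributes, not the names from the DEX attribute table.
REQUIRED_ATTRIBUTES = {
    "userPrincipalName": lambda v: "@" in v,
    "sAMAccountName": lambda v: "@" not in v and "\\" not in v,
    "distinguishedName": lambda v: v.upper().startswith("CN="),
}

# Constructed sample in the shape Okta emits (namespaced, xsi:type on each value).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id1" Version="2.0" IssueInstant="2024-01-01T00:00:00.000Z">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1234567890abcdef</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00.000Z" Recipient="https://dex.example.com/saml/acs"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction><saml2:Audience>https://dex.example.com/saml/sp</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <saml2:Attribute Name="userPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">jdoe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">jdoe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="distinguishedName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">CN=Jane Doe,OU=Users,DC=example,DC=com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def parse_assertion(xml_text):
    """Extract issuer, recipient, audience and attributes from a saml2:Assertion (or a Response wrapping one)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml2:Assertion element found")
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name", ""), []).extend(values)
    return {
        "issuer": assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip(),
        "recipient": scd.get("Recipient", "") if scd is not None else "",
        "audience": assertion.findtext(
            "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", default="", namespaces=NS).strip(),
        "attributes": attributes,
    }


def check_assertion(parsed, expected=EXPECTED, required=REQUIRED_ATTRIBUTES):
    """Return a list of mismatches; an empty list means the assertion matches the configuration."""
    problems = []
    for field in ("issuer", "recipient", "audience"):
        if parsed[field] != expected[field]:
            problems.append(f"{field}: got {parsed[field]!r}, expected {expected[field]!r}")
    attrs = parsed["attributes"]
    lowered = {name.lower(): name for name in attrs}  # to spot case-only mismatches in Attribute Name
    for name, is_plausible in required.items():
        if name not in attrs:
            hint = (f" (found {lowered[name.lower()]!r}: Attribute Name is case-sensitive)"
                    if name.lower() in lowered else "")
            problems.append(f"attribute {name!r} missing{hint}")
            continue
        values = [v for v in attrs[name] if v]
        if not values:
            problems.append(f"attribute {name!r} has an empty value: check the Okta profile mapping")
        elif not all(is_plausible(v) for v in values):
            problems.append(f"attribute {name!r} has an unexpected value {values!r}")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(parse_assertion(SAMPLE_ASSERTION)) or ["assertion matches configuration"]:
        print(problem)
```

    Paste the assertion from the Okta preview into SAMPLE_ASSERTION (or read it from a file) and run the script; an empty-value report points at the prerequisite profile mapping, a case-sensitive hint points at the Attribute Name in the attribute statement, and an issuer, recipient or audience mismatch points at the value copied in step 5 or step 12.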
