This article describes how Okta can be configured as a SAML-based external identity provider that authenticates Software AG Cloud users. Software AG Cloud supports only Service Provider initiated SSO.
Submitted by: Sreejesh Pulukool, Software AG, August 2019
Applicable From: April 2019.
- Log on to OKTA as a user with Administrator privileges.
- If you are going to assign Software AG Cloud roles to OKTA users, create an OKTA group for each Software AG Cloud role to which you want to assign OKTA users, and then add OKTA users to the OKTA groups as necessary. You might want to use a convention like SAG_Cloud_group_name so you can easily filter the groups in the next step. Note the names of the OKTA groups you created and the names of the Software AG Cloud roles to which they correspond.
- Go to the Admin section, add an application, and select SAML 2.0 as the sign-on method.
- Provide an App name and click Next.
- For the SAML settings, do the following:
  - Paste the copied URI into the Single sign on URL field. Select the check box to specify the URI as both the recipient and the destination URL. Also paste the copied URI into the Audience URI field.
  - Specify OKTA properties to pass to Software AG Cloud. OKTA must pass the Name ID format property to Software AG Cloud. Other OKTA properties are optional.
  - Specify OKTA user attributes to pass to Software AG Cloud. When an OKTA user first logs in to Software AG Cloud, Software AG Cloud will save these attributes in the user's profile.
    The email address, first name, and last name attributes appear on the OKTA user interface by default, and OKTA must pass these attributes to Software AG Cloud. Other OKTA user attributes are optional. Software AG Cloud will accept attributes for locale, time zone, country, state, job title, company, date format, time format, and phone.
    Provide attribute names for all required and optional attributes to pass to Software AG Cloud; these names will appear with their values in the Software AG Cloud user profiles. Note the attribute names for use in a later step.
  - If you are going to assign Software AG Cloud roles to OKTA users based on OKTA group membership, go to the Group Attributes section, enter roles as the name of a group attribute, and specify a filter that matches the names of the OKTA groups you created (for example, SAG_Cloud).
- Finish creating the application.
- If you are going to assign Software AG Cloud roles to OKTA users, and you therefore created OKTA groups for the Software AG Cloud roles, you can assign users to the application by assigning the groups to the application. If you did not create OKTA groups, assign users to the application individually.
- You can import the OKTA SAML settings into Software AG Cloud instead of entering them there manually. Go to the newly created OKTA application, click Sign On, click Identity provider metadata, and then either copy the URI or save the metadata to file.
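What the Service Provider receives as a result of the settings above (the Single sign on URL used as both recipient and destination, the Audience URI, the mandatory Name ID format, the required email, first name and last name attributes, and the roles group attribute filtered on the group name prefix), as an added Python example that is not part of this article and is not Software AG Cloud's or Okta's code. The URLs, the attribute names, the group names and the group-to-role mapping are assumptions, and the SAML response is a constructed, unsigned sample; a production Service Provider must also verify the assertion signature, which this check deliberately leaves out.

```python
"""Check the SAML fields Software AG Cloud's Okta settings rely on and map Okta
groups to Software AG Cloud roles. Added example, not Software AG's or Okta's code.
URLs, attribute names, group names and the role mapping are assumed values."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Values configured on the Okta side (placeholder URL, assumed attribute names).
EXPECTED_SSO_URL = "https://sp.example.invalid/saml/acs"   # Single sign on URL
EXPECTED_AUDIENCE = "https://sp.example.invalid/saml/acs"  # same URI in Audience URI
REQUIRED_ATTRS = ("email", "firstName", "lastName")         # assumed attribute names
GROUP_ATTR = "roles"                                        # group attribute name
GROUP_PREFIX = "SAG_Cloud_"                                 # group filter from the article
# Assumed mapping: Okta group name -> Software AG Cloud role
GROUP_TO_ROLE = {"SAG_Cloud_Admin": "Administrator", "SAG_Cloud_Dev": "Developer"}

# Constructed sample response; it carries no signature and exists only to show the layout.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp.example.invalid/saml/acs">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.invalid/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid/saml/acs</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="roles">
        <saml:AttributeValue>SAG_Cloud_Admin</saml:AttributeValue>
        <saml:AttributeValue>Everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _text(elem):
    """Stripped text of an element, or an empty string if it is absent."""
    return (elem.text or "").strip() if elem is not None else ""


def validate(xml_text):
    """Return a dict with ok, errors, name_id, attributes and the mapped roles."""
    errors = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "errors": ["no Assertion element"], "name_id": "",
                "attributes": {}, "roles": []}

    # Destination and Recipient must both equal the Single sign on URL.
    if root.get("Destination") != EXPECTED_SSO_URL:
        errors.append("Destination does not match the Single sign on URL")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_SSO_URL:
        errors.append("Recipient does not match the Single sign on URL")

    # The Audience must equal the configured Audience URI.
    audiences = [_text(a) for a in assertion.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        errors.append("Audience does not match the configured Audience URI")

    # Name ID and its Format are mandatory.
    name_id_elem = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = _text(name_id_elem)
    if name_id_elem is None or not name_id or name_id_elem.get("Format") is None:
        errors.append("NameID or its Format is missing")

    # Collect user attributes; the required ones must be present.
    attributes, groups = {}, []
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [_text(v) for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == GROUP_ATTR:
            groups = values
        elif values:
            attributes[attr.get("Name")] = values[0]
    for name in REQUIRED_ATTRS:
        if not attributes.get(name):
            errors.append(f"required attribute {name} missing")

    # Apply the group filter, then map the surviving groups to roles; groups outside
    # the prefix (the sample carries "Everyone") never become roles.
    roles = sorted({GROUP_TO_ROLE[g] for g in groups
                    if g.startswith(GROUP_PREFIX) and g in GROUP_TO_ROLE})
    return {"ok": not errors, "errors": errors, "name_id": name_id,
            "attributes": attributes, "roles": roles}


if __name__ == "__main__":
    print(validate(SAMPLE_RESPONSE))
```

The group filter and the explicit mapping table together mean that an Okta group outside the SAG_Cloud naming convention, or one you never listed, cannot grant a Software AG Cloud role even if it appears in the assertion; keeping the mapping table in step with the groups you create in Okta is the part of this setup worth reviewing whenever a new group is added.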