Example of SAML configuration with Okta

This page describes the steps to enable SAML authentication in Cyberwatch using Okta as the identity provider.

It presents the minimal configuration needed for SAML authentication to work.

Prerequisites

The process assumes that you have access to the Okta administration console with sufficient rights to create a SAML application, and to manage user roles and groups in the case of advanced configuration.

Creating the SAML application in Okta

In the Okta admin console, go to Applications > Applications. Then you will need to:

  • Click on Create App Integration.
  • Select SAML 2.0.
  • Click on Next.
  • Specify the general information of the application, then click Next.
  • Specify the following SAML configuration information:
    • Application name: enter Cyberwatch
    • Single sign-on URL: ACS URL in Cyberwatch (leave the “Use this for Recipient URL and Destination URL” box checked)
    • Audience URI (SP EntityID): Entity ID in Cyberwatch
    • Response: select Signed
    • Attribute Statements:
      • firstName / Basic / user.firstName
      • lastName / Basic / user.lastName
      • email / Basic / user.email

For more information on creating the application, please refer to the Okta documentation https://help.okta.com/oie/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm

Configuration of the Service Provider and Identity Provider in Cyberwatch

To configure SAML in Cyberwatch, go to Administration > Identity provider.

  1. In the “Name ID Format” field, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  2. In the “Login Button Text” field, enter the desired value, for example “Okta SAML Login”. This value is used as the label of the SAML login button on the Cyberwatch authentication page.
  3. In the “SP Entity ID” field, enter the identifier by which Okta knows Cyberwatch as the relying party, for example “Cyberwatch ID”. It must match the Audience URI (SP Entity ID) set in the Okta application.
  4. In the “IDP Metadata URL” field, enter the “Metadata URL” value from the Okta SAML configuration
  5. Click Apply to retrieve the IDP certificate automatically
  6. In the “IDP Entity ID” field, enter the “Issuer” value from the Okta SAML configuration
  7. In the “IDP SSO Target URL” field, enter the “Sign On URL” value from the Okta SAML configuration
  8. Check “Request Single Logout”
  9. In the “IDP Single Logout Target URL” field, enter the “Sign Out URL” value from the Okta SAML configuration
  10. Save
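A check that goes with steps 4 to 9, added here as an example and not part of Cyberwatch's or Okta's own code: it parses an IdP metadata document of the kind Okta serves at the “Metadata URL”, extracts the values the form asks for (Issuer, Sign On URL, Sign Out URL, signing certificate) and compares them with what was typed into Cyberwatch. The org, app id, URLs and certificate in the sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata: placeholder org, app id and certificate, not a real Okta tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk0000PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      UExBQ0VI
      T0xERVJDRVJU</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/placeholder/exk0000PLACEHOLDER/slo/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/placeholder/exk0000PLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.okta.com/app/placeholder/exk0000PLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _location(idp, service):
    # Prefer the HTTP-POST endpoint; fall back to HTTP-Redirect if only that one is published.
    by_binding = {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{service}", NS)}
    return by_binding.get(HTTP_POST) or by_binding.get(HTTP_REDIRECT)

def parse_idp_metadata(xml_text):
    """Map IdP metadata onto the fields of the Cyberwatch identity-provider form."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' also covers signing
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))  # drop line wrapping inside the element
            certs.append(hashlib.sha256(der).hexdigest())  # fingerprint to compare with Cyberwatch
    return {
        "idp_entity_id": root.get("entityID"),
        "idp_sso_target_url": _location(idp, "SingleSignOnService"),
        "idp_slo_target_url": _location(idp, "SingleLogoutService"),
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha256": certs,
    }

def check_form_values(metadata, form):
    """Return the form fields whose entered value differs from what the metadata publishes."""
    return sorted(k for k, v in form.items() if metadata.get(k) != v)
```

Feed `check_form_values` the values entered in the Cyberwatch form (keys as returned by `parse_idp_metadata`); an empty list means the form matches the metadata.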

Optional - Advanced configuration

To configure roles, groups, and other attributes in Cyberwatch:

  1. Define groups in Okta > Directory > Groups > Add Group. Add users to the group.

Note: These groups must be created in Cyberwatch for the mapping to be functional.

  2. Define roles in Okta > Directory > Profile Editor > Cyberwatch User > Add Attribute:
    • DisplayName: Role
    • Check “Attribute Required”
    • Attribute Type: Group
    • Specify the Attribute Members

Assign user groups in the SAML application:

  • Okta > Applications > name of the SAML app
  • Assignments tab > Assign > Assign to Groups

Add role and group claims in the application:

  • Okta > Applications > name of the SAML app > General tab > SAML Settings > Edit
  • Configure SAML > Attribute Statements:
    • description / Basic / user.title
    • role / Basic / appuser.role
  • Group Attribute Statements:
    • memberOf / Unspecified / Matches regex .*
  • Click on Next > Finish

For more information on creating roles and groups, please refer to the Okta documentation:

Then map the role and group attributes on the Cyberwatch side, under Administration > Identity provider. Once this is done, the login should complete and the attributes configured in Cyberwatch should be retrieved from the Okta assertion.

Verifying the functionality

Open a private browsing window and go to the Cyberwatch authentication page. A button with the label entered in “Login Button Text” (for example “Okta SAML Login”) should be displayed.

Click on it: if the configuration is valid, the browser redirects to the Okta authentication page.

Authenticate with your credentials: the browser redirects you back to Cyberwatch, where you are now logged in.

Before testing, make sure that no local or LDAP account with the same email address already exists in Cyberwatch; otherwise the login fails with an error.

Troubleshooting

Don’t hesitate to contact Cyberwatch support for any technical assistance.
