3.2.1.3.1.2.1 Okta

  1. On the Okta Admin login splash page, choose “Create a new app”. (screenshot: okta-new-app.png)

  2. Choose Web and SAML 2.0. (screenshot: okta-new-app-02.png)

  3. In the “App name” field, enter “MetaAccess” or something similar. You can also upload a logo if you like. Do not check the “App visibility” checkboxes. Click Next to continue. (screenshot: okta-app-name.png)

  4. Under “SAML Settings”, fill in the “Single sign on URL” field with a properly formatted URL as a placeholder. NOTE: You will replace this later with the value retrieved from MetaAccess.

  5. Leave the box next to “Use this for Recipient URL and Destination URL” checked. Leave the box next to “Allow this app to request other SSO URLs” unchecked.

  6. Fill in the Audience URI, e.g. “metaaccess-sp”.

  7. The default settings are fine for “Default Relay State”, “Name ID format”, “Application username”, and “Update application username on”.

  8. Skip the first “Name” and “Value” fields.

  9. Under “GROUP ATTRIBUTE STATEMENTS (OPTIONAL)”, fill in the “Name” and “Filter” fields.

    1. For “Name”, enter whatever you want, but save the value for use later in the MetaAccess UI, e.g. “groups”.

    2. Under “Filter”, choose “Matches regex” and enter “.*”.

    3. Advanced users may choose other options, but it is recommended to use these settings unless you are very familiar with Okta.

    (screenshot: okta-saml-setup.png)

  10. Click “Next” to continue. (screenshot: okta-saml-next.png)

  11. The next page is just feedback for Okta, and has no functional impact. You can choose “I'm an Okta customer adding an internal app”, then leave all the other fields blank and click “Finish”.

  12. On the next page (under the “Sign On” tab), in the info box labeled “SAML 2.0”, there is a link called “Identity Provider metadata”. Right-click it and choose “Save Link As” to download the metadata XML file you will import into MetaAccess. (screenshot: okta-saml-idp-metadata-link.png)

  13. Log into your MetaAccess Console at metaaccess.com.

  14. Navigate to User Management > SSO > SDP and check “Enable Single Sign On”. (screenshot: meta-access-saml-01.png)

  15. Next to “Import configuration from XML Metadata file”, click “Choose File” and upload the metadata file you just downloaded from Okta. This should automatically fill in the “Current Certificate”, “Issuer”, and “IdP SSO URL” fields.

  16. In the “IdP Name” field, enter “Okta” or some other string. This is only for reference in the MetaAccess UI.

  17. Leave the Logout URL and Error URL fields blank. (screenshot: meta-access-saml-02.png)

  18. At the bottom, click “Add Group Attribute” and enter the value you used in the “Name” field in Okta (e.g. “groups”). (screenshot: meta-access-saml-03.png)

  19. Scroll to the top of the page, click “Save” and enter your MetaAccess admin PIN.

  20. At the bottom of the page you will see a new value called “MetaAccess Login URL”. Click “Copy to clipboard”. (screenshot: meta-access-saml-04.png)

  21. Switch back to Okta, click the “General” tab, scroll down to “SAML Settings” and click “Edit”. (screenshot: okta-saml-idp-sso-edit.png)

  22. Click “Next” on the first panel. (screenshot: okta-saml-idp-sso-next.png)

  23. There will be a placeholder URL under “Single sign on URL”. Replace it with the URL you just copied from MetaAccess. (screenshots: image-20201019-210036.png, image-20201019-210138.png)

  24. Scroll to the bottom and click “Next”, then “Finish”. (screenshots: okta-saml-idp-sso-next-01.png, okta-saml-idp-sso-finish.png)

  25. In the navigation bar at the top, mouse over Applications and click the Applications link. Then click the gear icon next to the MetaAccess app and choose “Assign to Groups”. (screenshot: okta-app-gear.png)

  26. On the groups panel, decide which groups you want to use for assigning SDP access in the MetaAccess console, and click “Assign” next to each SDP user group. Note: you will need to record the selected group names for use in MetaAccess. Copy and paste the group names to minimize human error.

  27. Click “Done”. (screenshot: image-20201019-211448.png)

  28. Navigate to the MetaAccess console at metaaccess.com, then go to User Management > IdP Groups, and click “Add”.

  29. Fill in a group name you copied from Okta, enter your PIN and choose Add. Your new group will show up in the “IdP Groups” section. (screenshot: image-20201019-211655.png)

  30. Repeat for each SDP user group in Okta.

  31. When you are ready to assign your new groups to protected applications, go to Secure Access > Protected Apps and click the “Assign” link next to your desired application(s).

  32. On the “Assign End Users/IdP Groups to Protected Applications” panel, move groups from “Available Users/Groups” to “Selected Users/Groups” to assign access, then enter your PIN again and choose Enter. (screenshot: meta-access-assign-groups.png)

  33. Log back in to the Okta console as an end user and click on the “MetaAccess” application. (screenshot: okta-app-user-page.png)
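Steps 12 and 15 rely on the Identity Provider metadata file carrying the three values MetaAccess fills in automatically: the Issuer (the entityID), the IdP SSO URL, and the signing certificate. The following Python script is added here as an example and is not part of the MetaAccess or Okta documentation. It parses a metadata file of that shape, extracts those values, and runs the checks worth doing before the import: the file really is IdP metadata rather than SP metadata, an HTTP-POST SSO endpoint exists and is served over HTTPS, and a signing certificate is present. The embedded metadata sample, its entityID, its URLs and its certificate bytes are constructed placeholders, not values from a real Okta tenant.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder standing in for the DER-encoded signing certificate.
# It is not a real X.509 certificate, only bytes to base64-encode.
PLACEHOLDER_CERT_DER = b"placeholder, not a real X.509 DER certificate"

# Constructed sample with the shape of the file behind Okta's
# "Identity Provider metadata" link. The entityID and URLs are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.okta.com/app/placeholder/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.okta.com/app/placeholder/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(PLACEHOLDER_CERT_DER).decode()


def parse_idp_metadata(xml_text):
    """Return the Issuer, the SSO endpoints keyed by binding, and the
    signing certificates (DER bytes) from a SAML 2.0 IdP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (SPSSODescriptor) or a malformed file: refuse it rather
        # than import the wrong side's configuration into the SP.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            # Metadata files often wrap the base64 body; strip all whitespace first.
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return {"issuer": root.get("entityID"), "sso": endpoints, "signing_certs": certs}


def cert_fingerprint(der):
    """SHA-256 fingerprint of a DER certificate as upper-case colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def check_idp_metadata(info):
    """Checks to run before importing the file into the SP; returns findings."""
    findings = []
    if not info["issuer"]:
        findings.append("missing entityID (Issuer)")
    post_url = info["sso"].get(POST_BINDING)
    if post_url is None:
        findings.append("no HTTP-POST SingleSignOnService endpoint")
    elif not post_url.startswith("https://"):
        findings.append("IdP SSO URL is not https: " + post_url)
    if not info["signing_certs"]:
        findings.append("no signing certificate: SP cannot verify assertions")
    return findings


if __name__ == "__main__":
    import sys
    # With no argument the constructed sample is parsed; pass a downloaded file to check it.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    info = parse_idp_metadata(text)
    print("Issuer:      ", info["issuer"])
    print("IdP SSO URL: ", info["sso"].get(POST_BINDING))
    for der in info["signing_certs"]:
        print("Signing cert SHA-256:", cert_fingerprint(der))
    for finding in check_idp_metadata(info):
        print("WARNING:", finding)
```

Run it against the file downloaded in step 12 before uploading it in step 15; the Issuer and IdP SSO URL it prints are the values MetaAccess should show after the import, and the certificate fingerprint gives you a value to record alongside the import for comparison when Okta rotates its signing key. Note also that the “Matches regex” filter of `.*` in step 9 sends every group the user belongs to in the assertion; it is the IdP Groups added in steps 28 to 30 and the assignments in step 32 that decide which of those groups grant SDP access.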