Okta IdP with Atlassian

OPSWAT MetaAccess can be integrated with an existing Okta Atlassian integration to ensure that a device complies with the organization's security policy before it is granted access to Atlassian. The device is then not only authenticated by the IdP but also checked for risks and vulnerabilities, such as infections or an unpatched operating system, BEFORE it accesses the organization's cloud services.

To enforce a MetaAccess device posture check before a device is granted access to Atlassian through Okta Single Sign-On (SSO), set up SSO between Okta and Atlassian manually by following the steps below, even if you already have SSO for Atlassian configured in Okta. The built-in Atlassian application in the Okta catalog does not let you modify the Atlassian login URL, and this integration needs that URL to point at MetaAccess.

Reference: How to configure Atlassian SAML Single Sign On with an Identity Provider

  1. Log into the Okta console as an Administrator

  2. Switch to the Admin view and navigate to Applications

    images/download/attachments/31845066/image2017-9-11_15-38-15.png

    images/download/attachments/31845066/image2017-9-11_15-40-13.png

  3. Click Add Application

    images/download/attachments/31845066/image2017-9-11_15-41-38.png

  4. Click "Create New App" button to create an application manually

    images/download/attachments/31845066/image2017-9-11_15-42-29.png
  5. Select SAML 2.0 option and click Create

    images/download/attachments/31845066/image2017-9-11_15-45-3.png

  6. On step 1, General Settings, fill in the app name and upload a new logo for the app if needed, then click Next

    images/download/attachments/31845066/image2017-12-8_13-22-4.png
  7. On step 2, Configure SAML, fill in the information below and then click Next

    1. Single sign-on URL: the Atlassian single sign-on post-back URL: https://id.atlassian.com/login

    2. Audience URL (SP Entity ID): https://id.atlassian.com/login

    3. Default RelayState: your organization's URL, for example: https://your_domain.atlassian.net

    4. Name ID format: Unspecified

    5. Application username: Okta username

    6. In Attribute Statements, add the three additional attributes shown below

      images/download/attachments/31845066/image2017-12-8_13-44-11.png

  8. On step 3, Feedback, select the option "I'm an Okta customer adding an internal app" and click Finish

    images/download/attachments/31845066/image2017-9-12_15-42-0.png
  9. On the Sign On tab, click View Setup Instructions to get the IdP metadata, then follow the guideline here to configure the single sign-on settings in Atlassian.

  10. On the Assignments tab, click Assign to assign the people you want to allow to access this application

    images/download/attachments/31845066/image2017-10-17_15-7-17.png

After configuring SSO, test it to make sure that SSO works as expected before adding MetaAccess. The later steps change both the single sign-on URL and the signing certificate, so a working baseline makes any problem easier to isolate.

Now you can integrate MetaAccess with your Okta Atlassian application by following the steps below. More details for each step are at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Login to the MetaAccess console

  2. Navigate to Access Control and then Configurations

  3. Check the box "Enable access control".

  4. Click SAVE.

    images/download/attachments/31845066/image2018-3-9_13-42-9.png

Step 2. Import Identity Providers and Applications

  1. Download the Okta IdP certificate: the next step is importing Okta's X.509 signing certificate into MetaAccess. MetaAccess uses it to verify that the SAML assertions it receives were issued by the trusted IdP, Okta. Each identity provider has its own X.509 certificate. Download the Okta X.509 certificate as follows:

    1. Login to Okta as Administrator

    2. Switch to Admin mode

      images/download/attachments/31845066/image2017-9-11_15-38-15.png
    3. Go to the Applications dashboard

      images/download/attachments/31845066/image2017-9-11_15-40-13.png
    4. Select the Atlassian application which you just added above

    5. Go to the Sign On tab and click View Setup Instructions
      images/download/attachments/31845066/image2017-10-17_15-11-17.png


    6. Find the X.509 Certificate section and click Download certificate to download the Okta certificate

      images/download/attachments/31845066/image2017-10-17_15-12-13.png

  2. IdP Login URL: this is the embed link Okta generates so the app can be launched from outside Okta. You can find this URL on the General tab; scroll down to the App Embed Link section

    images/download/attachments/31845066/image2017-12-8_13-50-54.png

  3. Atlassian Login URL: the Atlassian single sign-on post-back URL of your organization's Atlassian, for example https://id.atlassian.com/login

  4. Collect the Atlassian Logout URL: you can find this URL inside Atlassian

    1. Log into your organization's Atlassian account

    2. Click your avatar, right-click Log Out and choose Copy link address to get the logout URL

      images/download/attachments/31845066/image2017-12-8_13-48-2.png

    3. Store the logout URL somewhere for later use

  5. Add the Okta Identity Provider. If you already have Okta IdP settings in your MetaAccess account, skip to 6 to add the Atlassian application.

    1. Login to the MetaAccess console

    2. Navigate to Access Control and then Configurations

    3. On the Identity Providers tab, click "Add New Identity Provider" to add your IdP

    4. Fill in the required fields for the Identity Provider

      1. IdP Name: an IdP name, for example: Okta

      2. IdP Certificate: upload the Okta certificate you downloaded in Step 2.1

        images/download/attachments/31845066/image2018-3-9_13-45-29.png

    5. Click Add IDP

    6. Click SAVE

  6. Add Atlassian application:

    1. Expand the Okta IdP settings you added in Step 2.5 above.

    2. Click Add New Application

    3. Enter the required fields

      1. Application: application name, for example: Atlassian

      2. Login URL: the application login URL from Step 2.3

      3. Logout URL: the application logout URL from Step 2.4

      4. Access Mode: pick the access mode you prefer. See details on the access modes at Step 2. Import Identity Providers and Applications

        images/download/attachments/31845066/image2017-12-8_13-53-1.png
    4. Click SAVE

  7. After saving your changes successfully, click the Setup Instructions button of the Atlassian application you have just added and copy the URL MetaAccess generated there. This URL replaces the Atlassian login URL in Okta in Step 4.

    images/download/attachments/31845066/image2017-12-8_13-54-0.png

Note: you can add the Atlassian application (step 2.6) while adding the Okta IdP settings in step 2.5.

Step 3. Configure Access Rules

  1. In the MetaAccess console, navigate to Access Control and then Configurations

  2. On the Access Rules tab, click "ADD NEW RULE" to add a new rule for this application, or update existing access rules to include this application

  3. For a new access rule, specify whether devices that match its conditions are blocked from or allowed to access the application

    1. Rule name: a rule name, for example Block non-compliant devices

    2. Action: Block or Allow

    3. Configure the conditions that trigger the action. Details at Step 3. Configure Access Rules

  4. Click ADD RULE

    images/download/attachments/31845066/image2018-3-9_13-50-48.png

Step 4. Update Applications settings on Identity Provider

  1. Log in to Okta as administrator

  2. Go to the Applications dashboard

  3. Select the Atlassian application

  4. On the General tab, click Edit in the SAML Settings box

  5. Click Next at the first step

  6. Replace the Single sign on URL and the Audience URL with the MetaAccess URL you got from Step 2.7

    images/download/attachments/31845066/image2017-12-8_13-55-23.png

  7. Click Next and Finish

Step 5. Configure SSO settings on applications

  1. In the MetaAccess console, navigate to Access Control > Configurations

  2. Download the OPSWAT certificate

    images/download/attachments/31845066/image2018-3-5_16-12-21.png

  3. Log in to Atlassian as an administrator

  4. Navigate to Atlassian Site Administration > Your organization > SAML single sign-on.

  5. Click Edit Configuration

  6. Replace the Public x509 certificate with the OPSWAT certificate generated for your account (downloaded in step 5.2). After this change Atlassian only accepts SAML responses signed with the OPSWAT certificate, that is, responses that have passed through MetaAccess, so Okta must already be pointed at MetaAccess (Step 4) or logins will fail.

    images/download/attachments/31845066/image2017-10-17_15-48-52.png

  7. Click Save Changes

Step 6: Test your integration

Follow the guideline at Step 6: Test your integration to verify that the integration works as expected.
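A quick way to confirm that Steps 4 and 5 took effect is to capture the SAMLResponse form field that the browser posts to Atlassian (for example with the browser's developer tools) and check which certificate is embedded in its signature: after the integration it must be the OPSWAT certificate you downloaded in Step 5.2, not Okta's, and the Destination must be the Atlassian login URL. The script below is an added example written for this page; it is not OPSWAT, Okta or Atlassian code. The certificate bytes, issuer strings and the two sample responses are constructed placeholders so the script runs offline; with a real capture you would pass the base64 SAMLResponse value and the downloaded PEM file instead. It checks only which certificate is presented, not that the XML signature is cryptographically valid, which needs an XML-DSig library.

```python
"""Check which certificate signs a captured SAML Response (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# XML namespaces used in a SAML 2.0 Response and its XML-DSig signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# The Atlassian single sign-on post-back URL used as the application login URL.
ATLASSIAN_ACS = "https://id.atlassian.com/login"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a certificate's DER bytes."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a PEM certificate, e.g. the one downloaded from MetaAccess."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return der_fingerprint(base64.b64decode(body))


def inspect_saml_response(saml_response_b64: str) -> dict:
    """Decode the SAMLResponse form field and report where it is addressed,
    who issued it and the fingerprint of every certificate in its signatures."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = root.find("saml:Issuer", NS)
    fps = [
        der_fingerprint(base64.b64decode("".join(el.text.split())))
        for el in root.iter("{%s}X509Certificate" % NS["ds"])
    ]
    return {
        "destination": root.get("Destination"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "cert_fingerprints": fps,
    }


def check_integration(saml_response_b64: str, trusted_pem: str,
                      expected_destination: str = ATLASSIAN_ACS) -> list:
    """Return a list of problems; an empty list means the response is addressed
    to the expected ACS and every embedded signing certificate is the trusted one."""
    info = inspect_saml_response(saml_response_b64)
    trusted_fp = pem_fingerprint(trusted_pem)
    problems = []
    if info["destination"] != expected_destination:
        problems.append("Destination is %r, expected %r"
                        % (info["destination"], expected_destination))
    if not info["cert_fingerprints"]:
        problems.append("no X509Certificate in the response: unsigned or bare key")
    for fp in info["cert_fingerprints"]:
        if fp != trusted_fp:
            problems.append("signing certificate %s... is not the trusted certificate" % fp[:16])
    return problems


def _pem(der: bytes) -> str:
    """Wrap constructed bytes in PEM armour (demo helper, not a real certificate)."""
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % base64.b64encode(der).decode())


def _saml_response(cert_der: bytes, issuer: str, destination: str = ATLASSIAN_ACS) -> str:
    """Build a minimal constructed SAML Response carrying cert_der, base64-encoded
    the way the browser posts it. Real responses also carry an Assertion and
    signature values; they are omitted because only the certificate is inspected."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
        'ID="_c1" Version="2.0" Destination="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
        '</samlp:Response>'
    ) % (NS["samlp"], NS["saml"], NS["ds"], destination, issuer,
         base64.b64encode(cert_der).decode())
    return base64.b64encode(xml.encode()).decode()


# Constructed stand-ins for the two certificates and issuers; not real X.509 data.
OPSWAT_DER = b"constructed-opswat-certificate-bytes"
OKTA_DER = b"constructed-okta-certificate-bytes"
OPSWAT_PEM = _pem(OPSWAT_DER)
GOOD_RESPONSE = _saml_response(OPSWAT_DER, "urn:example:constructed-metaaccess-issuer")
BAD_RESPONSE = _saml_response(OKTA_DER, "urn:example:constructed-okta-issuer")

if __name__ == "__main__":
    # Expected: no problems after Step 5; one problem if Okta still signs directly.
    print("after integration:", check_integration(GOOD_RESPONSE, OPSWAT_PEM))
    print("Okta still direct: ", check_integration(BAD_RESPONSE, OPSWAT_PEM))
```

If the check still reports Okta's certificate after Step 5, the browser is most likely reaching Atlassian through an SSO URL that was not updated in Step 4, or through a cached session established before the change; sign out with the logout URL collected in Step 2.4 and retry.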

DONE! CONGRATULATIONS.