Okta Integration Troubleshooting
Last Updated: 05/24/2018
-Create your Okta app:
-Applications -> Create New App. Choose Web and SAML 2.0, then click Create.
-Choose an app name, then click Next.
-Set ‘Single sign on URL’ to http://<BASE PORTAL URL>/SAML/AssertionConsumer.ashx – your base portal URL might be something like http://18.104.22.168/decisions/ . This is the URL Okta posts the signed SAML assertion to, so in anything other than a lab it should be an https:// address that matches the portal’s certificate.
-Set ‘Audience URI (SP Entity ID)’ to your base portal URL.
-Set ‘Name ID format’ to EmailAddress.
-Click Next, then select “I’m an Okta customer adding an internal app”, check the “This is an internal app that we have created” box, and click Finish.
-You should now be on the ‘Sign On’ tab. Stay on this page; the info here will be needed later.
-Install Decisions.SAML and Decisions.Okta modules, then restart SHM.
-Navigate to System -> Settings and select Okta Settings.
-Check the ‘Enabled’ checkbox.
-On the ‘Sign On’ tab of your Okta app, click the ‘View Setup Instructions’ button.
-From that page, get the ‘Identity Provider Single Sign-On URL’ and ‘X.509 Certificate’ values and enter them in the appropriate fields.
-The ‘SP Issuer ID’ field can be set to the value of ‘Identity Provider Issuer’ or any other value you choose.
-If you wish to automatically sync users & groups, or to manage Okta accounts from Decisions, you should also supply the Okta subdomain/URL and an API token at the top of Okta Settings.
-If your organization has “myOrganization.okta.com”, you can enter “myOrganization” here.
-Okta administrator accounts can generate API tokens at Security -> API -> Tokens -> Create Token. The token inherits the permissions of the administrator who created it, so create it from a dedicated service account rather than a personal one, and treat it as a secret.
-Click OK to save settings.
-Set ‘EnableSingleSignOn’ to true in Settings.xml and restart SHM. Logins will now be handled by Okta.
– Customer was getting the error shown below when trying to log in to Decisions:
Answer: In the Okta app’s SAML Settings (under Show Advanced Settings), changing Signature Algorithm and Digest Algorithm to SHA1 fixes this login error. The error comes from a mismatch between the algorithms Okta signs with and those the Decisions SAML module validates, so the two sides must agree. SHA-1 is deprecated for signatures; if the Decisions module version you run accepts SHA-256, align both sides on SHA-256 instead of downgrading Okta.
– Customer is getting the below error on Logout (if logout is configured in the Okta Settings):
Answer: The Okta module uses the SAML module underneath and passes its configuration straight through to it. The SAML module offers two logout options:
1) No logout at all
2) Single Logout
For Single Logout there is a checkbox on both sides (the Okta app and the Decisions Okta Settings); both must be checked, and a few fields must be filled in:
- A private key certificate in pfx/p12 format. You or someone in your organization has to create this (see ‘Finding the Key Values and pfx Certificate’ below) and place it on the Decisions server. Okta needs the matching public certificate uploaded to the app when you enable Single Logout there, so it can verify the signed LogoutRequest.
- The file name field is the filename of that pfx on the server.
- The password field is the password you set when exporting the pfx, if any.
- The URL field is the Identity Provider Single Logout URL shown on the ‘View Setup Instructions’ page of your Okta app (on the ‘Sign On’ tab).
Finding the Key Values and pfx Certificate:
Now for the certificate: you will need to create a self-signed certificate in pfx (or p12/pkcs12) format. The steps are:
- Install the openssl package (on Windows, download the Windows binaries).
- Generate the private key: openssl genrsa 2048 > private.pem
- Generate the self-signed certificate: openssl req -x509 -days 1000 -new -key private.pem -out public.pem (public.pem is the certificate you upload to the Okta app)
- Create the PFX: openssl pkcs12 -export -in public.pem -inkey private.pem -out mycert.pfx (you will be prompted for an export password; this is the password you enter in Decisions)
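The following script is an added example, not code from the Decisions page or from the Decisions/Okta modules. It wraps the three openssl steps above into one function so the Single Logout certificate is produced repeatably, and adds the checks a practitioner wants before blaming Okta: that the PFX actually opens with the password you will give Decisions and contains a private key, what the SHA-256 fingerprint of a PEM certificate is (useful for comparing the IdP certificate you pasted into Decisions with what Okta shows under ‘View Setup Instructions’), and whether a certificate will still be valid N days from now. The file names, the subject and the password are assumptions; it requires the openssl command line tool.

```shell
# Added example for the Decisions Single Logout certificate (not the
# project's own code). Assumed names: decisions-sp.key/.crt/.pfx and the
# subject /CN=decisions-saml-sp; change them to fit your environment.
set -eu

# make_sp_cert <basename> <pfx-password> <days> [subject]
# Produces <basename>.key (private key, stays on the Decisions server only),
# <basename>.crt (self-signed certificate: upload this one to the Okta app
# when enabling Single Logout) and <basename>.pfx (key + certificate, the
# file whose name and password you enter in Decisions Okta Settings).
make_sp_cert() {
  base=$1; pass=$2; days=$3; subj=${4:-/CN=decisions-saml-sp}
  openssl genrsa -out "$base.key" 2048 2>/dev/null
  openssl req -x509 -new -days "$days" -key "$base.key" -subj "$subj" \
    -out "$base.crt" 2>/dev/null
  # -passout replaces the interactive export-password prompt; the same
  # password is what Decisions needs to open the PFX.
  openssl pkcs12 -export -in "$base.crt" -inkey "$base.key" \
    -out "$base.pfx" -passout "pass:$pass"
}

# pfx_has_key <pfx> <password>
# Returns 0 only if the PFX opens with that password and holds a private key,
# i.e. Decisions will be able to sign the LogoutRequest with it. A wrong
# password or a certificate-only bundle returns non-zero.
pfx_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# cert_fingerprint <pem-cert>
# SHA-256 fingerprint of a PEM certificate. Run it on the file you saved the
# Okta 'X.509 Certificate' value into and compare with what Okta displays, so
# a copy/paste error is caught before it shows up as a signature failure.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_valid_for_days <pem-cert> <days>
# Returns 0 if the certificate is still valid <days> from now; use it in a
# scheduled check so an expiring SP or IdP certificate is renewed before
# login or logout stops working.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage (after sourcing this file):
#   make_sp_cert decisions-sp 'ChangeMe' 1000
#   pfx_has_key decisions-sp.pfx 'ChangeMe' && echo "PFX opens and has a key"
#   cert_fingerprint decisions-sp.crt
#   cert_valid_for_days decisions-sp.crt 30 || echo "expires within 30 days"
```

If the Decisions server runs on an older Windows release and refuses the PFX produced by OpenSSL 3.x, re-export with the `-legacy` option of `openssl pkcs12` so the bundle uses the older RC2/3DES encryption that every Windows version accepts.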
Basic Questions and Answers:
- “…then is it possible that even users with admin rights could not log in, as they are not assigned to the Okta app?”
- “Also, can we log in straight into Decisions? E.g. if firstname.lastname@example.org is not assigned in the Okta app, can we log in to Decisions?”
- No. While SSO is enabled, only accounts that Okta authenticates (i.e. users assigned to the Okta app) can log in; an unassigned account, admin or not, is rejected by Okta before it reaches Decisions.
- “If I do not assign any admin user in the Okta app, so after doing the Okta integration, if we want to revert the changes, can we do that?”
- Yes, this is possible to do.
- “Since admin is not assigned to the Okta app, admin gets blocked, so how can we revert our changes back?”
- Set ‘EnableSingleSignOn’ back to false in Settings.xml and restart SHM. SSO is then off, so you can log in with the local admin account, assign admin rights to whichever Okta accounts you want, and turn SSO back on. Because this recovery needs file access on the server, assign at least one administrator to the Okta app before enabling SSO in the first place.