Okta SAML Integration

This article explains how to integrate Okta into the Safous ZTNA service as the external Identity Provider for authentication. Before following the steps below, please ensure that you:

  • Are familiar with the basic Safous ZTNA SAML configuration described here.
  • Have an account in Okta Workforce Identity Cloud with Admin privileges.

Setup Okta SAML Application in Okta Admin Console

  1. Log in to https://<tenant>.okta.com/admin/apps/active.
  2. Create a new app integration and select SAML 2.0.
  3. Enter your App Name and click Next.
  4. Fill in "Single sign-on URL" and "Audience URI" with these details:
    1. Single sign-on URL: https://login.<tenant>.ztna.safous.com:443/v1/auth/saml/1/callback
    2. Audience URI: the App Name you entered in the previous step. Note this value exactly as typed: it must match the "Entity Issuer" you enter later in the Safous Admin Portal, since a SAML service provider rejects assertions whose Audience does not match its own entity ID.
  5. Configure the Name ID Format and the Attribute Statements. This guide uses a single attribute named Email, carrying the user's email address; it is the value the Safous IdP form later refers to as the Username attribute and the Email attribute.
  6. You can check the attribute statement by clicking Preview the SAML Assertion. If the attribute is correct, proceed by clicking Next.
  7. In the Feedback section, answer both questions and click Finish.
  8. In the application you just created, go to the Assignments section and assign the People/Groups that should use it.
  9. On the Sign On tab, scroll down to the user authentication option and change the authentication policy to Okta Dashboard. This stops Okta from prompting for MFA on its login page, because Safous MFA is the only MFA we want to use. Only do this together with setting the Safous MFA mode to Mandatory (see the Safous Admin Portal steps below); otherwise users would sign in with a password alone.

  10. Still on the Sign On tab, click View SAML setup instructions. We'll use the information in the instructions to set up the IdP in your Safous Admin Portal.

  11. In the SAML setup instructions, take note of these values, which are needed to configure the IdP in the Safous Admin Portal:
    • Identity Provider Single Sign-On URL, which becomes the SSO URL.
    • Identity Provider Issuer, which becomes the SSO Issuer.
    • X.509 Certificate, which becomes the CA Trusted Certificate. This is the certificate Safous uses to verify the signature on assertions from Okta, so copy it exactly, and remember to update it in Safous whenever you rotate the signing certificate in Okta.

--------------------------------------------------------------------------------------------

Setup IdP in Safous Admin Portal

  1. Log in to https://portal.safous.com/
  2. Go to Settings > ZTNA.
  3. In Configurations, choose Identity Provider and click New IdP, which expands the IdP form.
  4. Fill in the name and ensure that the status is enabled (green).
  5. Choose SAML for the Identity Provider Setting.
  6. Fill in "Entity Issuer" with the Audience URI from your Okta application.
  7. Fill in "SSO Issuer" with the Identity Provider Issuer you noted earlier.
  8. Fill in "SSO URL" with the Identity Provider Single Sign-On URL you noted earlier.
  9. Fill in both "Username attribute" and "Email Attribute" with the attribute names from the Attribute Statements of your Okta application. In this example, both are Email.
  10. Fill in "CA Trusted Certificate" with the X.509 Certificate you noted earlier.
  11. For the rest of the Safous ZTNA SAML configuration, refer to the Safous ZTNA SAML configuration documentation linked here.
  12. Once you are done with the configuration, click Save.
  13. Verify your Redirect URI by comparing it with the Single Sign On URL in your Okta application. You can find that value under Your Okta Application > General > SAML Settings > Single Sign On URL.
  14. If the Redirect URI matches the Single Sign On URL in your Okta application, leave it as it is. If it does not, change the Single Sign On URL in your Okta application to the Redirect URI shown by Safous: Okta only posts assertions to the URL configured there, and a SAML service provider is expected to reject assertions whose Destination does not match its own callback.
  15. The recommended settings are: set MFA mode to Mandatory, set the user enrollment method to Self-service enrollment, and check "Activate users automatically when they complete enrollment". Mandatory MFA matters here because Okta MFA was disabled for this application in the Okta steps above.
  16. If everything is configured correctly, you can log in to the user portal https://users.<xxxx>.ztna.safous.com, choose Log in With IdP, and you will see your SAML configuration listed.
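Before testing the login end to end, it helps to compare the XML shown by Okta's Preview the SAML Assertion button (Okta step 6) against the values entered in the Safous IdP form (Safous steps 6-10 and 13-14). The script below is an added example for this guide, not Safous or Okta code. It checks that the Destination and Recipient equal the Safous Redirect URI, that the assertion Issuer equals the SSO Issuer, that the Audience equals the Entity Issuer, and that the Username/Email attributes are present. The tenant name, the Okta issuer ID, the app name "Safous ZTNA" and the sample assertion are constructed placeholders; paste your own values and the XML copied from the Okta preview.

```python
"""Check an Okta SAML assertion preview against the Safous IdP form values.

Added example for this guide (not Safous or Okta code). Standard library only,
runs offline on the XML copied from Okta's "Preview the SAML Assertion".
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values typed into the Safous IdP form. Tenant, issuer ID and app name are
# constructed placeholders; replace them with your own.
SAFOUS_IDP = {
    "entity_issuer": "Safous ZTNA",                              # = Okta Audience URI
    "sso_issuer": "http://www.okta.com/exk000000000example",      # Identity Provider Issuer
    "redirect_uri": "https://login.example-tenant.ztna.safous.com:443/v1/auth/saml/1/callback",
    "username_attribute": "Email",
    "email_attribute": "Email",
}

# Constructed sample of an Okta preview for an app configured as in this guide
# (the ds:Signature element Okta adds is omitted; it is not checked here).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="id1" Version="2.0" IssueInstant="2024-01-01T00:00:00.000Z"
    Destination="https://login.example-tenant.ztna.safous.com:443/v1/auth/saml/1/callback">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk000000000example</saml2:Issuer>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id2" Version="2.0">
    <saml2:Issuer>http://www.okta.com/exk000000000example</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00.000Z"
            Recipient="https://login.example-tenant.ztna.safous.com:443/v1/auth/saml/1/callback"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T00:00:00.000Z" NotOnOrAfter="2024-01-01T00:05:00.000Z">
      <saml2:AudienceRestriction><saml2:Audience>Safous ZTNA</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""

# Same preview with an Audience that does not match the Safous Entity Issuer.
MISMATCHED_RESPONSE = SAMPLE_RESPONSE.replace("<saml2:Audience>Safous ZTNA<", "<saml2:Audience>Wrong App<")


def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def check_assertion(xml_text, cfg):
    """Return a list of mismatches; an empty list means every checked field agrees."""
    problems = []
    root = ET.fromstring(xml_text)

    # Okta's preview is a full <Response>; a bare <Assertion> is accepted too.
    if root.tag == f"{{{NS['saml2p']}}}Response":
        destination = root.get("Destination")
        if destination != cfg["redirect_uri"]:
            problems.append(f"Destination {destination!r} != Safous Redirect URI")
        assertion = root.find("saml2:Assertion", NS)
    elif root.tag == f"{{{NS['saml2']}}}Assertion":
        assertion = root
    else:
        return [f"unexpected root element {root.tag}"]
    if assertion is None:
        return ["no <saml2:Assertion> in response"]

    issuer = _text(assertion, "saml2:Issuer")
    if issuer != cfg["sso_issuer"]:
        problems.append(f"Issuer {issuer!r} != SSO Issuer")

    audience = _text(assertion, "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience")
    if audience != cfg["entity_issuer"]:
        problems.append(f"Audience {audience!r} != Entity Issuer")

    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != cfg["redirect_uri"]:
        problems.append(f"Recipient {recipient!r} != Safous Redirect URI")

    if _text(assertion, "saml2:Subject/saml2:NameID") is None:
        problems.append("no NameID in Subject")

    # Attribute names must match what the Safous form calls Username/Email attribute.
    attrs = {a.get("Name"): _text(a, "saml2:AttributeValue")
             for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    for key in ("username_attribute", "email_attribute"):
        if not attrs.get(cfg[key]):
            problems.append(f"attribute {cfg[key]!r} ({key}) missing or empty")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_RESPONSE), ("mismatched", MISMATCHED_RESPONSE)):
        print(label, "->", check_assertion(xml_text, SAFOUS_IDP) or "OK")
```

Run it after pasting the previewed XML into SAMPLE_RESPONSE and your form values into SAFOUS_IDP; an empty result means the Okta app and the Safous IdP entry agree on the fields that most often break a first login (callback URL, issuer, audience, attribute names). The script does not verify the XML signature, so the CA Trusted Certificate still has to be checked by performing the actual login in step 16.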