IdP Example: Okta

Let’s walk through the process of configuring Okta and Skuid Platform for SAML. Although the configuration may vary, your IdP will likely have similar steps.

Configuration

In Okta

First, configure settings in Okta to obtain its IdP metadata file:

  1. Within the Admin dashboard, navigate to Applications > Applications.
  2. Click Add Application.
  3. Click Create New App.
  4. Select SAML 2.0 as your sign on method.
  5. Click Create.

Now, begin configuring the SAML integration app settings:

  1. Fill out the App name, App logo, and App visibility. Make sure to name the app something recognizable like Skuid Platform - Company Wide.
  2. Click Next.
  3. In Configure SAML, under SAML settings, you’ll need to enter placeholder data so you can reach the IdP metadata file. This metadata file makes the Skuid-side configuration incredibly simple. Once you’ve downloaded the IdP metadata file, you must come back and replace the placeholders with the real Skuid values; until you do, Okta will send sign-ins to the placeholder address rather than to Skuid. For now, use https://placeholder.com for both of these fields:
    • Single Sign-On URL
    • Audience URI (SP Entity ID)
  4. Click Next.
  5. Fill out the Feedback tab as appropriate and click Finish.
  6. On the Okta app’s configuration page, within the Sign On tab, there is a box in the Settings pane with the following link: Identity Provider metadata is available if this application supports dynamic configuration.
  7. Click Identity Provider metadata to download the IdP metadata file.

You’ve completed the first steps in Okta. Time to configure Skuid Platform using the downloaded IdP metadata file, and after that you’ll return to Okta to correct the placeholder settings entered here.

In Skuid

  1. Log in to your Skuid Platform site.
  2. Navigate to Configure > Site > Single Sign-on.
  3. Click the edit icon beside SAML Enabled.
  4. Click the SAML Enabled checkbox to enable SSO.
  5. Click New Single Sign On Config.
  6. Click Import from Identity Provider Metadata File.
  7. Click Upload metadata file…
  8. Select the downloaded IdP metadata file.

After selecting the metadata file, Skuid Platform will automatically populate all of its required fields—saving you a lot of configuration work.

You’ll now see a new record named Okta within your Single Sign On Settings table.

To obtain the Audience URI and ACS URL that Skuid has generated for this SSO configuration:

  1. Click the Settings icon beside the Okta SSO record.
  2. Copy the URLs in the following fields:
    • Assertion Consumer Service (ACS) URL
    • Audience URI / Service Provider Entity ID / Metadata URL

Both of these URLs are necessary for the Okta configuration in the next section.

That’s it for Skuid Platform settings. Now you’ll need to correctly configure your Skuid Platform SAML app settings in Okta.

In Okta

Return to the Application settings for the app you configured in the first section.

  1. Under the General tab within the SAML Settings pane, click Edit.
  2. Click Next to proceed to the Configure SAML step.
  3. Update your SAML settings:
    • Single Sign-On URL: Insert your Assertion Consumer Service (ACS) URL from Skuid Platform.
    • Audience URI (SP Entity ID): Insert your Audience URI / Service Provider Entity ID / Metadata URL from Skuid Platform.
  4. Click Next and then click Finish to save your settings.

User Provisioning

Make sure user provisioning is enabled within the Okta SSO configuration on Skuid Platform.

Note: You may use Okta’s group functionality to streamline assigning Skuid Platform to your new users.

In Okta

  1. Navigate to Applications > Applications.

  2. Click your Skuid Platform app.

  3. Click the General tab.

  4. Click Edit in the SAML Settings pane.

  5. Click Next to open the Configure SAML settings.

  6. (Optional) Set the Application username field to the appropriate value to determine the default username when adding users. You may use an Okta expression when this field is set to Custom.

  7. Update your Attribute Statements setting to contain the following (you may leave the Name format as Unspecified for all of them):

     Name :: Value
     User.FirstName :: user.firstName
     User.LastName :: user.lastName
     User.Email :: user.email
     User.Username :: an Okta expression that matches your standardized username format. One common formula concatenates first and last names with a dot between the two: ${user.firstName}.${user.lastName}

     See Okta’s documentation for more on Okta expressions.

  8. Click Next and then click Finish to save your settings.

Okta is now configured to send the proper attributes for user provisioning. You may click Preview the SAML Assertion to ensure that your fields are conveyed properly with the assertion.
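Previewing the assertion shows what Okta sends; the other half is what the service provider must check before it trusts those attributes enough to create a user. The following is an added example, not Skuid’s code, of those checks: the Issuer must be the configured Okta entityID, the bearer Recipient must be the ACS URL, the Audience must contain the SP entity ID, the validity window must cover the current time, and the four provisioning attributes must be present. Signature verification (which needs an XML-DSig library) is assumed to have already passed against the certificate from the IdP metadata; it must run before any of these checks. The Skuid-side URLs, the Okta entityID and the SAMPLE_ASSERTION are constructed placeholders.

```python
"""Post-signature checks an SP must make on a SAML assertion before provisioning.

Added example, not Skuid's code. Signature verification is assumed to have
ALREADY passed. All identifiers and the sample assertion are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# The attribute names configured in the Okta attribute statements above.
REQUIRED_ATTRS = {"User.FirstName", "User.LastName", "User.Email", "User.Username"}

# Assumed values for the demo (not real Skuid or Okta identifiers).
IDP_ENTITY_ID = "http://www.okta.com/exkEXAMPLEIDP0000001"
SP_ENTITY_ID = "https://example.skuidsite.com/auth/saml/metadata"
ACS_URL = "https://example.skuidsite.com/auth/saml/callback"
NOW = datetime(2024, 3, 1, 12, 1, 0, tzinfo=timezone.utc)   # "current time" for the demo
LATER = NOW + timedelta(minutes=10)                          # past the assertion's expiry

SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed0001" Version="2.0" IssueInstant="2024-03-01T12:00:00.000Z">
  <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe</saml2:NameID>
    <saml2:SubjectConfirmation Method="{BEARER}">
      <saml2:SubjectConfirmationData NotOnOrAfter="2024-03-01T12:05:00.000Z" Recipient="{ACS_URL}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-03-01T11:55:00.000Z" NotOnOrAfter="2024-03-01T12:05:00.000Z">
    <saml2:AudienceRestriction><saml2:Audience>{SP_ENTITY_ID}</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="User.FirstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="User.LastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="User.Email"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="User.Username"><saml2:AttributeValue>jane.doe</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
# Same assertion re-addressed to a different SP: must be rejected on Audience.
TAMPERED_AUDIENCE = SAMPLE_ASSERTION.replace(SP_ENTITY_ID, "https://other-sp.example.com/metadata")


def saml_time(value):
    """Parse xs:dateTime as Okta emits it (UTC 'Z', optional fractional seconds)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, idp_entity_id, sp_entity_id, acs_url, now, skew=timedelta(minutes=2)):
    """Return the attribute map if every claim checks out; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml2"]:
        raise ValueError("expected a saml2:Assertion")
    if (root.findtext("saml2:Issuer", namespaces=NS) or "").strip() != idp_entity_id:
        raise ValueError("issuer is not the configured IdP")

    # Bearer confirmation: addressed to OUR ACS URL and still fresh.
    conf = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    data = conf.find("saml2:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or data is None:
        raise ValueError("missing bearer SubjectConfirmation")
    if data.get("Recipient") != acs_url:
        raise ValueError("Recipient does not match the ACS URL")
    if "NotOnOrAfter" not in data.attrib or now - skew >= saml_time(data.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData expired")

    # Conditions: validity window and audience. No AudienceRestriction means reject,
    # otherwise an assertion minted for another SP would be accepted here.
    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if "NotBefore" in cond.attrib and now + skew < saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - skew >= saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text.strip() for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("audience does not include this SP")

    # Only now read the provisioning attributes.
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    missing = REQUIRED_ATTRS - set(attrs)
    if missing:
        raise ValueError("provisioning attributes missing: " + ", ".join(sorted(missing)))
    return attrs


def rejection_reason(xml_text, now=NOW, **overrides):
    """None if the assertion would be accepted, else the reason it was rejected."""
    params = dict(idp_entity_id=IDP_ENTITY_ID, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL)
    params.update(overrides)
    try:
        validate_assertion(xml_text, now=now, **params)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, NOW))
    print(rejection_reason(TAMPERED_AUDIENCE))
    print(rejection_reason(SAMPLE_ASSERTION, now=LATER))
```

The Audience and Recipient checks are why the Okta placeholders from the first section must be replaced with the exact strings Skuid generated: a trailing slash or a different host in either value is, from the SP’s point of view, an assertion meant for someone else.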

To add new users

First, add the user to the Okta directory.

  1. Navigate to Directory > People.
  2. Click Add Person.
  3. Fill in the necessary fields:
    • First name
    • Last name
    • Username & Primary email: These fields must be in the form of an email address and will typically match.
    • Groups: If configured, select an appropriate group for the user in order to automatically give them access to Okta SSO apps (including Skuid Platform).
  4. Check Send user activation email now.

The credentials entered above apply to the user’s Okta account.

The user will receive an activation email for their Okta account. They must click the activation link to set their Okta password and basic security settings.

Assigning the app

After a user has been created, they’ll need to be assigned a Skuid Platform app previously configured in Okta. This can happen automatically through an Okta group, or it can be done manually:

  1. Navigate to Directory > People.
  2. Click on the new user’s name.
  3. Click Assign Applications.
  4. Beside your Skuid Platform app, click Assign.
  5. Enter the username you wish the new user to have on Skuid Platform.
  6. Click Save and Go Back.
  7. Click Done.

When your new user logs in via Okta—or via the Login with SAML option on your Skuid site login page—a new user record will be created within Skuid Platform, and the user will be logged in.