IdP Example: Okta¶
This tutorial describes the process for configuring Okta and Skuid NLX for single sign-on using the SAML 2.0 protocol. It requires a working knowledge of SSO in Skuid and Okta.
We’ll need to navigate back and forth between Skuid and Okta for this process:
- First, create an IdP connection in Skuid to generate an ACS URL and service provider entity ID
- Next, create a SAML application in Okta using those values and configure the SAML attributes it sends
- Finally, return to Skuid to create an identity mapping so users can be matched via information in the SAML assertion
Creating an IdP connection in Skuid¶
In your Skuid NLX site:
- Navigate to Settings > Single Sign-on.
- Click Create identity provider or, if some IdP connections already exist, click Create in the Identity Providers section.
- Give the IdP connection a name, like Okta.
- Confirm the name by clicking Create.
- Copy the ACS URL and service provider entity ID values for Okta.
Creating an Okta application and configuring SAML attributes¶
Creating a service provider entry to retrieve IdP metadata¶
In your Okta Admin dashboard:
- Navigate to Applications > Applications.
- Click Create App Integration.
- Select SAML 2.0 as your sign on method.
- Click Next.
Now, begin configuring the SAML integration app settings:
- Fill out the App name, App logo, and App visibility. Make sure to name the app something recognizable, like “Skuid NLX - Company Wide.”
- Click Next.
- Update your SAML settings to point to the appropriate Skuid values. Both values must match what Skuid generated exactly; a SAML service provider rejects assertions whose Destination or Audience differ from its own values:
- Single Sign-On URL: Insert the Assertion Consumer Service (ACS) URL from Skuid NLX.
- Check Use this for Recipient URL and Destination URL.
- Audience URI (SP Entity ID): Insert the service provider entity ID from Skuid NLX (Skuid may also label this value Audience URI or Metadata URL).
- Click Next.
- Fill out the Feedback tab as appropriate and click Finish to save these changes.
Configuring user attributes¶
To facilitate user provisioning and ensure all relevant user attributes are passed from Okta to Skuid in the SAML assertion, we recommend configuring SAML attribute statements within your Okta application.
Configure these as needed for your organization following Okta’s documentation, or use the suggested attributes below:
- Navigate back to your application’s details within Applications > Applications.
- Click the General tab.
- Click Edit within the SAML Settings pane.
- Click Next to open the Configure SAML settings.
- Set the Application username to the user data you expect in the subject name identifier (NameID) of the SAML assertion. For most Skuid implementations, email or a custom federation ID is recommended. For custom federation ID formats, you can use an Okta expression when this field is set to Custom.
- Update your Attribute Statements setting to contain the following:
Note
You may leave the Name format as Unspecified for all of the below.
| Name | Value |
| --- | --- |
| User.FirstName | user.firstName |
| User.LastName | user.lastName |
| User.Email | user.email |
| User.Username | An Okta expression that matches your standardized username format. One common formula concatenates first and last names with a dot between the two: ${user.firstName}.${user.lastName} |
| User.FederationId | An Okta expression that matches your standardized federation ID format, for example the same ${user.firstName}.${user.lastName} expression. |

Name-based expressions are not guaranteed to be unique and change whenever a user’s name changes; where the value is used to match users, a stable identifier such as the Okta login is safer.
- Click Next and then click Finish to save your settings.
Okta is now configured to send the proper attributes for Skuid.
Retrieving the metadata file for Skuid¶
With the configuration complete on the Okta side, a metadata file becomes available. This file provides the rest of the information Skuid needs for the IdP connection.
- Navigate back to your application’s details within Applications > Applications.
- Click the Sign On tab, and find the SAML Signing Certificates section.
- In the SHA-2 row (not the SHA-1 row), click Actions > View IdP metadata.
- Copy the URL that points to this metadata XML. It should look similar to
https://<Okta Domain>/app/<App integration Id>/sso/saml/metadata
Note
It’s also possible to save this XML file and upload it to Skuid; the instructions below use the URL.
Complete IdP setup and identity mapping¶
Updating the IdP connection with metadata¶
In your Skuid NLX site:
- Navigate back to your IdP connection’s details within Settings > Single sign-on.
- In the Identity provider details section, click Add details.
- Select Import metadata file from specified URL.
- Paste the IdP metadata URL copied earlier into the field.
- Click Import.
Add identity mapping¶
Once SAML metadata is loaded, you must create an identity mapping so Skuid can identify users based on the information sent by Okta.
The mapping must correspond to the Application username and attribute statements you configured earlier in the SAML Settings pane of the application’s General tab.
Using a subject name identifier¶
If you set the Application username in Okta to a format available to match within Skuid (like email or federation ID), you can use the subject name identifier.
Note
This mapping example assumes you’ve set the Okta application username to equal a user’s email. If this isn’t the case, replace email with the attribute you chose in Okta.
- In the Identity mapping section, click Add mapping.
- Configure the mapping:
[ Subject name identifier ] with a format of [ Unspecified ] matches Skuid user [ Email ]
- Indicate whether or not the match is Case-sensitive. If you disable case sensitivity, make sure no two Skuid users have email addresses that differ only in letter case.
- Click Save.
Using a SAML attribute¶
You can also match users based on a particular SAML attribute.
Note
This mapping example assumes you’re using the User.Email attribute configured in the SAML attributes instructions above.
- In the Identity mapping section, click Add mapping.
- Configure the mapping:
[ SAML attribute ] [ User.Email ] matches Skuid user [ Email ]
- Indicate whether or not the match is Case-sensitive.
- Click Save.
Make the IdP available as a login option¶
With all setup options complete, enable the Available as login option toggle and then click Save to display the newly created IdP connection as a login option to your users.
Troubleshooting¶
SAML Login error: User not found¶
This error indicates that the attributes sent by Okta did not match an existing Skuid user and user provisioning is not enabled.
First ensure your identity mapping and attribute settings are correct:
- Ensure that Okta is passing the necessary attributes to Skuid.
- Ensure the identity mapping in Skuid’s IdP connection matches Okta’s settings (the same attribute name, and a case-sensitivity setting that fits the values Okta sends).
If this error occurred and you intended for a new user to be provisioned, go to the IdP connection details, click the Provisioning tab, and enable Just-in-time user provisioning.
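To see what both identity mapping variants above actually compare, and why a “User not found” occurs, here is an added example (not Skuid’s or Okta’s code) that extracts the subject name identifier and attribute statements from a SAML response and applies a mapping to a user list. SAMPLE_RESPONSE is a constructed, unsigned response that uses the attribute names from this page; USERS is a constructed user list; the mapping dictionaries and the UserNotFound and AmbiguousMatch exceptions are this example’s own. Signature, audience and timestamp validation happen before any mapping and are out of scope here.

```python
"""Apply an identity mapping to a SAML assertion and explain a 'User not found'.

Added example, not Skuid's or Okta's code. SAMPLE_RESPONSE and USERS are constructed.
"""
import xml.etree.ElementTree as ET  # production code: prefer defusedxml

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# User.Username is deliberately not sent, to exercise the 'attribute absent' path.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
  <saml2:Assertion Version="2.0" ID="_a1">
    <saml2:Issuer>http://www.okta.com/exk0000000000000000</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Ada.Lovelace@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="User.FirstName"><saml2:AttributeValue>Ada</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="User.LastName"><saml2:AttributeValue>Lovelace</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="User.Email"><saml2:AttributeValue>ada.lovelace@example.com</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="User.FederationId"><saml2:AttributeValue>Ada.Lovelace</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""

# Constructed user directory: the fields an identity mapping can target.
USERS = [
    {"username": "alovelace", "email": "ada.lovelace@example.com", "federation_id": "ada.lovelace"},
    {"username": "cbabbage", "email": "charles.babbage@example.com", "federation_id": "charles.babbage"},
]


class UserNotFound(Exception):
    """Raised when the mapping yields no user; the message is the troubleshooting hint."""


class AmbiguousMatch(Exception):
    """Raised when the mapping yields more than one user; never log such a subject in."""


def parse_assertion(xml_text):
    """Extract the subject NameID (with its Format) and every attribute statement."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no plaintext Assertion (encrypted or malformed)")
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attributes[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def match_user(assertion, mapping, users, case_sensitive=True):
    """mapping is {"source": "nameid", "field": <user field>} or
    {"source": "attribute", "name": <SAML attribute name>, "field": <user field>}."""
    if mapping["source"] == "nameid":
        values = [assertion["name_id"]] if assertion["name_id"] else []
        label = "subject name identifier"
    else:
        values = assertion["attributes"].get(mapping["name"], [])
        label = f"SAML attribute {mapping['name']}"
    if not values:
        raise UserNotFound(
            f"{label} is absent from the assertion; attributes actually sent: {sorted(assertion['attributes'])}")
    norm = (lambda s: s) if case_sensitive else str.casefold
    wanted = {norm(v) for v in values}
    hits = [u for u in users if norm(u[mapping["field"]]) in wanted]
    if len(hits) > 1:
        raise AmbiguousMatch(f"{label} {values} matched {len(hits)} users on {mapping['field']}")
    if not hits:
        raise UserNotFound(
            f"{label} {values} matched no user on {mapping['field']} (case_sensitive={case_sensitive})")
    return hits[0]


if __name__ == "__main__":
    a = parse_assertion(SAMPLE_RESPONSE)
    for mapping, cs in [
        ({"source": "nameid", "field": "email"}, True),
        ({"source": "nameid", "field": "email"}, False),
        ({"source": "attribute", "name": "User.Email", "field": "email"}, True),
        ({"source": "attribute", "name": "User.Username", "field": "username"}, True),
    ]:
        try:
            print(mapping, cs, "->", match_user(a, mapping, USERS, cs)["username"])
        except (UserNotFound, AmbiguousMatch) as exc:
            print(mapping, cs, "-> SAML Login error:", exc)
```

The run shows the two failure modes the troubleshooting section describes: the NameID Ada.Lovelace@example.com only matches the stored lowercase email when the mapping is case-insensitive, and mapping on User.Username fails because Okta never sent that attribute, which the error message lists alongside the attributes that were sent. The AmbiguousMatch path is why a case-insensitive mapping needs unique values in the user directory.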