Okta SAML

The following manual steps create a SAML SSO configuration for your Enterprise organization.

Prerequisites

  • Owner or admin role in an Enterprise organization

  • Service provider certificate and private key that you create

Supported features

This configuration supports the following:

  • Service Provider initiated SSO

  • Single Log Out [optional]

Configuration steps

Before configuring SSO, you need to assign a namespace and create a Service Provider certificate and private key. These important steps provide information you need to enter later.

Create your namespace:

  1. Go to Organization > SSO.

  2. Under Namespace, enter the namespace you want for your organization. For example, acme_corp. Your organization members enter this namespace when they log in via SSO.

  3. Under SSO type, select SAML 2.0.

Convert your Axelor Connect Service Provider certificate into a .pem file:

  1. Find the certificate under Service Provider Certificate.

  2. Highlight and copy all of the certificate.

  3. Paste the certificate into a plain text editor.

    • Windows: use Notepad.

    • Mac OS: use TextEdit.

  4. Save the file as a .pem file.

    Caution

    You may need to select All files (*.*) or rename the file after saving to change the extension to .pem.

This creates one .pem file. Locate the .pem file and have it ready to upload into Okta later.

Steps on Okta

  1. Log in to Okta and go to Admin > Applications > Applications.

  2. Click Create app integration and select SAML 2.0.

  3. Name your app and upload your icon.

  4. Click Next.

  5. Configure the following SAML settings:

    Single sign-on URL

    You can find this URL in the Redirect URL field of the SSO configuration in your Axelor Connect organization. Be sure to replace {namespace} with your actual namespace.

    Example: https://www.make.com/sso/saml/examplenamespace

    Audience URI (SP Entity ID)

    Add /metadata.xml to the URL in the Redirect URL field of the SSO configuration in your Axelor Connect organization.

    Example: https://www.make.com/sso/saml/examplenamespace/metadata.xml

    Default RelayState

    Leave this field blank

    Name ID format

    Select EmailAddress

    Application username

    Select Okta username

    Update application username on

    Select Create and update

  6. Click Show advanced settings and enter the following:

    Response

    Select Signed

    Assertion signature

    Select Signed

    Signature algorithm

    Select RSA-SHA256

    Digest algorithm

    Select SHA256

    Assertion encryption

    Select Unencrypted

    Note

    Optional: if you want to encrypt assertions, select Encrypted and enter the following:

    Encryption algorithm

    AES256-CBC

    Key transport algorithm

    RSA-OAEP

    Encryption certificate

    Upload the .pem file you created earlier.

    Signature certificate

    Upload a .pem file of the Service Provider Certificate. This must be the same certificate as the Service Provider Certificate field of your Axelor Connect SSO configuration tab.

    Enable Single Logout

    Leave unchecked

    Signed requests

    Optional

    Other requestable SSO URLs

    Optional

    Assertion inline hook

    Select None (disable)

    Authentication context class

    Select PasswordProtectedTransport

    Honor force authentication

    Select Yes

    SAML issuer ID

    http://www.okta.com/${org.externalKey}

  7. Enter the following attributes and click Next.

    Name              Name format    Value
    profileFirstName  Unspecified    user.firstName
    profileLastName   Unspecified    user.lastName
    email             Unspecified    user.email

  8. Select the following options and click Finish.

    Are you a customer or partner?

    Select I'm an Okta customer adding an internal app

    App type

    Select This is an internal app that we have created

To locate your IdP login URL and certificate:

  1. Go to Admin > Applications > Applications and select your SAML SSO app to access the necessary information.

  2. Go to the Sign on tab and click View SAML setup instructions.

Steps on Axelor Connect

  1. Go to Organization > SSO.

  2. Enter the following information from Okta into the IdP login URL and Identity provider certificate fields.

    Field on Okta                         Field on Admin > System settings
    Identity provider single sign on URL  IdP login URL
    X.509 certificate                     Identity provider certificate

  3. Enter the following in the Login IML resolve field:

    {"email":"{{get(user.attributes.email, 1)}}","name":"{{get(user.attributes.profileFirstName, 1)}} {{get(user.attributes.profileLastName, 1)}}","id":"{{user.name_id}}"}

  4. Select the following settings:

    Allow unencrypted assertions

    Yes

    Allow unsigned responses

    No

    Sign requests

    Yes

  5. Click Save.
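As an added example (not part of the Axelor Connect documentation or product), the following Python script shows what the Login IML resolve expression from step 3 produces from an Okta assertion, and checks a captured SAML response against the settings required in the Okta steps (signed Response and Assertion with RSA-SHA256 and SHA256, EmailAddress Name ID, unencrypted assertion). The sample response, its attribute values and all function names are constructed for illustration; the script inspects the declared algorithms only and does not cryptographically verify the signatures.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SIG = (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
       f'<ds:Reference><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference></ds:SignedInfo></ds:Signature>')
# Constructed sample response; the Signature elements only declare algorithms and carry no real signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 {SIG}
 <saml:Assertion>{SIG}
  <saml:Subject><saml:NameID Format="{EMAIL_FMT}">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="profileFirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="profileLastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def first_value(assertion, name):
    # Mirrors get(user.attributes.<name>, 1): the first value of a possibly multi-valued attribute.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values = attr.findall("saml:AttributeValue", NS)
            return values[0].text if values else None
    return None

def resolve_login(xml_text):
    # Builds the object the Login IML resolve expression from the Axelor Connect steps produces.
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    return {"email": first_value(assertion, "email"),
            "name": f'{first_value(assertion, "profileFirstName")} {first_value(assertion, "profileLastName")}',
            "id": assertion.find("saml:Subject/saml:NameID", NS).text}

def declared_algorithms(node):
    # (SignatureMethod, DigestMethod) declared by a node's enveloped signature, or None if it has none.
    info = node.find("ds:Signature/ds:SignedInfo", NS)
    if info is None:
        return None
    return (info.find("ds:SignatureMethod", NS).get("Algorithm"),
            info.find("ds:Reference/ds:DigestMethod", NS).get("Algorithm"))

def check_settings(xml_text):
    # Compares what the response declares with the settings this page requires (declared algorithms only).
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    return {"response_signed_rsa_sha256": declared_algorithms(root) == (RSA_SHA256, SHA256),
            "assertion_signed_rsa_sha256": declared_algorithms(assertion) == (RSA_SHA256, SHA256),
            "nameid_is_email": assertion.find("saml:Subject/saml:NameID", NS).get("Format") == EMAIL_FMT,
            "assertion_unencrypted": root.find("saml:EncryptedAssertion", NS) is None}
```

To run this against a real login, base64-decode the SAMLResponse form field captured from the browser and pass the XML to check_settings; a False in the result points at the Okta setting to revisit.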

Service Provider initiated SSO

  1. Go to Axelor Connect's login page.

  2. Click Sign in with SSO.

  3. Enter the namespace you chose for your organization.

  4. Log in using your Okta credentials and consent to Axelor Connect's access to your user data.

Troubleshooting

When you save the SSO configuration, you automatically receive an email with a link to bypass SSO login. Use this link to log in and adjust your configuration as needed.

Copyright © 2005-2024 Axelor. All Rights Reserved. White label documentation