SSO Configurations for Okta
- Updated on 19 Dec 2024
This document provides a step-by-step guide for creating an SSO Configuration for Okta, allowing users to sign in to Okta services with their OneIdP credentials and access those services securely.
Pre-requisites
The custom domain for which you are authorising should be verified through OneIdP.
Users belonging to the custom domain should be added to the Scalefusion Dashboard and migrated to OneIdP.
IT Admins should have access to the Okta admin console.
Users should be added to the Okta portal.
Create SSO Configuration for Okta
Sign in to the Scalefusion Dashboard and navigate to OneIdP > SSO Configuration.
Click on the New SSO Configuration button on the top right.
This opens the SSO Configuration wizard with the following tabs on the left panel:
Application Basics
SSO Scope Management
Permissions
SSO Settings
Conditional Access
User Facing Messages
Navigate to each tab and enter the required details. You can move to the next tab only after you have entered complete details in the current section. All tabs are explained in detail below.
Application Basics
Configure basic application details by entering the following:
Select Application Type: Select Okta as the application type from the drop-down.
Enter Application Name: Enter a name for your app, which will be the identifier for your configuration. The name must be at least 5 characters long; the maximum allowed length is 128 characters.
Select Hosting Type: This will be pre-selected as Cloud.
Select Domains: All the custom domains you have configured and verified using OneIdP will be listed here. Select the domain(s) for which you want SAML SSO enabled.
Enter Login URL: Provide the URL that you use to sign in to that service.
Once you have entered all details, click Next.
SSO Scope Management
SSO scope management lets you configure how the users who will access this application are managed, that is, how the SAML settings are applied to them. The settings are as follows:
User assignment
The SSO configuration allows only assigned users to access the app. Choose one of the following options:
Allow all users imported to Scalefusion to access the application: All users (belonging to the domain) imported to Scalefusion and migrated to OneIdP will be allowed to access the application.
Allow only assigned users to access the application: Only the user(s) to whom you have assigned the SSO configuration will be allowed to access the application. With this option, after the SSO configuration is created, you need to manually select and assign the users.
Revoke access for all users once when the configuration is saved: If this is checked, access is revoked from the users currently assigned to the configuration. As a result, all their sessions are invalidated and they are logged out of their currently running sessions.
Enforcement Rules
From here, you can configure at what point the SSO Configuration should invalidate users' current sessions and log them out. The following options can be selected:
Immediately on User Assignment and post grace period if applied: Once the SSO configuration is assigned to a user
Immediately on User Un-Assignment: When a user is unassigned from the SSO configuration
Immediately on Deleting this configuration: When the SSO configuration is deleted from the Scalefusion Dashboard
Note: Users will not get logged out in the case of Okta.
Permissions
Here, you do not need to grant any additional permissions. Click Next to go to the next step.
SSO Settings
This section allows admins to configure the Service Provider (Okta) settings and obtain the SSO URLs that will be added on the Okta portal.
OneIdP SSO Settings
For this, you need to perform the configuration on the Okta admin console. There are two modes of defining IdP usage on the Okta admin console, through which you can log in to Okta using OneIdP:
Factor Only: Okta evaluates requests coming from this IdP as a possession factor.
SSO Only: Okta evaluates requests coming from the IdP as a password (knowledge factor).
After configuring the settings on the Okta console, navigate back to the Scalefusion Dashboard and click Next to go to the next step.
Conditional Access
In this section you can define additional conditions on the basis of which users are allowed or denied access to the application on a device. It is divided into the following sections:
Conditional Access Settings
Access Exceptions
Conditional Access Settings
Device Policy
For Android, iOS/iPadOS, Windows & macOS, Linux, Chrome OS: Choose one of the following two conditions:
Only if the device is managed by Scalefusion: The application will be accessible only on devices managed (enrolled) by Scalefusion.
If the device is managed by Scalefusion or an OTP using Scalefusion Authenticator app from a managed device: The application is accessible if either of the following conditions is met:
Device is managed by Scalefusion: If the device is managed, you will not be asked to enter an OTP for authentication, or
If the device is unmanaged, an OTP is required for authentication. The OTP can be taken from the Authenticator app installed on a Scalefusion-managed device.
Allow users to access by setting up MFA using third party authenticator app or OTP sent on email: This option is active only when Multi-factor Authentication is enabled in Directory Settings.
Note: The left side panel is for configuring Device Policy on Android & iOS/iPadOS, the right side is for Windows & macOS, and Linux and Chrome OS are below them. Hence, you can configure separate device policies per platform.
Use OneIdP as second factor only: This option allows you to use OneIdP as a second factor of authentication. When enabled, users first authenticate using their primary method (e.g., password) and are then redirected to OneIdP for additional verification. OneIdP checks the user's compliance status and grants access if the user meets the specified conditions.
Browser Policy
From here, you can select one or more browsers and specify minimum versions on which you want to allow the access to the application. Following are the options:
All Browsers
Google Chrome with minimum version
Microsoft Edge with minimum version
Safari with minimum version
Mozilla Firefox with minimum version
Important Points on Browser Policy:
By default, all browsers are allowed.
Only major versions are validated. For example, if you enter browser version 23.5.8.10, the respective browser with minimum major version 23 will be allowed.
After configuring Device Policy and Browser Policy, click Next.
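The major-version rule above can be checked against a browser's User-Agent string. The Python below is an added example, not code from Scalefusion or OneIdP; the policy dictionary and the detection patterns are constructed assumptions, and the detection order matters because an Edge User-Agent also carries Chrome/ and Safari/ tokens and a Chrome User-Agent also carries Safari/.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed policy in the shape the Dashboard options suggest: browser name -> minimum
# version as an admin might type it. Only the major component is validated.
BROWSER_POLICY: Dict[str, str] = {
    "Google Chrome": "23.5.8.10",
    "Microsoft Edge": "120",
    "Mozilla Firefox": "115.0",
}

# Detection order matters: an Edge User-Agent also contains "Chrome/" and "Safari/", and a
# Chrome User-Agent also contains "Safari/", so the more specific products are tested first.
_SIGNATURES = [
    ("Microsoft Edge", re.compile(r"Edg(?:e|A|iOS)?/(\d+)")),
    ("Google Chrome", re.compile(r"Chrome/(\d+)")),
    ("Mozilla Firefox", re.compile(r"Firefox/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)\S*\s.*Safari/")),
]


def major_version(version: str) -> int:
    """Reduce a configured version such as '23.5.8.10' to its major component, 23."""
    return int(version.split(".")[0])


def identify_browser(user_agent: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (browser name, major version), or (None, None) for an unrecognised agent."""
    for name, pattern in _SIGNATURES:
        match = pattern.search(user_agent)
        if match:
            return name, int(match.group(1))
    return None, None


def browser_allowed(user_agent: str, policy: Optional[Dict[str, str]]) -> bool:
    """Apply the Browser Policy: None means 'All Browsers' (the default, everything passes);
    otherwise only listed browsers at or above their minimum major version are allowed."""
    if policy is None:
        return True
    name, major = identify_browser(user_agent)
    if name is None or name not in policy:
        return False  # unknown or unlisted browsers fail closed
    return major >= major_version(policy[name])
```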
Access Exceptions
In this section you can configure exceptions where users are allowed to access the application even if the conditions are not met. These exceptions address scenarios where:
IT Admins have set up Android Enterprise using Google Workspace, or
IT Admins have set up Apple User Enrollment with ABM/ASM federated to Google Workspace
Following are the exceptions that can be configured:
Enrollment Exceptions
Allow users to access the application till they enroll their first device: Allows users to access the application until they enroll at least one device. This option is helpful where the enrollment steps require them to authenticate with the service provider. With this, you can also configure the following:
Maximum sessions allowed per user: Configure the number of sessions that should be exempted. It can range from 1 to 3; ideally, 1 session per user is recommended.
Configure the OS where the exceptions are applied: Select the platform(s) on which this exemption is allowed to users.
User Exceptions
Here you can add the users who are always exempted from the conditions and will never be asked to manage their device. Enter comma-separated email addresses of users, or click on Add Users on the right and, in the new window, select the users who should be exempted.
Note: These users still need to sign in with their OneDirectory credentials if they fall under the SSO Scope; however, the conditions will not be enforced.
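The Device Policy and the Access Exceptions above combine into a single access decision. The Python below is an added example, not Scalefusion code: the option constants, the sample policy and the precedence (user exception, then managed device, then OTP, then enrollment exception) are assumptions made to show how the settings interact and how the 1-to-3 session range is enforced.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

MANAGED_ONLY = "managed_only"      # "Only if the device is managed by Scalefusion"
MANAGED_OR_OTP = "managed_or_otp"  # "...or an OTP using Scalefusion Authenticator app"


@dataclass
class ConditionalAccessPolicy:
    # Device Policy per platform (constructed keys); unlisted platforms default to MANAGED_ONLY
    device_policy: Dict[str, str] = field(default_factory=dict)
    # Enrollment Exceptions: access until the first device is enrolled, on selected platforms
    enrollment_exception: bool = False
    max_sessions_per_user: int = 1
    exception_platforms: FrozenSet[str] = frozenset()
    # User Exceptions: always exempt from the conditions (they still sign in via OneIdP)
    exempt_users: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        # The Dashboard limits the exempted session count to 1..3
        if not 1 <= self.max_sessions_per_user <= 3:
            raise ValueError("Maximum sessions allowed per user must be between 1 and 3")


@dataclass
class LoginAttempt:
    user: str
    platform: str
    device_managed: bool
    otp_valid: bool = False      # OTP from the Authenticator app on a managed device
    enrolled_devices: int = 0    # devices this user has already enrolled
    sessions_used: int = 0       # exception sessions already consumed by this user


def evaluate(policy: ConditionalAccessPolicy, attempt: LoginAttempt) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason selects which User Facing Message to show."""
    if attempt.user.lower() in policy.exempt_users:
        return True, "user exception"
    if attempt.device_managed:
        return True, "managed device"
    mode = policy.device_policy.get(attempt.platform, MANAGED_ONLY)
    if mode == MANAGED_OR_OTP and attempt.otp_valid:
        return True, "otp from managed device"
    if (policy.enrollment_exception
            and attempt.enrolled_devices == 0
            and attempt.platform in policy.exception_platforms
            and attempt.sessions_used < policy.max_sessions_per_user):
        return True, "enrollment exception"
    return False, "non-compliant device"
```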
User Facing Messages
User Facing Messages lets admins configure the messages end users are shown when they are unable to access the application because a compliance condition is not met. You can configure messages under the following:
Configure Instructions for a Non-Compliant Device: This message is shown when the device is not compliant and needs to be enrolled in Scalefusion.
Configure Instructions for a Non-Compliant Browser: Shown when the browser is not compliant as per the configuration.
Configure a Message to be displayed when Access is Denied: Any other case where access to the application is denied.
There are some pre-configured messages displayed on the Dashboard, which you can edit as per requirement.
After configuring user facing messages, click on Save.
The SSO configuration is created and listed on the SSO Configuration page as a separate card with the name you have defined. You can create multiple SSO configurations in the same manner.
The next document explains how the configurations can be managed and the other actions you can perform through SSO configurations.
Factor Only
Follow these steps on the Okta admin console:
Navigate to Security > Identity Providers
Click on Add Identity Provider
Under Select Identity Provider, select SAML 2.0 and click Next
Configure the following settings:
Name: Enter a name
IDP usage: Select Factor Only
SAML Protocol settings: Provide all SSO URLs and the certificate:
Issuer URI: Copy the OneIdP Entity ID/Issuer URL from the Scalefusion Dashboard (under SSO Settings) and paste it here.
IdP Single Sign On URL: Copy the OneIdP SSO URL from the Scalefusion Dashboard (SSO Settings) and paste it here.
IdP Signature Certificate: Download the Verification certificate from the Scalefusion Dashboard (SSO Settings) and upload it here.
Under Request Binding, select HTTP Redirect
After entering all details, click Finish
Now, navigate to Security > Authenticators and click on Add authenticator
Under the IdP authenticator card, click on Add
Here, select the Identity Provider you created (in Step #4 above) and click Save
Navigate to Security > Authentication Policies and click on Okta Dashboard
Click on the Actions drop-down and select Edit
Scroll down and configure the following:
User must authenticate with: Select Password / IDP + another factor
Authentication methods: Select Allow specific authentication methods and select IdP Authenticator in the drop-down below it.
Click Save
Navigate to Security > Authenticators. Go to the Enrollment tab and click on Edit under Actions. Here, for the IdP you have created, select Required from the drop-down and click on Update Policy.
User Login to Okta with Factor Only
On the Okta login page, enter your org URL
Enter your Okta user credentials (username & password)
You will be asked to verify with the configuration created on the Okta console. Click on Verify
Now you will be navigated to the OneIdP page to check compliance. After entering your credentials, click on Sign In
When Use OneIdP as second factor only is enabled in the Conditional Access policies, you won't be redirected to the OneIdP login page. Instead, OneIdP will check your compliance status and log you into Okta directly, without requiring you to enter your OneIdP credentials again.
You should be logged in to Okta
SSO Only
Follow these steps on the Okta admin console:
Navigate to Security > Identity Providers
Click on Add Identity Provider
Under Select Identity Provider, select SAML 2.0 and click Next
Configure the following settings:
Name: Enter a name
IDP usage: Select SSO Only
Account matching with IdP Username: Provide these settings:
IdP Username: Select idpuser.subjectNameId
Account link policy: Select Automatic
SAML Protocol settings: Provide all SSO URLs and the certificate:
Issuer URI: Copy the OneIdP Entity ID/Issuer URL from the Scalefusion Dashboard (under SSO Settings) and paste it here.
IdP Single Sign On URL: Copy the OneIdP SSO URL from the Scalefusion Dashboard (SSO Settings) and paste it here.
IdP Signature Certificate: Download the Verification certificate from the Scalefusion Dashboard (SSO Settings) and upload it here.
Under Request Binding, select HTTP Redirect
After entering all details, click Finish
Navigate to Identity Providers > Routing rules and click on Add routing rule
Under IdP(s), select the identity provider you created (Step #4 above) and click on Create Rule
Navigate to Security > Authentication Policies and click on Okta Dashboard
Click on the Actions drop-down and select Edit
Scroll down and, under User must authenticate with, select Any two factors
User Login to Okta with SSO Only
On the Okta login page, enter your org URL
Okta will redirect you to the OneIdP page to authenticate
After entering your credentials, click on Sign In
You should be logged in to Okta
Once SSO for Okta is configured, it will apply to all user accounts, including administrator accounts. This means that administrators will also need to authenticate via OneIdP to access the Okta console.
Synchronizing Users Between Scalefusion and Okta
To ensure integration between Scalefusion and Okta, you need to synchronize user accounts. Using Okta's User Provisioning tools, follow these steps to add any new users added on Scalefusion to the Okta portal.
Follow these steps on the Okta admin console:
Navigate to Security > Identity Providers
Click on Add Identity Provider
Under Select Identity Provider, select SAML 2.0 and click Next
Configure the following settings:
Name: Enter a name
IDP usage: Select SSO Only
Under If no match found, make sure Create New User (JIT) is selected
Click Finish
Now go to the Scalefusion Dashboard. In the SSO Configuration created for Okta, navigate to SSO Settings > Custom Attributes and enter the following custom attributes:
Save the SSO Configuration.
Now, when you log in to Okta with the user's credentials, the same user will automatically get added on the Okta portal.