Setting up a SAML Application in OKTA
Your Prolaborate site should have a valid SSL Certificate.
If you don’t have a SSL Certificate, you can create a self-signed certificate yourself. Please get in touch with Prolaborate team to know more about it.
Service Provider Configuration
To configure the Service Provider, click on Menu → SAML Settings .
From the top right of the page that opens, click on Enable SSO.
Under Service Provider Configuration,
- Name and Assertion Consumer URL will be prefilled. These URLs will be used as ‘Single sign on URL’ and ‘Audience URI (SP Entity ID)’ in Okta configuration respectively.
- Choose the .pfx file of your SSL certificate
- Enter the Password of the .pfx file
Configuring Prolaborate in Okta
The following sections will elaborate the steps involved in setting up Prolaborate in Okta.
Create a new SAML Application
To create a SAML application, follow the below steps:
Log in to your Okta account as an user with administrative privileges. Click on Admin button.
Click on Applications tab.
Click on Add Application button
Click on Create New App
Select the Platform as Web and Sign on method as SAML 2.0 and click on Create button.
In step 1, fill General settings as per instructions below and Click on Next.
- App name – Enter your Application Name (say Prolaborate).
- App logo (Optional) – Review the tool tips for details about the type of image you can use for your logo.
App visibility - You can leave these options as unchecked.
In step 2, fill Section A – SAML Settings as per instructions below.
- Fill ‘Single sign on URL’ and ‘Audience URI (SP Entity ID)’ fields from Prolaborate Service Provider configuration as stated above (In section Service provider Configuration).
- Use this for Recipient URL and Destination URL – Select this box as recipient and destination URL to be same.
Click on Show Advanced Settings.
- Check the Enable Single Logout to allow the application to initiate single logout.
Single Logout URL: Get Name from Service provider Configuration of Prolaborate and append it with /SAML/SLOService.aspx. to get the Logout URL.
For example, https://localhost/SAML/SLOService.aspx
- SP Issuer: Enter the URL from Service Provider Name field from Prolaborate
- Signature Certificate: Browse SSL certificate (.cer file) of Prolaborate instance and click on Upload Certificate
Attribute Statements should be configured as below:
- You need not change any other settings
Section B is not needed for Prolaborate. You can just click on Next.
In Step 3, select I’m an Okta customer adding an internal app and This is an internal app that we have created and Click Finish
In this section, we will assign the Okta users to Prolaborate application. Click on Assignments tab.
Click Assign button to select Assign to People.
Click on Assign on the users to whom you want to give access to Prolaborate in Assign Prolaborate to People page.
Username will be shown and Click on Save and Go Back. You can repeat #2 and #3 to add as multiple users.
The users whom we have selected will now show up in Assignment tab.
Sign On Tab
In this section, we will configure the Identity provider to your Prolaborate. Click on Sign On tab
Click on View Setup Instructions.
Identity Provider Configuration details will be shown in a new tab.
- Identity Provider Single Sign-On URL should be used as Sign In URL field in Prolaborate Identity Provider configuration
- Identity Provider Single Logout URL used as Sign Out URL field in Prolaborate Identity Provider configuration.
- Identity Provider Issuer used as Name field in Prolaborate Identity Provider configuration respectively.
- Click on Download Certificate to download the .cer file and it is used as Certificate field in Prolaborate Identity Provider configuration respectively.
Identity Provider Configuration
Go back to Prolaborate, click on Menu → SAML Settings .
Fill the Identity Provider Configuration as per the instructions below:
- Select your Identity Provider as Others .
- Fill Name using Identity Provider Issuer URL availed from from Okta configuration (Refer to the section Sign On Tab).
- Fill Sign In URL using Identity Provider Single Sign-On URL availed from from Okta configuration (Refer to the section Sign On Tab).
- Fill Sign Out URL using Identity Provider Single Logout URL availed from from Okta configuration (Refer to the section Sign On Tab).
- Choose the .cer Certificate file from Okta Configuration (Refer to the section Sign On Tab).
Default Access Control Profile
Click on Manage Profiles to create a new profile.
Click on Create Profile.
Give a Name to the Profile and configure permissions.
This is the permission that will be provided to all the users logging into Prolaborate using their SSO credentials.
You can choose any one of the following options:
- Give access to all repositories – Any user logging with their SSO credentials will be given access to all repositories
- Specify access – Any user logging with their SSO credentials will be added to the user groups you have specified after selecting the repositories
Now, go back to SAML Settings page.
Select the newly created profile and click Save.
Log in with Okta Credentials
Once the configuration is done, your users will start to see a new button on the login page called Login with SSO .
When they click on Login with SSO,
They will be redirected to an URL as per configuration. They can then give their OKTA credentials to login to Prolaborate.
You will be redirected to Prolaborate successfully if the configuration is done right as said in the document.
Note the Repositories you see will be based on Default Access Control Profile
Please check the configuration if you are not logged in to Prolaborate.
Logging out from Prolaborate
When a user initiates a logout, the user will be logged out from all applications in the current Identity provider login session.