Prolaborate and OKTA SAML Integration
Prerequisites
Your Prolaborate site should have a valid SSL Certificate.
You can create a self-signed certificate yourself if you don’t have an SSL certificate. Please contact the Prolaborate team to learn more.
Service Provider Configuration
To configure the Service Provider, click on Menu > SAML Settings
From the top of the page that opens, click on Enable SSO.
Name | Name will be prefilled |
Assertion Consumer URL | Assertion Consumer URL will be Prefilled |
Certificate File | Choose the .pfx file of your SSL certificate |
Certificate Password | Enter the Password of the .pfx file |
Configuring Prolaborate in Okta
The following sections will elaborate on the steps involved in setting up Prolaborate in Okta.
Create a new SAML Application
To create a SAML application, follow the below steps:
Log in to your Okta account as a user with administrative privileges. Click on the Admin button.
Click on the Applications tab.
Click on Create App Integration button
Select the Sign-in method as SAML 2.0 and click on the Next button.
General Settings
Fill the fields in General settings as per the instructions below and click on Next.
App name | Enter your Application Name (say Prolaborate). |
App logo (Optional) | Review the tooltips for details about the type of image you can use for your logo. |
App visibility | You can leave these options unchecked. |
Configure SAML
Fill the details in Section A – SAML Settings as per the instructions below.
Single sign on URL | Fields from Prolaborate Service Provider configuration as stated above (In section Service provider Configuration). |
Audience URI (SP Entity ID) | Fields from Prolaborate Service Provider configuration as stated above (In section Service provider Configuration). |
Use this for Recipient URL and Destination URL | Select this box as the recipient and destination URL to be the same. |
Click on Show Advanced Settings.
- Check the Enable Single Logout to allow the application to initiate single logout.
Single Logout URL | Get Name fields from Prolaborate Service Provider configuration as stated above (In section Service provider Configuration). For example, https://localhost/saml/sls |
SP Issuer | Enter the URL from the Service Provider Name field from Prolaborate |
Signature Certificate | Browse SSL certificate (.cer file) of Prolaborate instance and click on Upload Certificate |
Attributes names | Values |
---|---|
First name | user.firstName |
Last Name | user.lastName |
user.email | |
Group | Usergroup |
You need not change any other settings as Section B is not needed for Prolaborate. You can just click on Next.
Feedback tab
- In the Feedback tab, select I’m an Okta customer adding an internal app and This is an internal app that we have created, and Click Finish
Assign Users
In this section, we will assign the Okta users to the Prolaborate application. Click on the Assignments tab.
Click on Assign on the users to whom you want to give access to Prolaborate on Assign Prolaborate to People page.
The users whom we have selected will now show up in the Assignment tab
Assign Groups
In this section, we will assign the Okta Groups to the Prolaborate application.
Click on the Assignments tab. Click on the Assign drop-down menu and Select ‘Assign Groups.’
A popup, along with a list of groups, will be shown. Select the appropriate groups from that list that you want the group to assign to the application.
Click on Assign and confirm the action by clicking Save, which will assign the group to the application.
The Okta group will now be shown in the application. Now, the members of this group will be able to access the Prolaborate application.
Sign On Tab
In this section, we will configure the Identity provider to your Prolaborate. Click on the Sign On tab
- Click on View SAML Setup Instructions.
Identity Provider Configuration details will be shown in a new tab
Identity Provider Single Sign-On URL | Should be used as Sign In URL field in Prolaborate Identity Provider configuration |
Identity Provider Single Logout URL | Used as Sign Out URL field in Prolaborate Identity Provider configuration. |
Identity Provider Issuer | Used as Name field in Prolaborate Identity Provider configuration respectively. |
Identity Provider Configuration
Go back to Prolaborate, and click on Menu → SAML Settings to configure the Identity Provider.
The configuration in Prolaborate can be done in two methods:
Manual Configuration
By default, users can enter the required details to configure manually.
Fill the Identity Provider Configuration as per the instructions below:
Name | Description |
---|---|
Name | Fill using Identity Provider Issuer URL availed from Okta configuration (Refer to the section Sign On Tab). |
Sign In URL | Fill using Identity Provider Single Sign-On URL availed from Okta configuration (Refer to the section Sign On Tab). |
Sign Out URL | Fill using Identity Provider Single Logout URL availed from Okta configuration (Refer to the section Sign On Tab). |
Certificate | Choose the .cer Certificate file from Okta Configuration (Refer to the section Sign On Tab). |
Upload Metadata file
To make IDP configuration more feasible and reduce human error and time, Prolaborate has introduced an option to upload the metadata file directly for IDP configuration from version 5.4.
It will fill the Name, Sign In URL, Sign Out URL and the certificate automatically.
Steps to Configure IDP Using Metadata File:
- Go to the Okta Sign On page in your Okta admin portal and download the metadata file from this page.
- Navigate to Prolaborate and choose the Metadata file option.
- A pop-up will appear. Choose the metadata file you previously downloaded from Okta and click on Upload.
- It will fill the Name, Sign In URL, Sign Out URL and the certificate automatically.
Attribute Mappings
Change the Attribute mapping into the Custom Mode and fill the following values in the respective fields.
Attributes Mappings | Values |
---|---|
First Name | Firstname |
Last Name | Lastname |
Email Note: Based on the claims, which is configured in SAML Application. Please choose the Email type. |
|
Group | Usergroup |
Configure Access Permissions
Apply single access permission for all SSO users
To apply a single access permission for all SSO users logging in to Prolaborate, select an Access Control Profile.
When a user logs in, the access permission will be applied based on the selected access control profile.
For detailed steps on how to create an Access Control Profile. Click here
SAML Group-Based Restrictions
SAML Group-Based Restrictions allow administrators to control user access by linking specific SAML groups to defined access control profiles. This ensures that users are granted permissions based on their group membership.
- Enable SAML Group-Based Restrictions using the toggle.
- Choose the required access control profile
- Enter the OKTA group name from the OKTA admin portal
- Click on the add button and repeat the steps if you wish you configure different access permissions for different SAML groups.
Log in with Okta Credentials
Once the configuration is done, users will start to see a new button on the login page called Login with SSO.
When they click on Login with SSO,
They will be redirected to an URL as per configuration. They can then give their OKTA credentials to login to Prolaborate.
You will be redirected to Prolaborate successfully if the configuration is done right as said in the document.
Note the Repositories you see will be based on Default Access Control Profile
If you are experiencing challenges signing in using SSO, go to SAML Assertion Validation debug the SAML configurations.
Logging out from Prolaborate
When a user initiates a logout, the user will be logged out from all applications in the current Identity provider login session.