Preamble
Connecting the LockSelf application to an identity federation is done via the SAML 2.0 protocol. It is therefore possible to connect the application to your company's Okta account, with Okta acting as the identity provider (IdP) and LockSelf as the service provider (SP).
Step 1: Create the connector on the IDP
Log in to your Okta admin console and open the Applications section:
- Step 1: Click "Create App Integration", then select "SAML 2.0".
- Step 2: Give the connector a name, typically "LockSelf", and add the logo if desired. Then click "Next".
- Step 3: Fill in block A, named "SAML Settings":
  - Single sign on URL: the reply URL (Assertion Consumer Service URL) that the connector will call with the SAML response.
  - Audience URI (SP Entity ID): the LockSelf application metadata URL.
  - Name ID format: select EmailAddress.
  - Application username: select the desired value (equivalent to the user's UPN).
  (In these values, FQDN stands for the fully qualified domain name of your LockSelf installation.)
Once this initial information is entered, click "Show Advanced Settings" and fill in the fields as shown below. For the "Encryption Certificate" input, select the certificate for your domain name (the leaf certificate only, without the certification chain).
Once the advanced options are configured, configure the attribute statements (claims) that Okta will send to the LockSelf application. At this step, enter the claims exactly as shown above: attribute names are case-sensitive.
Step 2: Upload the IDP metadata to LockSelf
This step consists of retrieving the IdP metadata from Okta. The metadata file, or its URL, is available in the "Sign On" tab of the connector:
Copy this URL and enter it in the LockSelf application. For this, refer to this documentation: SSO Interconnection Configuration (private cloud only).
Step 3: Allow users to access the application
This step consists of choosing which users or groups are allowed to use the connector, and therefore to access the application.
To do so, click "Assignments" in the left menu, then "Assign".
Add the users and groups that will be authorized to use the connector.
Step 4: Verify the connection
Once these steps are completed, you can test the connector:
- Step 1: To test correctly, open a private browsing window (so that no existing session interferes) and go to your infrastructure URL (https://FQDN/?sso). If you are using the browser extension, click the gear icon, then "Clear cache".
- Step 2: On the SSO tab, enter your email in the field displayed, or click the "Sign in" button directly.
  - If this does not work, on the login page click the gear icon in the top right corner and check that the API URL field ends with /api/ after the dedicated domain name. For example: https://votreentreprise.lockself-cloud.com/api/, https://lockself.votreentreprise.com/api/, etc.
- Step 3: You will be redirected to your organization's Okta SSO portal, where you can authenticate.
- Step 4: Once authenticated, you will be redirected to LockSelf, which will ask you to create the PIN code associated with your account.
Refer to this documentation if needed: SSO (Single Sign-On) connection.
Step 5: Update the connector
From time to time the signing certificate or the token encryption settings of the Okta connector need to be updated. Since LockSelf validates the SAML responses against the certificate contained in the IdP metadata it holds, the new IDP metadata file must then be uploaded in the Settings tab of the Administrator account, in the SSO module. For this, refer to this documentation: SSO Interconnection Configuration.
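The following script is an added example (not LockSelf or Okta code) covering Step 2 and Step 5: it parses an Okta-style SAML 2.0 IdP metadata document, extracts the entity ID, SSO endpoints, NameID formats and signing certificate(s), and compares the certificate fingerprints against the ones already configured, so a signing-certificate rotation is noticed before users start failing to log in. The metadata embedded below is constructed for illustration: the entityID, URLs and the certificate body are placeholders (the "certificate" is only the base64 of a fixed byte string, not a real X.509 certificate).

```python
"""Pre-flight check of IdP (Okta) SAML metadata before loading it into the SP.

Added example, not LockSelf or Okta code. All identifiers in the sample
metadata are constructed placeholders.
"""
import base64
import hashlib
# The metadata comes from your own IdP over TLS. For XML from untrusted sources,
# parse with defusedxml instead of the standard-library parser.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample in the shape Okta publishes. FAKE_CERT_DER is NOT a real
# certificate; it only lets the fingerprint logic run offline.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk-constructed-id">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_EMAIL}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{BINDING_POST}"
        Location="https://yourcompany.okta.com/app/constructed/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://yourcompany.okta.com/app/constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract the fields an SP needs from an EntityDescriptor with an IDPSSODescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing as well.
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            # PEM body may be wrapped over several lines; strip all whitespace first.
            certs.append(base64.b64decode("".join((c.text or "").split())))
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "nameid_formats": [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": certs,
    }


def cert_fingerprint(der):
    """SHA-256 fingerprint (hex) of the DER certificate bytes, as most admin UIs show it."""
    return hashlib.sha256(der).hexdigest()


def check_idp_metadata(xml_text, known_fingerprints):
    """Return a list of findings; an empty list means the metadata matches what is configured."""
    md = parse_idp_metadata(xml_text)
    findings = []
    if not md["signing_certs"]:
        findings.append("no signing certificate in metadata")
    if BINDING_POST not in md["sso"]:
        findings.append("no HTTP-POST SingleSignOnService binding")
    for loc in md["sso"].values():
        if not (loc or "").startswith("https://"):
            findings.append(f"SSO endpoint is not HTTPS: {loc}")
    if NAMEID_EMAIL not in md["nameid_formats"]:
        findings.append("IdP does not advertise the emailAddress NameID format")
    for der in md["signing_certs"]:
        fp = cert_fingerprint(der)
        if fp not in known_fingerprints:
            # This is the Step 5 situation: re-upload the IdP metadata on the SP side.
            findings.append(f"new signing certificate {fp}: update the IdP metadata in LockSelf")
    return findings


if __name__ == "__main__":
    current = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", current["entity_id"])
    print("HTTP-POST SSO:", current["sso"].get(BINDING_POST))
    known = {cert_fingerprint(c) for c in current["signing_certs"]}
    print("findings with known cert:", check_idp_metadata(SAMPLE_METADATA, known))
    print("findings after a rotation:", check_idp_metadata(SAMPLE_METADATA, {"0" * 64}))
```

In practice you would fetch the metadata URL from the connector's "Sign On" tab, store the fingerprint(s) of the signing certificate you uploaded to LockSelf, and run the check on a schedule; a "new signing certificate" finding is the signal to perform Step 5.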