Preamble
Interconnecting the LockSelf application with an identity federation is done through the SAMLv2 protocol. It is therefore possible to interconnect the application with your Okta enterprise account.
Step 1: Create the connector on the IdP
Log in to your Okta admin interface in the Applications section:
- Step 1: click "Create App Integration" and then "SAML 2.0".
- Step 2: Set a name for the connector, usually "LockSelf", and add the logo if desired. Then click "Next".
- Step 3: Fill in block A named "SAML Settings"
- Single sign on URL: corresponds to the reply URL that will be called by the connector.
- Audience URI (SP Entity ID): corresponds to the URL of the application's metadata.
- Name ID format: choose EmailAddress
- Application username: choose the desired value (equivalent to the user's UPN)
(where FQDN replaces the domain name of your LockSelf installation).
Once this initial information has been entered, click "Show Advanced Settings" and fill in the information as shown below. For the "Encryption Certificate" input, choose the certificate corresponding to your domain name (without the certification chain).
Once the advanced options are configured, you will now configure the attributes that will be sent to the LockSelf application. At this step, you must return the claims exactly as shown above. Be careful to respect the case.
Step 2: Upload the IdP metadata to LockSelf
This first step consists of retrieving the metadata file from your IdP. You can retrieve the file or the URL in the "Sign On" tab of the connector:
Retrieve this URL and enter it in the LockSelf application. To do this, see this documentation: Configuring the SSO interconnection (private cloud only).
Step 3: Allow users to access the application
This step consists of choosing which users or groups of users can access the connector, and therefore the application.
To do this, click "Assignments" in the left-hand menu and then "Assign".
At this level, you can add the users and groups that will be allowed to use the connector.
Step 4: Check the connection
Once these steps are completed, you will be able to test the connector:
-
Step 1: To test properly, open a private browsing window and go to the URL of your infrastructure (https://FQDN/?sso). If you use the browser extension, click the gear wheel, then "Clear cache".
-
Step 2: On the SSO tab, enter your email in the displayed field or click the "Log in" button directly.
- If this does not work, on the login page, click the gear wheels at the top right and check that the API URL field correctly ends with /api/ after the dedicated domain name. For example: https://votreentreprise.lockself-cloud.com/api/, https://lockself.votreentreprise.com/api/, etc.
- If this does not work, on the login page, click the gear wheels at the top right and check that the API URL field correctly ends with /api/ after the dedicated domain name. For example: https://votreentreprise.lockself-cloud.com/api/, https://lockself.votreentreprise.com/api/, etc.
-
Step 3: At this step, you will be redirected to your organization's Okta SSO portal where you can authenticate.
- Step 4: Once authenticated, you will be redirected to LockSelf, which will ask you to create the PIN code associated with your account.
See this documentation if needed: SSO login (Single Sign-On).
Step 5: Update the connector
An update of the token signing/encryption certificates must sometimes be performed on the Okta connector.
In this case, you will need to update the new IdP metadata file, in the Settings tab of the Administrator account, on the SSO module. To do this, see this documentation: Configuring the SSO interconnection.
Updated