Okta interconnection

Preamble

Interconnecting the LockSelf application with an identity federation is done through the SAMLv2 protocol. It is therefore possible to interconnect the application with your Okta enterprise account.

Step 1: Create the connector on the IdP

Log in to your Okta admin interface in the Applications section:

  • Step 1: click "Create App Integration" and then "SAML 2.0".

Screenshot_2022-03-22_at_12.44.25_PM.png

Screenshot_2022-03-22_at_12.45.17_PM.png

  • Step 2: Set a name for the connector, usually "LockSelf", and add the logo if desired. Then click "Next".

Screenshot_2022-03-22_at_12.47.58_PM.png

  • Step 3: Fill in block A named "SAML Settings"

Screenshot_2022-03-22_at_12.52.16_PM.png

  • Single sign on URL: corresponds to the reply URL that will be called by the connector.
  • Audience URI (SP Entity ID): corresponds to the URL of the application's metadata.
  • Name ID format: choose EmailAddress
  • Application username: choose the desired value (equivalent to the user's UPN)

(where FQDN replaces the domain name of your LockSelf installation).

Once this initial information has been entered, click "Show Advanced Settings" and fill in the information as shown below. For the "Encryption Certificate" input, choose the certificate corresponding to your domain name (without the certification chain).

Screenshot_2022-03-22_at_12.59.11_PM.png

Once the advanced options are configured, you will now configure the attributes that will be sent to the LockSelf application. At this step, you must return the claims exactly as shown above. Be careful to respect the case.

Screenshot_2022-03-22_at_1.14.17_PM.png

Step 2: Upload the IdP metadata to LockSelf

This first step consists of retrieving the metadata file from your IdP. You can retrieve the file or the URL in the "Sign On" tab of the connector:

Screenshot_2022-03-22_at_1.26.57_PM.png

Retrieve this URL and enter it in the LockSelf application. To do this, see this documentation: Configuring the SSO interconnection (private cloud only).

Step 3: Allow users to access the application

This step consists of choosing which users or groups of users can access the connector, and therefore the application.

To do this, click "Assignments" in the left-hand menu and then "Assign".

Screenshot_2022-03-22_at_1.47.55_PM.png

At this level, you can add the users and groups that will be allowed to use the connector.

Step 4: Check the connection

Once these steps are completed, you will be able to test the connector:

  • Step 1: To test properly, open a private browsing window and go to the URL of your infrastructure (https://FQDN/?sso). If you use the browser extension, click the gear wheel, then "Clear cache".
  • Step 2: On the SSO tab, enter your email in the displayed field or click the "Log in" button directly.
  • Step 3: At this step, you will be redirected to your organization's Okta SSO portal where you can authenticate.
  • Step 4: Once authenticated, you will be redirected to LockSelf, which will ask you to create the PIN code associated with your account.

See this documentation if needed: SSO login (Single Sign-On).

Step 5: Update the connector

An update of the token signing/encryption certificates must sometimes be performed on the Okta connector.

In this case, you will need to update the new IdP metadata file, in the Settings tab of the Administrator account, on the SSO module. To do this, see this documentation: Configuring the SSO interconnection.

Updated