Identity Provider Integration IV: Okta
Create App Integration
SAML2 authentication with Okta Accounts is supported from Silverback Version 22.0.0.122.
- Open your sign-in URL (e.g. https://imagoverum.okta.com) and login
- Navigate to Admin
- Select Applications
- Press Create App Integration
- Select SAML 2.0
- Press Next
Create SAML Integration
- Enter an App Name, e.g. Matrix42 Silverback
- Upload an App icon (optional)
- Press Next
- Enter as Single sign on URL your Silverback URL in the following format: https://silverback.company.com/sts/authorize/login
- Ensure that Use this for Recipient URL and Destination URL is enabled
- Enter as Audience URI your Silverback URL in the following format: https://silverback.company.com
- Select as Name ID format EmailAddress
- In the Attribute Statements, add the following entry
- Name: http://schemas.xmlsoap.org/ws/2005/0...ty/claims/name
- Name format: Unspecified
- Value: user.login or user.email
- Press Next
- Enter your Okta Support Feedback
- Press Finish
Download Metadata
- Under SAML Signing Certificates, locate your active certificate
- Click Actions
- Click View IdP metadata
- A new browser tab will be opened
- Copy the browser URL to your clipboard, e.g. https://imagoverum.com.okta.com/app/.../saml/metadata
Grant Access
- Navigate back to your recent tab
- Applications > Applications > Matrix42 Silverback
- Select Assignments
- Press Assign and select Assign to People or Assign to Groups
- Select all the desired People or Groups
- Press Done
Import Metadata to Silverback
Import Metadata
- Open your Silverback Management Console
- Login as Administrator
- Navigate to Admin
- Navigate to Authentication Provider
- Click Import from URL
- Paste your recently captured metadata URL, e.g. https://imagoverum.com.okta.com/app/.../saml/metadata
- Click OK
- Click OK to save these changes
- Click OK to confirm
Configure Authentication Provider
- Enable Show on Login Page
- Disable classic sign-in (optional)
- Change the Service Provider and add your Silverback URL in the following format: https://silverback.company.com
- Enable Dynamic User Creation
- Silverback will create for each login a local user account for verification reasons
- Use your Identity Provider as access control mechanism
- Change the Title of your SAML2 Button, e.g Okta
- Change the Icon
- Change the Color
- Click Save
Review the Settings Overview for further explanation and appearance.
Try a Login as a Device User
- Open your Browser in Incognito Mode
- Open Self Service Portal
- Check the SAML2 button appearance
- Click the SAML2 button
- You will be redirected to your Okta Identity Provider
- Login with your credentials
- When everything went right, you should be logged it into Self Service Portal
- Take a device and perform an enrollment
- In case you have an active LDAP Connection in Silverback, please refer to Co-Existence with LDAP Connection
- Otherwise, please proceed with Identities
Co-Existence with LDAP Connection
In case you connected Silverback with a LDAP Server, you might receive after pressing the Start (1) button inside the Self-Service Portal, an error that contains a warning that this user already has a pending enrollment request or that you are not authorised to access this system (2). The logic is that if a LDAP connection is available, Silverback checks first your LDAP server if the user is present to query additional LDAP Attributes for the user and to not create dynamically a new local user. To ensure the matching between your Identity Provider and the user in your LDAP Server and to let your users create a new pending enrollment, the value selected for Attribute Statements must match with the comparer added in your LDAP User Filter (e.g. userPrincipalName={0}). The captured username from the Identity Provider login (your Attribute Statement) is indicated after Welcome (3) and must match in the Co-Existence with the userPrincipalName of the user in your LDAP server. In case a Group Membership is set in the LDAP User Filter (MemberOf=), the user must be present in the select Group Membership, too. Please keep also in mind, that the LDAP user must have a valid Device Email Field information present. With the LDAP attribute Username, you can ultimately define in this scenario which user name the device will receive in Silverback.
Identities
- Navigate back to your Silverback Management Console
- Navigate to Users
- You should see now a new Username with your Identity Provider E-Mail and Username information
- e.g. Username: tim.tober@imagoverum.com
- e.g. Email: tim.tober@imagoverum.com
SAML2 Admin Account
- Navigate to Admin
- Navigate to User Management
- Click New System User
- Enter a username
- Enter as Email the E-mail used for your Idenity Provider (e.g. tim.tober@imagoverum.com)
- Create any password you like
- Ensure to meet minimum requirements
Type any random password that matches the minimum password requirements as the authentication will be done through the Identity Provider.
- Select Role
- Select Language
- Click Save
Try a Login as Administrator
- Open your Browser in Incognito Mode
- Open Silverback Management Console
- Click the SAML2 Button
- You will be redirected to your Identity Provider
- Login with your Credentials
- When everything went right, you should be logged it into Silverback Management Console
Additional Notes
In case you enroll devices with the Device Enrollment Program, ensure to use as Authentication Username +OTP if your users has been created dynamically as a local device user (Identities) in Silverback. Due to the authentication with the Identity Provider, these users will be created without any password, so Silverback is not able to perform an authentication for the user at this stage of the device enrollment.