Okta SSO

Introduction

Single Sign-On (SSO) lets organizations use a SAML 2.0 authentication provider to authenticate logins to SAFE. Admins can onboard and manage users directly from their Okta SSO platform, eliminating the need to maintain a separate user authentication mechanism for SAFE.

SAFE does not support the IdP-initiated SSO flow. To navigate directly to SAFE and log in from within your Okta enterprise application, you must request that SAFE provide a URL that can be bookmarked in Okta.

Setting up Okta


  1. Click on Applications from the left navigation bar in the Okta developer console.
  2. On the Add Application page, click the Create New App option.
  3. For the Sign-on method, choose SAML 2.0.
  4. Click Create. The SAML app is created.
  5. Now on the Create SAML Integration page, under General Settings, enter a name for your app.
  6. The logo field is optional.
  7. Click Next.
  8. Go to the GENERAL settings.
  9. Enter the Audience URI (SP Entity ID) and Reply URL (Single Sign-On URL) using the details for your regional instance.
  10. Under ATTRIBUTE STATEMENTS, add a statement with the following information:
    1. For Name, enter the SAML attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
    2. For Value, enter user.email.
    3. Optional: The following attributes are not mandatory, since they do not affect the SAFE integration with Okta. If they are configured, however, they are synced to the respective fields of the onboarded users in SAFE, so the SAFE Admin does not have to update those fields separately in SAFE whenever they change in Okta.
      1. For First Name:
        1. For Name, enter the SAML attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.
        2. For Value, enter user.firstName.
      2. For Last Name:
        1. For Name, enter the SAML attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname.
        2. For Value, enter user.lastName.
      3. For Mobile Phone:
        1. For Name, enter the SAML attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone.
        2. For Value, enter user.primaryPhone or user.mobilePhone. The number must be in international format, with no symbol other than the leading +; if this attribute is added and the value is not in international format, login breaks for that user. Also note that the attribute must reference the field the user's profile actually populates: if the profile sets primaryPhone but the attribute value references mobilePhone, the number is not fetched.
      4. The overall attribute settings should match the screenshot below:
  11. Choose Next and Finish.
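As an added illustration (not part of this article or of SAFE's own code), the following Python snippet shows what the attribute statement configured above looks like once it reaches the service provider, and checks the two conditions the steps call out: the emailaddress claim must be present, and a mobilephone value must be in international format (a leading + followed by digits only). The assertion XML and the phone numbers are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as configured in the Okta ATTRIBUTE STATEMENTS above.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL = CLAIMS + "emailaddress"
GIVEN_NAME = CLAIMS + "givenname"
MOBILE = CLAIMS + "mobilephone"

# International format as the article describes it: "+" then digits, no other symbol.
MOBILE_RE = re.compile(r"^\+\d+$")


def parse_attributes(assertion_xml: str) -> dict:
    """Return {claim_uri: value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_assertion(assertion_xml: str) -> list:
    """List the problems that would break the login described above (empty list = OK)."""
    attrs = parse_attributes(assertion_xml)
    problems = []
    if not attrs.get(EMAIL):
        problems.append("missing emailaddress attribute (required for SAFE login)")
    mobile = attrs.get(MOBILE)
    if mobile and not MOBILE_RE.match(mobile):
        problems.append(f"mobilephone {mobile!r} is not in international format (+ and digits only)")
    return problems


# Constructed sample assertion: realistic shape, not a real Okta response.
SAMPLE_OK = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GIVEN_NAME}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{MOBILE}"><saml:AttributeValue>+14155550100</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same user, but the phone carries dashes, which the article says breaks that user's login.
SAMPLE_BAD_PHONE = SAMPLE_OK.replace("+14155550100", "+1-415-555-0100")

if __name__ == "__main__":
    print(check_assertion(SAMPLE_OK))         # []
    print(check_assertion(SAMPLE_BAD_PHONE))  # one mobilephone problem
```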

Assign a user to your Okta application


  1. First, onboard a user on the Okta developer console.
  2. Navigate to Dashboard > Choose Directory > People > Onboard a user.
  3. Note: Onboard the user with the domain that should be there in the SAFE application. For example: USER@DOMAIN_GIVEN_TO_SAFE.
  4. Now assign that user to the Okta application you created.
  5. On the Assignments tab for your Okta app, for Assign, choose Assign to People.
  6. Choose Assign next to the user that you want to assign.
    Note: If this is a new account, the only option available is to choose yourself (the admin) as the user.
  7. Choose Done and Go Back. Your user is assigned.
  8. Contact the SAFE Support team to do the required steps in AWS Cognito.

Adding User(s) to SAFE


  1. Before a user can log in to SAFE with an SSO-configured email, an existing SAFE Admin user must log in and add that user to SAFE. This is done by creating the user manually in SAFE.
  2. Once the users are onboarded, they can start logging in to SAFE using their Email ID with the domain configured in SSO. On entering the correct Email ID, the Okta authentication page will open up, where they can enter their Okta credentials.
