Single Sign On with Okta using SAML
Single Sign On (SSO) is a mechanism in which a single login grants access to multiple services, including the GpsGate server. Among its main benefits, it reduces the number of passwords you need to remember and the time spent logging in to the various services. It also means that the identity provider decides who can reach GpsGate: the users assigned to the application there, and the attribute it sends as the user's identifier, determine which GpsGate account a login maps to.
We will install the SAML plugin to configure Single Sign On on the GpsGate server.
The plugin is named after the Security Assertion Markup Language (SAML) standard, which defines a framework for exchanging security information between online business partners.
1. Log in to SiteAdmin and navigate to the Plugins tab.
2. In the repository update.gpsgate.com, install the Saml plugin.
The setup comprises the following steps:
1. Site Admin setup
2. Choose an identity provider
Site Admin Setup
1. Click on the Saml menu in the Applications tab in SiteAdmin.
2. Click the Add button and select an application for single sign-on from the drop-down list.
Do not click the Create button yet; we will get back to this step once the identity provider is configured. This page shows the Single Sign On URL and Audience URI of the application, and the identity provider needs both.
At this point you need to choose an Identity Provider that provides an SSO endpoint and supports the SAML 2.0 protocol. In this example we show how to use Okta and ADFS as identity providers.
Okta Setup
1) Go to Okta's homepage, register an account and log in to the admin user interface.
2) Click the Add Application button on the Applications tab.
On the next page click Create New App on the left side.
3) Select SAML 2.0 as the sign-on method and click Create.
4) In General Settings, fill in an App name that matches the GpsGate application name and click Next.
5) Copy and paste the Single Sign On URL and Audience URI from step 2 of the Site Admin setup and click Next.
6) Select the options as shown below and click Finish.
7) Click Assign People on the People tab.
In the next view you can find the person that you want to assign to the app.
When you have selected a person, fill in the GpsGate username you want to associate with the Okta user. GpsGate uses this value to decide which account the Okta user signs in as, so only the users assigned here can log in, and only as the account named here.
8) On the Sign On tab, right-click the Identity Provider metadata link (in the section highlighted in yellow) and copy its URL.
Now you can continue with step 2 of the Site Admin setup:
Paste the metadata URL and click the Create button. GpsGate downloads the metadata in the background and pairs your GpsGate application with the Okta app.
9) Congratulations, you have successfully configured SSO.
When you visit the Single Sign On URL associated with your application, you are logged in to GpsGate automatically if you are already logged in to Okta.
Note: it is possible to sign in to Okta using Active Directory to make the login more convenient.
ADFS Setup
1) Go to the ADFS server and open AD FS Management.
2) Click on Add Relying Party Trust.
3) Set the Display name.
4) Enable the SAML 2.0 protocol and insert the Single Sign On URL from step 2 of the Site Admin setup, but change "http" to "https", because ADFS supports only HTTPS. The signed assertion that logs the user in is posted to this URL, so it should be served over HTTPS in any case.
It should be something like https://yourserver.com/saml/login.aspx?adfsid=ID
5) Insert the identifier URL, which looks like https://yourserver.com/saml/login.aspx
6) Click on the Add button.
7) Select 'Permit everyone'. Every account that can authenticate to ADFS is then allowed to use the relying party; the Name ID claim configured below determines which GpsGate username such a login is matched against.
8) In the newly opened window 'Edit Claim Issuance Policy for ...', add a new rule.
9) Select 'Send LDAP Attributes as Claims'.
10) Set the 'Claim rule name'. Select 'Active Directory' for 'Attribute Store'. Select 'SAM-Account-Name' for 'LDAP Attribute' and 'Name ID' for 'Outgoing Claim Type'. The SAM account name is therefore the value ADFS sends as the Name ID, so GpsGate usernames must match the Active Directory account names.
11) Now we can continue to step 2 of the Site Admin setup.
Set 'SAML Metadata URL' to the metadata URL of your ADFS server; it should be something like 'https://youradfsserver.com/federationmetadata/2007-06/federationmetadata.xml'.
If your federation metadata file does not provide a valid HTTP-Redirect URL, you can override it by entering a custom URL in the 'Override HTTP-Redirect URL' field.
Click the Create button.
GpsGate downloads the metadata in the background and pairs your GpsGate application with the ADFS server.
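Both the Okta and the ADFS procedures end with GpsGate downloading the identity provider's metadata and pairing the application with it. The following script is an added example, not GpsGate's code, and shows what a service provider takes from such a document and the checks worth running before trusting it: the entityID, the signing certificates that assertions will be verified against, the Name ID formats offered, and the HTTP-Redirect SingleSignOnService endpoint, with a fallback to an override URL when the metadata lacks that binding (the case the 'Override HTTP-Redirect URL' field covers). The metadata document is a constructed sample shaped like an ADFS federationmetadata.xml; the host names and the certificate string are placeholders, not real values.

```python
"""Inspect SAML 2.0 IdP metadata the way an SP does before pairing with it.

Added example, not GpsGate code. Element names and binding URIs come from
the SAML 2.0 metadata specification; the sample document is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like an ADFS federationmetadata.xml, trimmed to
# the parts an SP needs. The certificate is a placeholder string, not a key.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://youradfsserver.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://youradfsserver.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://youradfsserver.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# The same document without the HTTP-Redirect endpoint: the case in which an
# override URL has to be supplied by hand.
POST_ONLY_METADATA = "\n".join(
    line for line in SAMPLE_METADATA.splitlines() if "HTTP-Redirect" not in line
)


def inspect_idp_metadata(xml_text, override_redirect_url=None):
    """Return what the SP will trust from this metadata, plus a list of problems.

    Raises ValueError only when the document is not IdP metadata at all.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP role")

    problems = []

    # Certificates used to verify assertion signatures. A KeyDescriptor with
    # no 'use' attribute is valid for signing as well as encryption.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            signing_certs.append("".join((cert.text or "").split()))
    if not signing_certs:
        problems.append("no signing certificate: assertions could not be verified")

    # Endpoint the browser is redirected to when the SSO URL is visited.
    endpoints = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    redirect_url = endpoints.get(HTTP_REDIRECT) or override_redirect_url
    if redirect_url is None:
        problems.append("no HTTP-Redirect SingleSignOnService and no override URL")
    elif urlparse(redirect_url).scheme != "https":
        problems.append("SSO endpoint is not https: " + redirect_url)

    return {
        "entity_id": root.get("entityID"),
        "redirect_url": redirect_url,
        "signing_certs": signing_certs,
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "problems": problems,
    }


if __name__ == "__main__":
    for label, doc, override in (
        ("ADFS-style metadata", SAMPLE_METADATA, None),
        ("POST-only metadata, no override", POST_ONLY_METADATA, None),
        ("POST-only metadata, override set", POST_ONLY_METADATA,
         "https://youradfsserver.com/adfs/ls/"),
    ):
        result = inspect_idp_metadata(doc, override)
        print(label, "->", result["redirect_url"], result["problems"])
```

The script only parses metadata; it does not verify the metadata document's own signature or fetch it over the network. Because the signing certificate it extracts is what every later assertion is checked against, the metadata URL itself should be fetched over HTTPS from the identity provider, as in the steps above, rather than copied from an untrusted place.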
12) Congratulations, you have successfully configured SSO.
When you visit the Single Sign On URL associated with your application, you are logged in to GpsGate automatically if you are already logged in to ADFS.