Single Sign On with Okta using SAML

This guide walks you through how to use Single Sign On in GpsGate. Single Sign On is a mechanism where a single login action provides access to multiple services, including the GpsGate server. Its main benefits are that it reduces the number of passwords you need to remember and decreases the time spent logging in to various services.


Installation

We will install the SAML plugin to configure Single Sign On on the GpsGate server.
The plugin name refers to the Security Assertion Markup Language (SAML) standard, which defines a framework for exchanging security information between online business partners.

1) Log in to SiteAdmin and navigate to the Plugins tab.
2) In the repository update.gpsgate.com, install the Saml plugin.

GpsGate Setup

1) Click on the Saml menu in the Applications tab in SiteAdmin.
[Screenshot: sso menu]

2) Click on the Add button and select an application for single sign-on from the drop-down list.
[Screenshot: sso new]
Do not click the Create button yet, because we will get back to this step later.

At this point you need to choose an Identity Provider that provides an endpoint for SSO and supports the SAML 2.0 protocol. In this example we show how to use Okta and ADFS as the identity provider.

Okta Setup

1) Go to Okta's homepage, register an account and log in to the admin user interface.

2) Click on the Add Application button on the Applications tab.
[Screenshot: Okta add applications]
On the next page click Create New App on the left side.

3) Select SAML 2.0 as the sign-on method and click Create.
[Screenshot: Okta select sign on method]

4) In General Settings, fill in the App name that corresponds with the GpsGate application name and click Next.
[Screenshot: Okta app general settings]

5) Copy-paste the Single Sign on URL and Audience URI from step 2) and click Next.
[Screenshot: Okta app saml configuration]

6) Select the options as shown below and click Finish.
[Screenshot: Okta app finish]

7) Click Assign people on the People tab.
[Screenshot: Okta assign people]
In the next view you can find the person you want to assign to the app.
[Screenshot: Okta select person]
When you have selected a person, fill in the GpsGate username you want to associate with the Okta user.
[Screenshot: Okta gpsgate username]

8) Right-click and copy the link of the Identity Provider metadata URL on the Sign on tab (from the section highlighted in yellow).
[Screenshot: Okta app saml configuration]
Now you can continue with step 2:
Paste the Metadata URL and click the Create button. GpsGate will download the metadata in the background and pair your GpsGate application with the Okta App.
[Screenshot: sso paste metadata url]

9) Congratulations, you have successfully configured SSO.
[Screenshot: sso identity provider successfully created]
When you visit the Single Sign On URL associated with your application, you will be automatically logged in to GpsGate if you are already logged in to Okta.
Note: it is possible to sign in to Okta using Active Directory to make the login more convenient.

ADFS Setup

1) Go to the ADFS server and open AD FS Management.

2) Click on Add Relying Party Trust.
[Screenshot: add relying party trust 1]
Click Next.

3) [Screenshot: add relying party trust 2]

4) Set the Display name.
[Screenshot: add relying party trust 3]

5) Enable the SAML 2.0 protocol and insert the Single Sign On URL from step 2 of GpsGate Setup, but change “http” to “https”, because ADFS supports only HTTPS.
It should look something like https://yourserver.com/saml/login.aspx?appid=ID
[Screenshot: add relying party trust 4]

6) Click the Remove button.
[Screenshot: add relying party trust 5]

7) Delete everything after ‘?’ from the existing URL and click Add.
The relying party trust identifier will change from ‘https://yourserver.com/saml/login.aspx?appid=ID’ to ‘https://yourserver.com/saml/login.aspx’.
[Screenshot: add relying party trust 6]

8) Select ‘Permit everyone’.
[Screenshot: add relying party trust 7]

9) Now, in the newly opened window ‘Edit Claim Issuance Policy for ...’, add a new rule.
[Screenshot: add relying party trust 8]

10) Select ‘Send LDAP Attributes as Claims’.
[Screenshot: add relying party trust 9]

11) Set the ‘Claim rule name’.
Select ‘Active Directory’ for ‘Attribute Store’.
Select ‘SAM-Account-Name’ for ‘LDAP Attribute’ and ‘Name ID’ for ‘Outgoing Claim Type’.
[Screenshot: add relying party trust 10]

12) Now we can continue with step 2 of GpsGate Setup.
Set the ‘SAML Metadata URL’ for your ADFS server; it should look something like ‘https://youradfsserver.com/federationmetadata/2007-06/federationmetadata.xml’.
If your federation metadata file does not provide a valid ‘HTTP-Redirect URL’, you can override it by entering a custom URL in the ‘Override HTTP-Redirect URL’ field.
Click the Create button.
GpsGate will download the metadata in the background and pair your GpsGate application with the ADFS server.

13) Congratulations, you have successfully configured SSO.
[Screenshot: add relying party trust 12]

When you visit the Single Sign On URL associated with your application, you will be automatically logged in to GpsGate if you are already logged in to ADFS.
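Both setups end with GpsGate downloading the identity provider's SAML metadata (the Okta metadata URL in Okta step 8, the ADFS federation metadata in ADFS step 12). The following Python example is added here and is not code from GpsGate or the original article: it parses a constructed IdP metadata document and reports what the service provider depends on, namely the entityID, the SingleSignOnService endpoint per binding (a missing HTTP-Redirect binding is exactly the case the ‘Override HTTP-Redirect URL’ field covers), whether a signing certificate is published, and whether every endpoint uses HTTPS. The hostname, entityID and certificate body in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: a trimmed ADFS-style federation metadata document.
# Hostname and entityID are placeholders; the certificate body is a dummy.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://youradfsserver.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://youradfsserver.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Extract what an SP needs from IdP metadata and flag the gaps an admin
    would otherwise only discover when the pairing or the login fails."""
    # Metadata fetched over the network is untrusted input; defusedxml is the
    # safer parser there. The stdlib parser is used here to stay dependency-free.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # One Location per binding; GpsGate needs the HTTP-Redirect one.
    endpoints = {sso.get("Binding"): sso.get("Location")
                 for sso in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a "use" attribute covers signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use", "signing") == "signing"]
    return {
        "entity_id": root.get("entityID"),
        "redirect_url": endpoints.get(REDIRECT),  # None: override field is needed
        "post_url": endpoints.get(POST),
        "has_signing_cert": any(k.find(".//ds:X509Certificate", NS) is not None
                                for k in signing),
        "all_https": all(loc.startswith("https://") for loc in endpoints.values()),
    }
```

With the sample above, redirect_url comes back as None because the document only advertises the HTTP-POST binding, which is the situation where the override field in step 12 applies.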