You are here:

Okta SAML

The following guide is to help the deployment of an Okta SAML configuration as the authentication provider for Pyramid. Okta is not that different to generic SAML, but there are some key aspects that are unique.

Note: This feature is available with Enterprise licensing only.

Important: If Same Site client security is set to Strict when using SAML authentication, this may cause a loop redirect between Pyramid and the SAML provider, as cookies are prevented from working across different web domains. This shouldn't be an issue if your SAML provider and Pyramid are within the same web domain.

Okta SAML Setup

Create a SAML Application

Select SAML 2.0 and click on “Next”

General Settings

First give your application a name e.g. Pyramid SAML.

Then Click on “Next” to configure SAML settingsL

Single sign-on URL: Your Pyramid URL with /login/callback on the end
Audience URL (SP Entity ID): Pyramid
Name ID format: x509SubjectName
Application username: Email (you can choose any option that is best for you)

Then click on “Next” and “Finish” to create your application.

Assignments

Once your Okta application has been created, click on it and then click on “Assignments.” Here you can add users that will be allowed to login to your Pyramid instance.

Setting the provider up in Pyramid

To pull the metadata details for use in moving Pyramid to SAML click on “Sign on” and copy and browse to the meta data URL.

Then open authentication manager in the Pyramid admin console: Pyramid Admin>Security>Authentication, click the Change Provider button.

Take all the setup information from the steps “App details” and “Service Provider details”

Consumer URL: Your Pyramid URL with /login/callback on the end
SAML Issuer: This is the Audience URI (SP Entity ID) setup in the “configure SAML” section. In the example we set it as “Pyramid”
IDP URL: This is the SingleSignOnService (HTTP-POST) URL taken from the meta data URL
Logout URL: https://<your-okta-domain>/login/signout
Certificate: This is the ds:X509Certificate taken from the meta data URL
External Id: Any user that you gave access to the application. It must match the value you mapped to the subject.

User Provisioning Setup

The Okta SAML provider can be used for auto provisioning in Pyramid. Click here for more details.

Save your changes

Click Apply to start the provider change over process. At this stage, the existing users attached to the previous authentication system need to be converted over.

Admins will be prompted to either:

Delete all existing users and delete their content
Convert old users to the new provider (through the user conversion wizard), and keep their content

Since this exercise cannot be rolled back once the changes are committed, admins need to step through this exercise carefully.

For a detailed explanation and walk-through, click here to see User Conversion

Feedback

Couldn't find what I was looking for

Help was confusing, unclear or incomplete

Instructions didn't work