Okta SAML

The following guide is to help the deployment of an Okta SAML configuration as the authentication provider for Pyramid. Okta is not that different to generic SAML, but there are some key aspects that are unique.

Note: This feature is only available with Enterprise licensing.

Important: If Same Site client security is set to Strict when using SAML authentication, this may cause a loop redirect between Pyramid and the SAML provider, as cookies are prevented from working across different web domains. This shouldn't be an issue if your SAML provider and Pyramid are within the same web domain.

Okta SAML Setup

Create a SAML Application

Login to the Okta Administrator page and select Applications > Applications, then click Create App Integration.

Select SAML 2.0 and click Next.

General Settings

First give your application a name (for example, Pyramid SAML).

Then click Next to configure SAML settings:

  • Single sign-on URL: Your Pyramid URL with /login/callback on the end
  • Audience URL (SP Entity ID): Pyramid
  • Name ID format: x509SubjectName
  • Application username: Email (you can choose any option that is best for you).

Then click Next and Finish to create your application.

Assignments

Once your Okta application has been created, select it and then click Assignments. Here you can add users that will be allowed to login to your Pyramid instance.

Setting the provider up in Pyramid

To pull the metadata details for use in moving Pyramid to SAML click Sign on and copy and browse to the meta data URL.

Then open authentication manager in the Pyramid admin console:

  1. In the Admin Console, click Security > Authentication.

    2. The Authentication Provider page opens with the details of your current Authentication Provider displayed.

  2. From the top-right of the page, click Change Provider.

    3. The Change Provider page opens. You will copy the details of your new authentication provider into this page, starting by selecting your Provider.

Take all the setup information from the steps “App details” and “Service Provider details”

  • Consumer URL: Your Pyramid URL with /login/callback on the end
  • SAML Issuer: This is the Audience URI (SP Entity ID) setup in the “configure SAML” section. In the example we set it as “Pyramid”
  • IDP URL: This is the SingleSignOnService (HTTP-POST) URL taken from the meta data URL
  • Logout URL: https://<your-okta-domain>/login/signout
  • Certificate: This is the ds:X509Certificate taken from the meta data URL
  • External Id: Any user that you gave access to the application. It must match the value you mapped to the subject.

User Provisioning Setup

The Okta SAML provider can be used for auto provisioning in Pyramid. If you want to use auto provisioning, you will need to set up the app and then specify its settings on the Provider Provisioning tab. For more information, see Okta User Provisioning.

Save your changes

Click Apply to start the provider change-over process. At this stage, the existing users (attached to the previous authentication system) need to be converted over.

Admins will be prompted to either:

  • Delete all existing users and their local content. When users are deleted by this process, all their private data (the discoveries, publications, and so on that are stored in their My Content Folder) is "soft deleted." Soft deleted files are moved into the Deleted users content folder and can be restored by an admin if needed.
  • Convert old users to the new provider (through the user conversion wizard), and keep their content

Since this exercise cannot be rolled back once the changes are committed, admins need to step through this exercise carefully.

  • Click here for a detailed explanation and walkthrough of User Conversion