This article describes how it is possible to use OKTA as a SAML IDP (Identity Provider) and configure RH-SSO as a SP (Service Provider).
RedHat SSO Integration with OKTA : In this example, the NameID used is persistent. It means that user at IDP Provider (OKTA) shall also exist at SP provider (RH-SSO). Once the configuration done, it is possible to authenticate a RH-SSO user directly against OKTA IDP.
The configuration is done as fllows:
1) Create a new realm test_saml_okta (RH-SSO)
select add Identity provider
Notice the redirect URI created
2) OKTA IDP configuration
You first need to register at OKTA for an evaluation account
The way to configure OKTA as a SAML IDP is described at
Some important points to be noticed:
1. add the redirect URI created earliar as SAML settings for Single Sign ON URL on OCTA
2. add following attributes to be taken account in the assertion:
<strong>email, firtsname, lastname</strong>
3. Once the registration of the SAML IDP provider is completed, you obtain a link such as
4. With the evaluation version, you can assign only one user to this provider, which is yourself.
Goto the assign panel of your application, and click on "assign people". It will propose yourself being candidate for this federation application.
3) SAML Configuration of RH-SSO
You can can paste the URL of the OKTA medata.
It will fill RH-SSO with all teh SAML information w.r.t to OKTA
At this stage you can save the configuration.
4) Adding attribute provider
RH-SSO requires 3 attributes (mandatory):
firstname, lastname, and email.
Mappers are used to map the attribute received from the SAML assertion ont RH-SSO attribute.
value to provided
attribute Name: email
user attribute Name: email
5) Creating a new user in RH-SSO realm
You need to create a user within this realm (which is exactly the one created for Okta)
6) Testing (1st time)
1. Select <strong></strong>
2. You will notice that a new button with saml_3_octa has appeared
3. Click on this button.
It will redirect you to OKTA login page
4. You need to identify withe the user ceated at OKTA (i.e yourself)
5. Once Authenticated at OKTA, you are redirected to RH-SSO portal, asking you if you want to authenticate
with this existing user.
You should answer yes, and you are redirected to the RH-SSO dashoard.
this step is very important, because it means that now your account is linked with OKTA account.
From a SAML standpoint, account linking occurs only the first time.
You can easily verify this, by checking viewing teh user details linked account.
7) Testing (2nd time and more)
As a consequence, it means that as long as accounts are linked, RH-SSO authentication will no longer be called. When using saml authentication, you are first redirected to OKTA for authentication.
Upon successful authentication, you will get RH-SSO autehntication immediately.
Specialised in IAM (security, access control, identity management) and Open Source integration, settled in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governements with a concern for Identity Management and Open Source components.
JANUA provides better security, build relationships, and enable new cloud, mobile, and IoT offerings from any device or connected thing.
Les derniers articles par Olivier Rivat (tout voir)
- Architectural principles with Keycloak-Redhat SSO - 10 juillet 2018
- Using Keycloak/RH-SSO in a microservice SAAS architecture - 20 juin 2018
- Howto Docker with Keycloak – examples - 16 mai 2018