This article describes how it is possible to use OKTA as a SAML IDP (Identity Provider) and configure RH-SSO as a SP (Service Provider).
RedHat SSO Integration with OKTA : In this example, the NameID used is persistent. It means that user at IDP Provider (OKTA) shall also exist at SP provider (RH-SSO). Once the configuration done, it is possible to authenticate a RH-SSO user directly against OKTA IDP.
The configuration is done as fllows:
1) Create a new realm test_saml_okta (RH-SSO)
select add Identity provider
Notice the redirect URI created
2) OKTA IDP configuration
You first need to register at OKTA for an evaluation account
The way to configure OKTA as a SAML IDP is described at
Some important points to be noticed:
1. add the redirect URI created earliar as SAML settings for Single Sign ON URL on OCTA 2. add following attributes to be taken account in the assertion: email, firtsname, lastname 3. Once the registration of the SAML IDP provider is completed, you obtain a link such as https://dev-537125.oktapreview.com/app/exkc4t48rf7NqpkOP0h7/sso/saml/metadata 4. With the evaluation version, you can assign only one user to this provider, which is yourself. Goto the assign panel of your application, and click on "assign people". It will propose yourself being candidate for this federation application.
3) SAML Configuration of RH-SSO
You can can paste the URL of the OKTA medata.
It will fill RH-SSO with all teh SAML information w.r.t to OKTA
At this stage you can save the configuration.
4) Adding attribute provider
RH-SSO requires 3 attributes (mandatory):
firstname, lastname, and email.
Mappers are used to map the attribute received from the SAML assertion ont RH-SSO attribute.
value to provided
Name: email mapper_type:attribute importer attribute Name: email user attribute Name: email
5) Creating a new user in RH-SSO realm
You need to create a user within this realm (which is exactly the one created for Okta)
6) Testing (1st time)
1. Select 2. You will notice that a new button with saml_3_octa has appeared 3. Click on this button. It will redirect you to OKTA login page 4. You need to identify withe the user ceated at OKTA (i.e yourself) 5. Once Authenticated at OKTA, you are redirected to RH-SSO portal, asking you if you want to authenticate with this existing user. You should answer yes, and you are redirected to the RH-SSO dashoard. Note: this step is very important, because it means that now your account is linked with OKTA account. From a SAML standpoint, account linking occurs only the first time. You can easily verify this, by checking viewing teh user details linked account.
7) Testing (2nd time and more)
As a consequence, it means that as long as accounts are linked, RH-SSO authentication will no longer be called. When using saml authentication, you are first redirected to OKTA for authentication.
Upon successful authentication, you will get RH-SSO autehntication immediately.
- Understanding Oauth2-OpenID scope usage with Keycloak - 2 octobre 2019
- Using Impersonation with Keycloak - 13 septembre 2019
- Offline Sessions and Offline tokens within Keycloak - 28 août 2019