
Set up SAML Single Sign-On with Okta

Notes of Interest

  • For additional background on Detect's SAML support, refer to the article published when SAML support was released (Version 6.2)
  • Roles from Cognito Detect that are to be assigned to Okta groups are not uploaded to Okta to form a pick list, unlike the Azure AD setup, where JSON roles are added to the Azure AD app manifest
    • Groups that are assigned to the Cognito app configured in Okta require the role to be entered manually
    • The role entered must be the exact Standardized Name for that role, taken from Detect's Manage > Roles area
  • Ensure each user is mapped to only one Vectra Cognito Detect Role in the IdP
    • If a user is mapped to more than one role, the user may not be assigned the intended role

Summary of Steps for Experienced Admins

  • Add a Web Platform app with SAML 2.0 as sign on method
  • In another browser tab, get the SAML information from Detect that you will use to configure the Okta app
    • Manage > External Authentication > Create in SAML Profiles section
  • Use the following mappings/data to complete the SAML settings in Okta
    • Okta "Single Sign on URL" = Detect "SP ACS URL"
    • Okta "Audience URI (SP Entity ID)" = Detect "SP Entity Provider"
    • Add "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" with "Unspecified" Name Format and a Value of "user.email" as an attribute
  • Use the Okta Directory > Profile Editor to add a required attribute for the Cognito Detect Role
    • Use the default "string" type
    • Fill in the Display name with something like "Cognito Detect Role"
    • Fill in the Variable name with something like "cognito_detect_role"
    • Tick the Attribute required checkbox to require this attribute
  • Edit the Okta app SAML settings to add another attribute after the user.email attribute
    • For the Name use: https://schema.vectra.ai/role
    • For the Name format, leave it as Unspecified
    • For the value use "appuser.cognito_detect_role" (using whatever variable name you defined previously after the ".")
  • Download the Identity Provider metadata from Okta to complete the Detect SAML profile
  • Assign Okta groups to the Detect SAML app that you created
    • You will need to add the Standardized Name of the Cognito Detect role to each group as you associate it with the app
  • Test your new login using your normal Cognito Detect login hostname or IP
    • Local login is still available at: https://<ip or hostname>/accounts/login/?local=True

Okta SAML Setup (Step by Step)

  • In the Okta Admin Console, navigate to Applications > Applications

  • Click "Add Application"

  • Click "Create New App" to start the Application Integration Wizard

  • Select "Web" as the Platform for your integration
  • Select "SAML 2.0" in the Sign on method section
  • Click "Create"

  • On the General Settings tab, enter a name for your integration
    • In this example we used "Cognito Detect SAML-Test"
    • Everything else can be left blank on this screen
    • Click Next to enter the "Configure SAML" screen for the Okta SAML Integration

  • Next we'll need to create the Cognito Detect SAML Authentication Profile
  • Open a new browser tab and log in to Detect as you normally do and navigate to Manage > External Authentication
  • Click on “Create” in the SAML Profiles section

  • A dialog opens showing the SP Entity Identifier and SP ACS URL; enter these in the corresponding fields on the Okta SAML Settings screen

  • Enter the information as follows in Okta
    • Okta "Single Sign on URL" = Detect "SP ACS URL"
    • Okta "Audience URI (SP Entity ID)" = Detect "SP Entity Provider"
  • You do not need to change anything in the "Show Advanced Settings" area
  • Add "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" with "Unspecified" Name Format and a Value of "user.email" as an attribute near the middle of this dialog
  • Click Next at the bottom of the screen

  • Answer any feedback questions presented on the app creation flow
  • Click "Finish" to save the app

  • You'll now be on the "Sign On" page in your newly created App

  • Next we will configure how Okta can specify Cognito Detect Roles
  • Navigate to Directory > Profile Editor

  • Click the Profile Action button on the right for "Cognito Detect SAML-Test User" (or whatever you named your app)

  • Click on + Add Attribute in the Profile Editor

  • Use the default "string" type
  • Fill in the Display name with something like "Cognito Detect Role"
  • Fill in the Variable name with something like "cognito_detect_role"
  • Tick the Attribute required checkbox to require this attribute
  • Click on Save at the bottom of the dialog

  • Next we will add this newly created attribute to our SAML app configuration
  • Click Applications > Applications on the navigation at the top of the screen

  • Click on your app

  • Click on the General tab

  • Click Edit on the SAML Settings

  • Click Next until you get to the Configure SAML page again
  • Add another attribute after the user.email one
  • For the Name use: https://schema.vectra.ai/role
  • For the Name format, leave it as Unspecified
  • For the value use "appuser.cognito_detect_role" (using whatever role variable name you defined previously after the ".")
  • Click Next

  • Answer any feedback questions presented on the app creation flow
  • Click "Finish" to save the app
  • From your app's "Sign On" page, download the "Identity Provider metadata" and save it as an .xml file

  • Go back to your Cognito Detect tab in your browser and upload the XML file

  • Give your SAML profile a name and click "Create"

  • Now we are ready to assign Okta Groups to the Cognito Detect SAML app
  • In your Okta browser tab, navigate to Directory > Groups

  • Select or create a group in Okta's Directory that you want to have access to Cognito Detect
  • In this example we'll click on an existing Security Analyst group

  • Click on the "Manage Apps" button

  • Click Assign on your app

  • Next, add the Cognito Detect Role that you want to assign to this group
    • Note that you must use the Standardized Name from the Role definition in Detect
    • A sample from the Manage > Roles > Security Analyst role in Cognito Detect is shown below, followed by a screenshot showing the role being entered into Okta
  • Click "Save and Go Back"

  • Repeat this process for any other groups you want to have access with their corresponding roles
  • Now you are ready to test your SAML SSO integration
  • Below you will find a video demonstrating the Okta SAML SSO login flow
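As an added example (not part of this article, and not code from Vectra or Okta), the following Python checks a SAML assertion against the mapping configured above: the Audience must equal Detect's SP Entity ID, the name claim must carry a single email, and exactly one https://schema.vectra.ai/role value must be present, since the Notes of Interest warn that a user mapped to more than one role may not receive the intended one. The assertion, the audience URL and the role names are constructed placeholders; the check inspects attribute mapping only and performs no signature validation.

```python
"""Sanity-check a SAML assertion against the Okta -> Detect mapping set up above."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names exactly as entered in the Okta "Configure SAML" screen.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "https://schema.vectra.ai/role"

# Constructed sample (not captured from a real tenant). The Audience stands in
# for Detect's "SP Entity Provider"; role values are placeholders, not real names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://detect.example.invalid/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>analyst@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://schema.vectra.ai/role">
      <saml:AttributeValue>placeholder_role_a</saml:AttributeValue>
      <saml:AttributeValue>placeholder_role_b</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root, name):
    """All AttributeValue texts for the SAML attribute whose Name is `name`."""
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return []


def check_assertion(xml_text, expected_audience):
    """Return (email, roles, problems); problems is empty for a clean assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append("audience mismatch")          # Okta Audience URI != Detect SP Entity ID
    emails = attribute_values(root, NAME_CLAIM)
    if len(emails) != 1:
        problems.append("name claim missing or not unique")
    roles = attribute_values(root, ROLE_CLAIM)
    if not roles:
        problems.append("no role attribute")           # group assigned without a role value
    elif len(roles) > 1:
        problems.append("more than one role")          # the multi-role case from Notes of Interest
    return (emails[0] if emails else None), roles, problems
```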
