How to Set Up Single Sign-On For Okta
Creating the App in Okta
1. Log in to your Okta account.
2. In the sidebar, expand the Applications menu and click Applications.
3. Click Create App Integration.
4. In the popup box, select SAML 2.0 and click Next.
   Note: Okta's Applications list includes a preconfigured Bluescape enterprise application. Do not use it; it is not configured correctly for the current release.
5. On the Create SAML Integration screen, enter the app name and click Next.
6. The SAML settings screen opens. Complete the following substeps:
   a. In the Single sign-on URL field, enter:
      https://identity-api.<domain>/api/authenticate/<IdentityProvider.uid>
      Note: The final part of the URL, <IdentityProvider.uid> (acs_id), is only a placeholder. It is updated later with the actual ID of the SAML provider, once the provider has been added in Bluescape.
   b. In the Audience URI (SP Entity ID) field, enter:
      https://portal.apps.us.bluescape.com/saml/metadata/customer_saml_provider_name
      Note: The final part of the URL, customer_saml_provider_name, is only a placeholder. It is updated later with the actual ID of the SAML provider, once the provider has been added in Bluescape.
   c. Leave the Default RelayState field blank.
   d. Set the Name ID format field to Email Address.
   e. Set the Application username field to Email.
   f. Leave the Update application username on field unchanged.
7. Scroll down to the Attribute Statements section and enter the following four attributes to provision users on Bluescape:

   Name             Name Format   Value
   User.FirstName   Unspecified   user.firstName
   User.LastName    Unspecified   user.lastName
   User.Email       Unspecified   user.email
   user_guid        Unspecified   user.id

   Note on user_guid: If you choose a value other than user.id, it must be unique for each user and must never change, even if the user's email address changes.
8. Click Next.
9. (Optional) In the final section of the screen, provide feedback to Okta.
10. To complete this stage of the setup, click Finish.
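As an added example (not Bluescape's or Okta's code), the following Python check verifies that a SAML assertion issued by the app, such as one captured from a test login, carries the Audience, the Email Address NameID format and the four attribute statements configured in the steps above. The sample assertion and its values are constructed placeholders.

```python
# Added example (not Bluescape's or Okta's code): check that a SAML assertion
# issued by the app carries the Audience, NameID format and four attribute
# statements configured in the steps above before the integration goes live.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"User.FirstName", "User.LastName", "User.Email", "user_guid"}


def check_assertion(xml_text: str, expected_audience: str) -> list:
    """Return a list of problems; an empty list means the assertion matches."""
    root = ET.fromstring(xml_text)
    problems = []
    aud = root.find(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != expected_audience:
        problems.append("Audience does not match the SP Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not Email Address")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in sorted(REQUIRED_ATTRS - set(attrs)):
        problems.append(f"missing attribute {name}")
    # user_guid must be a stable per-user value (user.id in Okta); an e-mail
    # address is not acceptable because it can change.
    guid = attrs.get("user_guid", [""])
    if guid == [""] or guid == attrs.get("User.Email"):
        problems.append("user_guid is empty or is the e-mail address")
    return problems


# Constructed sample assertion with placeholder values (not a real Okta response).
SP_ENTITY_ID = "https://portal.apps.us.bluescape.com/saml/metadata/customer_saml_provider_name"
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user_guid"><saml:AttributeValue>00u1exampleokta</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, SP_ENTITY_ID) or "assertion matches the Bluescape configuration")
```

Run it against a real assertion by replacing SAMPLE with the captured XML and SP_ENTITY_ID with the Entity ID Bluescape Support gives you.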
Grabbing the Metadata URL to Provide to Bluescape Support
11. On the Sign-On screen that opens, scroll down to SAML Signing Certificates.
12. Click Actions for the active certificate to open the actions dropdown.
13. Select View IdP metadata.
14. A new browser tab opens. Copy the URL and provide it to Bluescape Support.
    The link should be similar to the following example:
    https://dev-175540.oktapreview.com/app/exke45jvh82t316wU0h7/sso/saml/metadata
Updating the App Login URLs in Okta
15. Bluescape Support creates a new SAML provider and sends you its ID.
16. At the top of the section, click the General tab.
17. Scroll down to the SAML Settings field and click Edit.
18. On the General Settings screen that opens, click Next.
19. In the Single sign-on URL and Audience URI (SP Entity ID) fields, replace the placeholder value, currently ID, with the ID you received from Bluescape Support in Step 15:
    Single sign-on URL = ACS URL
    Audience URI (SP Entity ID) = Entity ID URL