
OKTA SSO Configuration Guide

Overview

This guide describes how to configure SP-initiated Single Sign-On (SSO) between Okta and your APIsec SaaS tenant using SAML 2.0. With SP-initiated SSO, users start at the APIsec login page, are redirected to Okta to authenticate, and are then returned to APIsec with a SAML assertion that grants access.

To enforce role-based access control (RBAC), two groups are created in Okta and sent to APIsec as a group claim; a user's group membership determines their role in APIsec.


Prerequisites

  • Administrative access to the Okta Admin Console.
  • APIsec login with an ADMIN user role.

Implementation Steps

1. Group Provisioning in Okta

To enforce RBAC in APIsec, create user groups in Okta:

  1. Log in to the Okta Admin Console.
  2. Navigate to Directory → Groups.
  3. Click Add Group and create:
    • Group Name: APISEC_USER
    • Description: Users with basic access to APIsec.
  4. Create another group:
    • Group Name: APISEC_ADMIN
    • Description: Users with admin privileges in APIsec.
  5. Assign users to the appropriate groups.



2. Application Registration in Okta

  1. Navigate to Applications → Applications in Okta.
  2. Click Create App Integration → Select SAML 2.0.
  3. Application Name: APIsecAccess.
  4. Click Next and proceed to configure SAML settings.



3. Obtain Single Sign-On URL & Audience URI from APIsec

  1. Log in to APIsec as an ADMIN user.
  2. Click Setup Single Sign-On on the Primary Navigation Panel.
  3. Select OKTA as the primary IDP and click Next.
  4. Copy the Single Sign-On URL and the Audience URI.
Note: Return to the Okta application created in Step 2 and continue with the SSO configuration there.


4. Single Sign-On Configuration in Okta

  1. In the Configure SAML tab, enter the following details:

    • Single sign-on URL: Enter the SSO URL retrieved from APIsec (Step 3).
    • Audience URI: Enter the Audience URI retrieved from APIsec (Step 3).
    • Name ID format: Select EmailAddress from the dropdown.
    • Application Username: Select Email from the dropdown.
    • Update application username on: Leave as Create and update.
  2. Configure Attribute Statements:

     Name                                                               | Name Format | Value
     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Unspecified | user.email
     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayName  | Unspecified | user.firstName

  3. Configure Group Attribute Statements:

     Name                                                               | Name Format | Filter      | Value
     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/apisecroles  | Unspecified | Starts with | APIsec

     The filter selects which of the user's Okta groups are sent in the apisecroles attribute; it must match the group names created in Step 1, and only matching groups reach APIsec.

  4. Click Next.
  5. Click Finish.

5. Metadata Configuration in Okta

  1. In Okta, navigate to Sign On in the APIsec application settings.
  2. Locate the Metadata URL under Metadata Details.
  3. Copy the Metadata URL.
  4. Log in to APIsec as an ADMIN user.
  5. Click Setup Single Sign-On on the Primary Navigation Panel.
  6. Select OKTA as the primary IDP and click Next.
  7. Enter the Metadata URL and click Complete.
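The Metadata URL is the trust anchor for the whole integration: whatever it serves (IdP entityID, SSO endpoints, signing certificate) is what APIsec will accept assertions from. The script below is an added example, not APIsec's or Okta's code, that inspects an IdP metadata document before it is pasted into APIsec. SAMPLE_METADATA is constructed to mirror the shape of Okta IdP metadata; its entityID, hostnames and certificate bytes are placeholders, and the checks reflect what Step 4 configured (the EmailAddress NameID format) plus basic hygiene (HTTPS endpoints, a signing certificate present).

```python
"""Inspect the IdP metadata served at the Okta Metadata URL before handing it
to APIsec in Step 5.

Added example, not APIsec's or Okta's code. SAMPLE_METADATA is constructed to
mirror the shape of Okta IdP metadata; its entityID, hostnames and the
certificate bytes are placeholders rather than real values.
"""
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder: not a real DER-encoded X.509 certificate.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="http://www.okta.com/exk-constructed">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_EMAIL}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/constructed/exk-constructed/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example.okta.com/app/constructed/exk-constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(url, timeout=10.0):
    """Download metadata over HTTPS only; a plain-HTTP trust anchor could be
    replaced in transit. Not called in the offline demonstration."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS metadata URL: {url}")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def inspect_metadata(xml_text):
    """Summarise what the SP will trust: entityID, SSO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {
        s.get("Binding"): s.get("Location")
        for s in idp.iterfind("md:SingleSignOnService", NS)
    }
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.append(hashlib.sha256(der).hexdigest())
    formats = [f.text for f in idp.iterfind("md:NameIDFormat", NS)]
    problems = []
    if not certs:
        problems.append("no signing certificate: assertions cannot be verified")
    if HTTP_POST not in sso and HTTP_REDIRECT not in sso:
        problems.append("no SingleSignOnService for HTTP-POST or HTTP-Redirect")
    for binding, location in sso.items():
        if urlparse(location).scheme != "https":
            problems.append(f"{binding} endpoint is not HTTPS: {location}")
    if NAMEID_EMAIL not in formats:
        problems.append("IdP does not advertise the EmailAddress NameID format chosen in Step 4")
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_cert_sha256": certs,
        "nameid_formats": formats,
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in inspect_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Against a live tenant, pass the Metadata URL copied in this step to fetch_metadata and feed the result to inspect_metadata; record the certificate fingerprints alongside the URL so that a later change of signing certificate in Okta is noticed rather than silently trusted.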

6. Testing and Validation

  1. Log out of APIsec.
  2. The login page now shows a Sign in with SSO link.
  3. Click Sign in with SSO; the browser should be redirected to the Okta login page.
  4. Authenticate with Okta.
  5. Confirm that members of APISEC_USER and APISEC_ADMIN land in APIsec with the corresponding role.
  6. If login fails, check the Okta System Log for the failed sign-in event and confirm that the assertion carries the emailaddress, displayName and apisecroles attributes configured in Step 4.

7. Important Considerations

  1. Users not assigned to APISEC_USER or APISEC_ADMIN cannot access APIsec.
  2. A user should not be assigned to both groups simultaneously.
  3. If role-based access control is not functioning as expected, verify that:
    • The Group Claim is correctly mapped.
    • The user is assigned to only one of the designated groups.

By following these steps, you can successfully integrate Okta SSO with APIsec, ensuring secure and streamlined authentication for users.