Step-by-step instructions to set up a SAML authentication for your Sponsors with Cloudi-Fi and Okta.
Use case
The following sections provide step-by-step instructions to set up SAML authentication for your Sponsors with Cloudi-Fi and Okta.
Prerequisites
SAML URLs
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Go to Configuration > Auth modes > Sponsor
- Collect the necessary information
Linkback URL
https://portal.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-sponsor/************
- ***** is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account)
Cloudi-Fi Entity ID
https://portal.cloudi-fi.net/
1. Create your Okta SAML application
Go to your Okta portal and switch to "Classic UI" mode.
Go to the Application section, and add a new application.
Click on Create a new Application Integration.
Then, select SAML 2.0
In the General Settings page, define your App name (for instance: Cloudi-Fi Guest SAML) and click on Next.
In Configure SAML page
- Linkback URL: https://portal.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-sponsor/<company_key>
  - To find your <company_key>, go to the Cloudi-Fi Admin interface > Settings > Company Account.
- Cloudi-Fi Entity ID: https://portal.cloudi-fi.net/
- Name ID format: EmailAddress
- Application username: Email
- Update application username on: Create and update
- Attribute Statement
  - Name: mail
  - Value: user.email
In Feedback page, click on Finish
Once the Cloudi-Fi application is created on Okta, click View SAML Setup Instructions to retrieve technical information to be configured on the Cloudi-Fi portal.
The information needed is:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
2. Cloudi-Fi configuration
Before starting step 2, make sure you have all of the following information:
Attribute name (in Okta) | Attribute name (in Cloudi-Fi) | Details
Single sign-on URL | Linkback URL | https://portal.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-sponsor/<company_key>
SP Entity ID | Cloudi-Fi Entity ID | https://portal.cloudi-fi.net/
Identity Provider Issuer | IdP EntityID | http://www.okta.com/*********
Identity Provider Single Sign-On URL | IdP Endpoint | https://******/app/****/*****/sso/saml
X.509 Certificate | IdP Signing Certificate (X509 (Base64)) |
Attribute Statements / Name | Email_address Claims |
Navigate to the Cloudi-Fi Admin user interface (UI)
Access Configuration > Auth modes > Sponsor
Enter the required values into the respective fields
Fill out the form as described below with details previously retrieved on Okta:
- IdP EntityId : Identity Provider Issuer
- Binding Method : POST
- IdP Endpoint : Identity Provider Single Sign-On URL
- Logout Binding Method : POST
- IdP Signing Certificate : the X.509 Certificate body only, without the "BEGIN CERTIFICATE" and "END CERTIFICATE" marker lines
- Email attribute name : mail
Finally, click on Save
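As an added check before clicking Save (example code written for this page, not Cloudi-Fi's or Okta's own), the script below prepares the certificate value the way the form expects it (marker lines and whitespace stripped, body verified to decode as base64 DER), flags Okta issuer or SSO URL values that do not have the shape shown above, and reads the sponsor e-mail from a constructed, unsigned sample SAML response using the emailAddress NameID and the "mail" attribute configured in step 1. The sample PEM and response are constructed placeholders; the response signature is not verified here.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed toy PEM: the body is a tiny DER SEQUENCE, not a real Okta certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"

# Constructed, unsigned response shaped like what the Okta app above would send.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sponsor@example.com</saml:NameID>
  </saml:Subject><saml:AttributeStatement><saml:Attribute Name="mail">
  <saml:AttributeValue>sponsor@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def strip_pem_markers(pem):
    # Cloudi-Fi wants only the base64 body: drop BEGIN/END lines and all whitespace.
    body = "".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem).split())
    raw = base64.b64decode(body, validate=True)
    if not raw or raw[0] != 0x30:  # DER certificates start with a SEQUENCE tag
        raise ValueError("decoded value is not a DER-encoded certificate")
    return body


def check_okta_values(issuer, sso_url):
    # Flag values that do not look like the issuer / SSO URL from Okta's setup page.
    problems = []
    if not issuer.startswith("http://www.okta.com/"):
        problems.append("IdP EntityId should be the Okta issuer (http://www.okta.com/...)")
    if not sso_url.startswith("https://") or not sso_url.endswith("/sso/saml"):
        problems.append("IdP Endpoint should be the HTTPS Okta SSO URL ending in /sso/saml")
    return problems


def sponsor_email_from_response(xml_text, attr_name="mail"):
    # Read the sponsor e-mail as configured: emailAddress NameID + 'mail' attribute.
    # Signature verification is deliberately out of scope for this mapping check.
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        raise ValueError("NameID missing or not in emailAddress format")
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        value = attr.find("saml:AttributeValue", SAML)
        if attr.get("Name") == attr_name and value is not None and value.text:
            return value.text
    raise ValueError("attribute '%s' not found in the assertion" % attr_name)
```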
Troubleshooting
Okta error message
A Sponsor_administrator accesses the application and is redirected to the Okta authentication page. They enter their email address and password and sign in, then are redirected to an Okta error page.
Please replay the process while performing an HTTP capture (a web request capture in the web browser), then open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?).
What's next?
Congratulations on enabling SAML authentication with Okta for your Sponsor_administrators.