Step-by-step instructions to set up a SAML authentication for your Administrators with Cloudi-Fi and Okta.
Use case
The following sections give step-by-step instructions to set up SAML authentication for your Cloudi-Fi administrators with Cloudi-Fi as the service provider (SP) and Okta as the identity provider (IdP).
Prerequisites
SAML for Administrators URLs
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Go to "Configuration > Auth modes > SAML for Administrators"
- Collect the necessary information
Linkback URL
https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/************
The trailing ************ is your Cloudi-Fi company (public) key, found in the Cloudi-Fi Admin interface under Settings > Company Account; it is written as <company_key> in the rest of this article.
Cloudi-Fi Entity ID
https://admin.cloudi-fi.net/
If "SAML for Administrators" is not available, please open a ticket with Cloudi-Fi Support (see "How to contact your Cloudi-Fi support?").
1. Create your Okta SAML application
- Go to your Okta portal and switch to "Classic UI" mode.
- Go to the Applications section and add a new application.
- Click "Create a new Application Integration", then select SAML 2.0.
- On the General Settings page, enter an "App name" (for instance: Cloudi-Fi Guest APAC SAML) and click Next.
Configure SAML page
Fill in the following fields (Okta field | value):
Single sign-on URL (the Cloudi-Fi Linkback URL) | https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/<company_key>
SP Entity ID (the Cloudi-Fi Entity ID) | https://admin.cloudi-fi.net/
Name ID format | EmailAddress
Application username | Email
Update application username on | Create and update
To find your <company_key>, go to the Cloudi-Fi Admin interface, then Settings, then Company Account.
Attribute Statements
Note: "Admin", "Lobby" and "ReadOnly" are the admin profiles created in Admin UI > Administrators > Profiles.
Name | Value
mail | user.email
group | isMemberOfGroupName("Admin") ? "Admin" :
The Name of the first attribute must match the "Email attribute name" entered on the Cloudi-Fi side in step 2. The group value is an Okta Expression Language ternary: extend it with one branch per profile (Admin, Lobby, ReadOnly) so that the attribute carries the name of the Cloudi-Fi profile the administrator should receive; the first matching branch wins, so put the most privileged profile first.
On the Feedback page, click "Finish".
Once the Cloudi-Fi application has been created in Okta, click "View SAML Setup Instructions" to retrieve the technical information that must be entered in the Cloudi-Fi portal:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
2. Cloudi-Fi configuration
Before starting step 2, make sure you have all of the following information (Okta name | Cloudi-Fi name | value):
Single sign-on URL | Linkback URL | https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/<company_key>
SP Entity ID | Cloudi-Fi Entity ID | https://admin.cloudi-fi.net/
Identity Provider Issuer | IdP EntityID | http://www.okta.com/*********
Identity Provider Single Sign-On URL | IdP Endpoint | https://******/app/****/*****/sso/saml
X.509 Certificate | IdP Signing Certificate (X509, Base64) | the certificate shown in the Okta SAML setup instructions
Attribute Statements / Name | Email attribute name (email address claim) | mail
Attribute Statements / group | SAML Profile attribute | group
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Access "Configuration > Auth modes > SAML for Administrators"
- Enter the required values into the respective fields
Fill out the form as described below with the details retrieved from Okta:
- IdP EntityId: the Identity Provider Issuer
- Binding Method: POST
- IdP Endpoint: the Identity Provider Single Sign-On URL
- Logout Binding Method: POST
- Logout Endpoint:
- IdP Signing Certificate: the X.509 Certificate with the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines removed (paste only the Base64 body)
- Email attribute name: mail (must match the Name of the email attribute statement in Okta)
- SAML Profile attribute: group (must match the Name of the group attribute statement in Okta)
Finally, click on Save
3. Enable Administrator auto-provisioning (Optional)
Enabling automatic administrator provisioning assigns each administrator a Cloudi-Fi profile based on the Okta group they belong to, as carried by the group attribute of the SAML assertion.
Option 1: Create Okta groups whose names are identical to the Cloudi-Fi administrator profiles (for instance Admin, Lobby and ReadOnly from step 1). The default Cloudi-Fi profiles will be used.
Option 2: Use existing Okta groups. This creates new profiles on the Cloudi-Fi side with limited permissions; you will need to adjust the permissions of these Cloudi-Fi administrator profiles manually.
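The following script is an added example and is not Cloudi-Fi or Okta code. It emulates what each side of this setup does with the values from steps 1 to 3: the Okta-side isMemberOfGroupName() ternary that produces the group attribute, the stripping of the BEGIN/END markers that the IdP Signing Certificate field requires, the base64 POST binding, and the SP-side read of the assertion (Issuer against IdP EntityID, Audience against the Cloudi-Fi Entity ID, Recipient against the Linkback URL, NameID format, the mail and group attributes) followed by the profile assignment of step 3. The SAML response is constructed sample data; the company key and Okta issuer are assumed placeholders. No XML signature is verified here: a real SP verifies the signature with the IdP signing certificate before trusting any of these fields.

```python
# Added example, not Cloudi-Fi or Okta code: emulates what each side does with the
# values from steps 1 to 3. The SAML response is constructed sample data; the
# company key and Okta issuer are assumed placeholders. No XML signature is
# verified here; the real SP does that with the IdP signing certificate.
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
COMPANY_KEY = "0123456789abcdef"                  # assumed placeholder for <company_key>
SP_ENTITY_ID = "https://admin.cloudi-fi.net/"
ACS_URL = f"https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/{COMPANY_KEY}"
IDP_ENTITY_ID = "http://www.okta.com/exkEXAMPLE"  # assumed placeholder for the Okta Issuer
EMAIL_ATTR = "mail"                               # "Email attribute name" in the Cloudi-Fi form
PROFILE_ATTR = "group"                            # "SAML Profile attribute" in the Cloudi-Fi form
PROFILES = ["Admin", "Lobby", "ReadOnly"]         # Cloudi-Fi admin profiles, most privileged first

def profile_for(okta_groups):
    """Emulates the Okta expression for the "group" attribute:
    isMemberOfGroupName("Admin") ? "Admin" : isMemberOfGroupName("Lobby") ? "Lobby" : ...
    Branch order matters: a user in both Admin and ReadOnly gets Admin."""
    for profile in PROFILES:
        if profile in okta_groups:
            return profile
    return None

def normalize_certificate(pem_text):
    """X.509 body as the 'IdP Signing Certificate' field expects it: no markers, no line breaks."""
    return "".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text).split())

def decode_post_binding(saml_response_field):
    """POST binding: the browser posts base64(XML) in the SAMLResponse form field."""
    return base64.b64decode(saml_response_field).decode("utf-8")

def parse_assertion(xml_text):
    """Pull out the fields Cloudi-Fi compares against the step 2 form."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in the response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": assertion.findtext("saml:Issuer", namespaces=NS),
            "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
            "recipient": conf.get("Recipient") if conf is not None else None,
            "name_id": name_id.text, "name_id_format": name_id.get("Format"), "attributes": attrs}

def check_assertion(parsed):
    """Mismatches against the values entered in step 2; an empty list means they line up."""
    problems = []
    if parsed["issuer"] != IDP_ENTITY_ID:
        problems.append("Issuer does not match IdP EntityID")
    if parsed["audience"] != SP_ENTITY_ID:
        problems.append("Audience does not match Cloudi-Fi Entity ID")
    if parsed["recipient"] != ACS_URL:
        problems.append("Recipient does not match Linkback URL")
    if not (parsed["name_id_format"] or "").endswith(":emailAddress"):
        problems.append("NameID format is not EmailAddress")
    for attr in (EMAIL_ATTR, PROFILE_ATTR):
        if not parsed["attributes"].get(attr):
            problems.append(f"attribute {attr!r} missing from the assertion")
    return problems

def provision(parsed):
    """Step 3: the administrator's email and the profile carried by the group attribute."""
    return parsed["attributes"][EMAIL_ATTR][0], parsed["attributes"][PROFILE_ATTR][0]

# Constructed sample: what Okta would send for alice, who is in the Everyone and Admin groups.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_ATTR}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{PROFILE_ATTR}"><saml:AttributeValue>{profile_for({'Everyone', 'Admin'})}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    parsed = parse_assertion(decode_post_binding(base64.b64encode(SAMPLE_RESPONSE.encode())))
    print(check_assertion(parsed) or provision(parsed))   # ('alice@example.com', 'Admin')
```

When a login fails after the redirect back from Okta, running check_assertion() over the SAMLResponse taken from a browser capture shows which of the four step 2 values (issuer, audience, recipient, attribute names) does not match what was typed into the Cloudi-Fi form; a wrong Issuer or a group attribute named differently from "group" are the usual culprits. Note that PROFILES is ordered, so the emulated expression, like the real Okta ternary, gives a user in several groups the first profile listed.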
Troubleshooting
Okta error message
An administrator opens the application and is redirected to the Okta sign-in page. After entering their email address and password and signing in, they are redirected to an Okta error page instead of the Cloudi-Fi Admin UI.
Replay the process while recording an HTTP capture in the web browser (a web request capture of the whole login flow, including the redirect back from Okta), then open a ticket with Cloudi-Fi support with the capture attached (see "How to contact your support?"). The capture contains the SAML response and any session cookies, so share it only through the support ticket.