Prerequisites:
- An Okta account with application creation rights
- A Cloudi-Fi administrator account
- The SAML module activated in your Cloudi-Fi settings
1) Get your Cloudi-Fi Company Key
A trust must be established between Cloudi-Fi and Okta to allow authentication.
To set up this trust, you will need to provide Okta with your Cloudi-Fi Company Key.
In the Cloudi-Fi admin portal, go to Settings and note your Company Key.
2) Okta service configuration
- Connect to your Okta portal and switch to "Admin" mode.
- Go to the Applications section and create a new application.
- Click on "Create a new Application Integration".
- Select SAML 2.0.
On the General Settings page:
- App name: CloudiFiForAdministrators
- Click on Next.
On the Configure SAML page:
- Single sign-on URL: enter the Cloudi-Fi SAML URL below, completed with your Cloudi-Fi Company Key
https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/
- Complete the other fields as follows:
Once the Cloudi-Fi application is created on Okta, click on the "View Setup Instructions" button to retrieve the technical information that must be configured on the Cloudi-Fi portal.
The following information is needed:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
3) Cloudi-Fi configuration
In the Cloudi-Fi admin portal, go to Settings > Authentication module settings and select SAML for Administrators.
Fill out the form as described below with the details previously retrieved from Okta:
- IdP EntityId = Identity Provider Issuer (marked 2 in the previous screenshot)
- Binding Method = POST
- IdP Endpoint = Identity Provider Single Sign-On URL (marked 1 in the previous screenshot)
- Logout Binding Method = POST
- IdP Signing Certificate = X.509 Certificate (marked 3 in the previous screenshot), without the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers
- Email attribute name = mail
Finally, click on Save.
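The two values that are most often pasted incorrectly in steps 2 and 3 are the Single sign-on URL (which must carry your Company Key) and the IdP Signing Certificate (which must be the bare base64 body, with the PEM markers removed). The following Python script is an added example written for this article; it is not Cloudi-Fi or Okta code. It assumes that the Company Key is appended after the trailing slash of the URL shown above, and it uses a constructed stand-in certificate body instead of a real Okta certificate so that it runs offline.

```python
import base64
import re

# Cloudi-Fi SAML assertion consumer URL as given in step 2. The Company Key is
# assumed (the article does not say exactly where) to go after the trailing slash.
ACS_BASE_URL = "https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/"

# Constructed stand-in for the X.509 certificate shown by Okta under
# "View Setup Instructions". The body is a tiny DER SEQUENCE (30 03 02 01 01),
# not a real certificate, so the script can run without any network access.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def acs_url(company_key):
    """Build the Single sign-on URL for the Okta app from the Company Key."""
    key = company_key.strip()
    # Reject anything that is not a plain token: a stray path separator or
    # query character here would silently point Okta at the wrong endpoint.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", key):
        raise ValueError("unexpected characters in Company Key")
    return ACS_BASE_URL + key


def strip_pem_markers(pem_text):
    """Return the certificate body without BEGIN/END markers or line breaks,
    which is the form the Cloudi-Fi 'IdP Signing Certificate' field expects."""
    body_lines = [
        line.strip()
        for line in pem_text.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    ]
    body = "".join(body_lines)
    # Sanity check: the value must be valid base64 and decode to DER, which
    # always starts with a SEQUENCE tag (0x30). This catches a truncated paste
    # before it is saved as the certificate used to verify Okta's signatures.
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not look like a DER certificate")
    return body


if __name__ == "__main__":
    print(acs_url("YOUR-COMPANY-KEY"))
    print(strip_pem_markers(SAMPLE_PEM))
```

Paste the output of strip_pem_markers into the IdP Signing Certificate field as a single line; if the function raises, the certificate was copied incompletely from Okta and signature verification of the SAML response would fail.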
4) Enable Administrator auto-provisioning (Optional)
Enabling automatic administrator provisioning allows administrators to be assigned a Cloudi-Fi profile based on the Okta group to which they belong.
4.1 Option 1: Create Okta groups with names identical to the Cloudi-Fi administrator profiles. The default Cloudi-Fi profiles will be used.
4.2 Option 2: Use existing Okta groups. This will create new profiles on the Cloudi-Fi side with limited permissions. You will need to modify the permissions of the Cloudi-Fi administrator profiles manually.
In both cases, create a custom attribute for that app (named group) and, in the profile editor, map the expression isMemberOfGroupName("Admin") ? "Admin" : "ReadOnly" to that attribute.
On the Cloudi-Fi side, configure or finalise the SAML configuration:
Go to Settings > Auth modes > SAML for Administrators. Enable Administrator auto-provisioning and type the SAML Profile Attribute (group in the example above).
You can also assign a Default profile, which is used when no profile attribute is received in the SAML response.
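To make the effect of the "SAML Profile Attribute" and "Default profile" settings concrete, here is an added Python example (not Cloudi-Fi code) that does what the service provider side has to do after the response signature has been verified: read the attribute statement of the assertion, pick up the mail attribute named in step 3 and the group attribute from step 4, and fall back to a default profile when the group attribute is absent. The assertion fragment is constructed for the example and is not a real Okta response.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment. Only the AttributeStatement is shown;
# the Signature, Subject and Conditions elements of a real response are omitted.
# Attribute names match the Cloudi-Fi settings in steps 3 and 4: "mail" and "group".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.
    In production this runs only after the XML signature has been validated
    against the IdP Signing Certificate; unsigned attributes must not be trusted."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attribute in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attribute.get("Name")
        values = [v.text or "" for v in attribute.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[name] = values
    return attrs


def resolve_profile(attrs, profile_attr, default_profile=None):
    """Profile assigned by auto-provisioning: the value of the configured
    SAML Profile Attribute, or the Default profile when it is missing or empty."""
    values = [v for v in attrs.get(profile_attr, []) if v]
    return values[0] if values else default_profile


def resolve_email(attrs, email_attr="mail"):
    """Administrator identity, taken from the configured Email attribute name."""
    values = attrs.get(email_attr, [])
    if not values or not values[0]:
        raise ValueError("SAML response carries no %s attribute" % email_attr)
    return values[0]


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print(resolve_email(attrs), "->", resolve_profile(attrs, "group", "ReadOnly"))
```

With the Okta expression from step 4, members of the Admin group arrive with group = Admin and everyone else with group = ReadOnly; the Default profile only matters if the attribute mapping is missing from the Okta app, in which case the fallback should be the least-privileged profile.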