SAML SSO works by transferring the user's identity from one place (the identity provider) to another (the service provider). This transfer is done through an exchange of digitally signed XML documents. Sectona PAM uses Okta SAML authentication to allow access for its users. This section covers the prerequisites, the Okta-side configuration, and the Sectona PAM-side configuration.
Before you begin
The user must have admin access to the Okta developer portal.
The user must also have admin access to Sectona PAM.
Configuring Okta SAML Authentication
To configure SAML authentication between Okta and a Sectona PAM instance, follow the steps below:
Configuring Okta Developer Account
Log in to the Okta developer account as an admin.
Go to Applications → Applications → Create New App
Select “SAML 2.0” and then click Create.
Enter a suitable name for your app and continue to the next step.
Configure the following fields in the app and click on Next:
SSO URL: The URL where your PAM instance is installed. Okta labels this the single sign-on URL; it is the endpoint to which Okta posts the signed SAML response.
Entity ID: Provide a unique string as the Entity ID (Audience URI). It identifies this SAML app configuration and avoids duplicate entries.
Name ID: Select Email Address from the drop-down list.
Application username: Select Email from the drop-down list.
On the final step, select the option that best describes how you use Okta and click Finish.
You can then view and download the IdP configuration metadata by clicking "Identity Provider metadata".
Adding Users in Okta
Go to Applications → Applications.
Click the arrow beside the app you created and then click Assign to Users.
Click Add a user, fill in the required details, and click Save.
Configuring Sectona PAM for Okta SAML Authentication
Log in to Sectona PAM as admin, go to Configuration → AD & Directory Store, and click Add AD & Directory Store.
Fill in the following details:
Directory Name: Provide a suitable name.
Authentication Type: Select 'Generic SAML' from the drop-down list.
Directory Store Type: Select 'SAML' from the drop-down list.
Issuer: Provide the URL where your PAM is installed.
Logon URL: This comes from the metadata file, which contains two SingleSignOnService elements. Copy the Location of the one whose Binding is HTTP-POST (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST) and paste it into this field.
Logout URL: Disabled for Okta SAML.
Logon Binding: Auto-filled by PAM.
Open the metadata file and copy the text inside the <ds:X509Certificate> element. Paste it into a text editor and save it as a .crt file. Upload that file as the certificate file and click Save. This certificate is what PAM uses to verify Okta's signature on the SAML response, so take it only from metadata downloaded directly from the Okta admin console; if Okta's signing certificate is later rotated, the file must be re-uploaded.
Go to Manage → User and assign the created directory store to the user to complete the configuration.
To show the Logon with SAML option on the Sectona logon screen, go to System → System Defaults → User Logon Show SAML Option and set the config value to 1.
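As an added example (not Sectona's or Okta's own tooling), the following Python script does the two metadata steps above mechanically rather than by hand: it picks the SingleSignOnService Location whose Binding is HTTP-POST for the Logon URL, pulls the signing certificate out of <ds:X509Certificate> (dropping the line breaks the element usually contains and rejecting a corrupted copy), and writes it to a .crt file. The metadata document, the hostname, the app path and the certificate body are constructed placeholders, not values from this page or from a real Okta tenant.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used in Okta's IdP metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the certificate body: valid base64, but NOT a real
# X.509 certificate. Real Okta metadata carries the IdP signing certificate here.
SAMPLE_CERT_B64 = base64.b64encode(
    b"constructed sample value, not a real X.509 certificate"
).decode("ascii")

# Constructed sample metadata in the shape Okta exports. Hostname, app path and
# key ID are placeholders. The certificate is split over lines on purpose, as
# it is in a real export.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            {SAMPLE_CERT_B64[:40]}
            {SAMPLE_CERT_B64[40:]}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-000000.okta.com/app/exampleapp/exk000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-000000.okta.com/app/exampleapp/exk000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the values the Sectona PAM directory-store form asks for."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso_by_binding = {
        el.get("Binding"): el.get("Location")
        for el in idp.findall("md:SingleSignOnService", NS)
    }
    if POST_BINDING not in sso_by_binding:
        raise ValueError("no SingleSignOnService with the HTTP-POST binding")

    # Only 'signing' keys verify the response signature; skip encryption keys.
    # A KeyDescriptor without a 'use' attribute is valid for both, so keep it.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert_el in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert_el.text or "").split())  # drop newlines/indent
            base64.b64decode(b64, validate=True)          # reject a mangled copy
            certs.append(b64)
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "idp_entity_id": root.get("entityID"),
        "logon_url": sso_by_binding[POST_BINDING],
        "logon_binding": POST_BINDING,
        "signing_certs": certs,
    }


def to_pem(cert_b64: str) -> str:
    """Wrap bare base64 DER in PEM armour, 64 characters per line."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    fields = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID :", fields["idp_entity_id"])
    print("Logon URL     :", fields["logon_url"])
    print("Logon Binding :", fields["logon_binding"])
    with open("okta-idp-signing.crt", "w", encoding="ascii") as f:
        f.write(to_pem(fields["signing_certs"][0]))
    print("wrote okta-idp-signing.crt")
```

To use it on a real export, replace SAMPLE_METADATA with the contents of the metadata file downloaded from the Okta admin console. The script writes the certificate with PEM BEGIN/END lines; the page describes saving the bare base64 text, so if PAM rejects the PEM form, write fields["signing_certs"][0] to the .crt file instead. Whichever form you use, the certificate is the trust anchor for every SAML login into PAM, so never take it from an e-mailed or otherwise second-hand copy of the metadata.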