Okta Integration
  • 14 May 2023

Prerequisites:

  • An active Okta account
  • Okta admin privileges
  • OneLogin tenant with admin access

Support Note:

Expedient will assist with configuring and troubleshooting from the OneLogin tenant. The client is responsible for the configuration on the Okta tenant.

Configure Okta: 

  1. Open the Okta portal (https://clientname.okta.com) and log in as the admin account.
  2. Click the Admin button at the top of the page.
  3. Complete the MFA prompt.
  4. Click the arrow next to Applications and then click Applications.
  5. Click Browse App Catalog.
  6. Search for "SAML" and click SAML Service Provider.
  7. Click the Add button.
  8. Give the app a descriptive name and click Next.
  9. This page needs four things done:
    1. Click View Setup Instructions. It opens a new tab containing the Issuer, the signing certificate and the other values the OneLogin side needs; keep that tab open for later.
    2. Set Assertion Consumer URL to "https://yourtenantname.onelogin.com/access/idp", substituting the client's OneLogin tenant name.
    3. Service Provider Entity Id needs the SP Entity ID from the OneLogin trust, which does not exist yet. Enter a temporary value such as the client's OneLogin URL for now; it is replaced in Phase 2 of the Okta configuration below.
    4. Change the username format to Email. This must agree with the User Attribute chosen on the OneLogin side, otherwise the identity Okta asserts will not map to the OneLogin user.
  10. Click Save.

Configure OneLogin

  1. Login to OneLogin as an admin. Click Administration at the top of the page.
  2. Mouse over Authentication and click Trusted IdPs
  3. Click New Trust
  4. Give the trust a name, e.g. "Okta - Expedient".
  5. Scroll to the bottom and look for SP Entity ID.
  6. Copy it to a text editor; it goes into the Okta app's Service Provider Entity Id field in the next phase.

Phase 2 of Okta Configuration

  1. Click Edit on the Okta app and paste the SP Entity ID from OneLogin into the Service Provider Entity Id field, replacing the temporary value entered earlier, and save.

Phase 2 Of OneLogin Configuration

  1. Open the tab that contains the Okta SAML Setup Instructions.
  2. Click the CLICKING HERE link to download the Okta signing certificate, and copy the Issuer to a text editor.
    1. NOTE: On that page the word "is" runs straight into the Issuer value with no space between them. Copy only the value itself; an Issuer pasted as "ishttp://..." will not match what Okta sends and the trust will fail.
  3. You'll also need the Embed Link from the General section of the app. This becomes the IdP Login URL on the OneLogin side.
  4. Go back to the OneLogin admin page
  5. Check Show In Login Panel and point the Login Icon at whatever image the client wants shown.
    1. Okta's logo is publicly available at https://www.okta.com/sites/default/files/Okta_Logo_BrightBlue_Medium.png
  6. Enter the Issuer copied from the Okta setup instructions in the Issuer field.
  7. Check both Sign users into OneLogin and Send Subject Name ID or Login Hint in Auth Request.
  8. Set the User Attribute to Email, matching the Email username format set in the Okta app.
  9. Set the IdP Login URL to the Embed Link copied from Okta.
  10. Leave the Logout URL blank. This lets users log out of apps without also being logged out of Okta.
  11. Open the downloaded certificate in a text editor and paste its full contents, including the BEGIN CERTIFICATE and END CERTIFICATE lines, into the Certificate field.
  12. Go back to the top and click Enable Trusted IdP.
  13. Click Save to save the settings.

Finish the Okta Configuration

  1. Go to the Assignments tab of the app, click the Assign button, then Assign To People (Groups is also an option here).
  2. Click Assign next to each user who should get the app.
  3. Click Save and Go Back to complete the assignment.
  4. Click Done, then have the user refresh their My Apps page; an icon for the app should appear. Clicking it should log them into the OneLogin portal.
  5. They should also be able to go to the OneLogin portal directly and click the Okta button, which redirects them to Okta to log in and then back into the portal.
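Most failures with this integration come down to one value copied wrong between the two consoles: the Issuer with the stray "is" in front, an Assertion Consumer URL pointing at the wrong tenant, a certificate pasted without its header lines, or the SP Entity ID left at its temporary placeholder. The script below is an added example, not code from the article, Expedient, Okta or OneLogin. It cross-checks the values collected in the steps above and then checks the identifiers in a SAML Response (Issuer, Destination, Audience, NameID format) against that same configuration, which is the comparison any SAML service provider makes against its trust settings. The tenant names, SP Entity ID, Issuer, Embed Link, certificate and the Response itself are all constructed placeholders. It does not verify the Response signature against the pasted certificate, which is what actually establishes trust and needs an XML-DSig library.

```python
"""Cross-check the identifiers exchanged between the Okta app and the OneLogin
Trusted IdP. Added example, not part of the original article and not an Okta or
OneLogin tool; every tenant name, Issuer, Embed Link, SP Entity ID, certificate
and the SAML Response below is a constructed placeholder. Signature verification
with the pasted Okta certificate is what really establishes trust; it needs an
XML-DSig library and is NOT done here. This only catches copy/paste mistakes."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Dummy DER (a SEQUENCE holding INTEGER 1) in PEM armor; constructed, not a real cert.
DUMMY_PEM = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
             + "\n-----END CERTIFICATE-----\n")

# Values collected by the end of the procedure (comments say where each is typed):
CONFIG = {
    "onelogin_tenant": "yourtenantname",
    "acs_url": "https://yourtenantname.onelogin.com/access/idp",  # Okta: Assertion Consumer URL
    "sp_entity_id": "https://app.onelogin.com/saml/metadata/PLACEHOLDER",  # OneLogin -> Okta
    "issuer": "http://www.okta.com/exkPLACEHOLDER",  # Okta setup page -> OneLogin: Issuer
    "idp_login_url": "https://clientname.okta.com/home/PLACEHOLDER/1",  # Embed Link -> IdP Login URL
    "certificate": DUMMY_PEM,  # downloaded from Okta -> OneLogin: Certificate
}


def check_config(cfg):
    """Return a list of problems with the values typed into the two consoles."""
    problems = []
    expected_acs = f"https://{cfg['onelogin_tenant']}.onelogin.com/access/idp"
    if cfg["acs_url"] != expected_acs:
        problems.append(f"ACS URL should be {expected_acs}, got {cfg['acs_url']}")
    # The Okta setup page renders "is" flush against the Issuer value; a pasted
    # "ishttp://..." is the mistake the article warns about.
    if not cfg["issuer"].startswith(("http://", "https://")):
        problems.append(f"Issuer is not a URL (stray prefix?): {cfg['issuer']!r}")
    if not cfg["idp_login_url"].startswith("https://"):
        problems.append("IdP Login URL (the Okta Embed Link) must be https")
    if not cfg["sp_entity_id"]:
        problems.append("SP Entity ID is empty; copy it from the OneLogin trust")
    m = PEM_RE.search(cfg["certificate"])
    if not m:
        problems.append("Certificate lacks its BEGIN/END CERTIFICATE lines")
    else:
        try:
            der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        except binascii.Error:
            problems.append("Certificate body is not valid base64")
        else:
            if not der or der[0] != 0x30:
                problems.append("Certificate body is not a DER SEQUENCE")
    return problems


def check_saml_response(xml_text, cfg):
    """Check a SAML Response's identifiers against the configured trust."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"]
    if root.get("Destination") != cfg["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg["issuer"]:
        problems.append(f"Issuer {issuer!r} != configured {cfg['issuer']!r}")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != cfg["sp_entity_id"]:
        problems.append(f"Audience {audience!r} != SP Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", namespaces=NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    return problems


# Constructed, unsigned Response carrying the configured identifiers.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2023-05-14T12:00:00Z" Destination="{CONFIG['acs_url']}">
  <saml:Issuer>{CONFIG['issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-05-14T12:00:00Z">
    <saml:Issuer>{CONFIG['issuer']}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{CONFIG['sp_entity_id']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for p in check_config(CONFIG) + check_saml_response(SAMPLE_RESPONSE, CONFIG):
        print("PROBLEM:", p)
    bad = dict(CONFIG, issuer="is" + CONFIG["issuer"])  # the stray-"is" paste
    print("with stray 'is':", check_config(bad))
```

Run it with the real values substituted into CONFIG before saving either console; an empty list from check_config means the identifiers are at least self-consistent. To use check_saml_response on a real login, capture the base64 SAMLResponse posted to /access/idp (browser developer tools), decode it and pass the XML in; a mismatch there points at which field was copied wrong, while a clean result with a still-failing login points at the certificate or signature rather than the identifiers.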


