Configuring Single Sign-On using Okta

Okta provides secure identity management software that lets you connect any person with any application on any device using Single Sign-On (SSO).

Perform the following steps for configuring SSO:

• Configure SSO on the vManage UI
• Configure SSO on the Okta website

To configure SSO on the vManage UI:

1. In vManage, click Administration ► Settings ► Identify Provider Settings ► Edit.

2. Click Enabled.

3. Navigate to Click here to download the SAML metadata and save the content in a file. This data will be used for configuring Okta.
4. In Metadata, you need the following information to configure Okta with vManage:

To configure SSO on the Okta website:

1. Log on to the Okta website.
2. Create a username using your email address.
   Make sure you are using the Classic UI view on Okta. If not, change your view to the Classic UI view by clicking on the Admin button in the upper-right corner.
3. On the next page in the upper-left corner, switch from the Developer Console view to the Classic UI view.
4. Navigate to Add applications ► Add application.
5. Select SAML 2.0 and click Create.
6. Use a string for Application name.
7. (Optional) Upload a logo and then click Next.
8. At SAML Settings, add the SSO URL using the samlLoginResponse URL from the downloaded metadata from the vManage UI.
9. Copy the entityID string and paste it in the Service Provider ID field.
10. For Name ID format, select EmailAddress and then click Enter.
11. For Application username, select Okta username.
12. For Show Advanced Settings, enter the fields as indicated below.

Component	Value	Configuration
Response	Signed
Assertion Signature	Signed
Signature Algorithm	RSA-SHA256
Digest Algorithm	SHA256
Assertion Encryption	Encrypted
Encryption Algorithm	AES256-CBC
Key Transport Algorithm	RSA-OAEP
Encryption Certificate		Copy the encryption certificate from the metadata you downloaded. Go to www.samltool.com and click on X.509 CERTS, paste there. Click Format X.509 Certificate. Make sure to remove the last empty line and then save the output (X.509.cert with header) into a text file encryption.cer. Upload the file. The Firefox browser may not allow you to do the upload. You can use the Chrome browser, however. You should see the certificate information after uploading to Okta.
Enable Single Logout		Make sure this is checked.
Single Logout URL		Get from the metadata.
SP Issuer		Use the entityID from the metadata.
Signature Certificate		Obtain from the metadata. Format the signature certificate using www.samltool.com as done above. Save to a file, for example, signing.cer and upload.
Authentication context class	X.509 Certificate
Honor Force Authentication	Yes
SAML issuer ID string	SAML issuer ID string
Attributes Statements (optional)	Name ► Username Name format (optional) ► Unspecified Value ► user.login
Group Attribute Statements (optional)	Name ► Groups Name format (optional) ► Unspecified Filter ► "Regex" - ".*"

13. Click Next.
14. For App type, check This is an internal app that we have created (optional).
15. Click Finish.
    This brings you to the Okta application page.
16. Click on View Setup Instructions.
17. Copy the IDP metadata.
18. Navigate back to the vManage UI.
19. Click on Identity Provider Settings.
20. Paste the IDP metadata that you copied on to Upload Identity Provider Metadata, and then click Save.

To assign users to the application in Okta:

1. On the Okta application page, navigate to Assignments ► People ► Assign.
2. Select Assign to people from the drop-down menu.
3. Click on Assign next to the user(s) you selected and click Done.
4. To add a user, click on Directory ► Add Person ► Save.