Introduction
This article describes how to configure Single Sign-On (SSO) for Systran SES using OKTA as the SAML 2.0 identity provider.
Description
OKTA is an identity-as-a-service (IDaaS) provider that can act as the identity provider for SAML 2.0 single sign-on with the Systran SES solution. This article describes, step by step, the configuration to do on the OKTA side and on the SES side.
Configuration
1) Systran SES application declaration in OKTA platform
On the OKTA dashboard, create a new SAML 2.0 application, then in the General section fill in the fields with the following parameters.
1.1) SAML Settings > General
Field | Value
Single Sign On URL | https://<SES_FQDN>/signin/callback
Recipient URL | https://<SES_FQDN>/signin/callback
Destination URL | https://<SES_FQDN>/signin/callback
Audience Restriction | https://<SES_FQDN>
Default Relay State | (empty)
Name ID Format | EmailAddress
Response | Signed
Assertion Signature | Signed
Signature Algorithm | RSA_SHA256
Digest Algorithm | SHA256
Assertion Encryption | Unencrypted
SAML Single Logout | Disabled
authnContextClassRef | PasswordProtectedTransport
Honor Force Authentication | Yes
SAML Issuer ID | https://<SES_FQDN>
Below is an example (screenshot in the original article).
1.2) SAML Settings > Attribute Statements
Name | Name Format | Value
userPrincipalName | Unspecified | user.login
givenName | Unspecified | user.firstName
familyName | Unspecified | user.lastName
 | Unspecified | user.email
Below is an example (screenshot in the original article).
In the Sign On section, click on SAML 2.0 > View Setup Instructions as below (screenshot in the original article).
Then save the Identity Provider Single Sign-On URL and the Identity Provider Issuer values and download the X.509 certificate; they are used on the SES side.
2) Systran SES SAML configuration
Copy the OKTA signing certificate (okta.cert) to /opt/systran/apps-node/enterprise-server/certificates/saml on the SES server. This is the identity provider's public certificate: SES uses it to verify the signature of the responses and assertions sent by OKTA.
On Systran SES, go to Administration > Settings > Authentication settings > SAML settings and fill in the fields with the following values.
Field | Value
Identity provider entry point | <The Identity Provider Single Sign-On URL provided by OKTA>
Issuer | https://<SES_FQDN>/signin/callback
Certificates |
Identity provider signature public key | certificates/saml/okta.cert
Service signature private key | Empty
Service signature public key | Empty
Decryption/Encryption private key | Empty
Decryption/Encryption public key | Empty
SAML Mapping |
Mapping of identifier | nameID
Mapping of given name | givenName
Mapping of family name | familyName
Mapping of email |
Additionals |
Accepted Clock skew | Empty
Identifier format | Empty
Signature algorithm | sha256
Attribute consuming service index | Empty
Authentication context |
Name identifier format | Empty
Do not request specific authentication context | false
Force re-authentication | false
Use form authentication after signout | true
Name identifier format for form authentication | EmailAddress
Below is an example (screenshot in the original article). The service signature keys and the decryption/encryption keys stay empty: with the OKTA settings of section 1.1 the assertion is sent unencrypted, and SES does not sign its authentication requests.
Change the Authentication mode from local to saml, then restart the Systran SES Console service:
Linux (RedHat/CentOS 7)
systemctl restart systran-ses-console
Linux (RedHat/CentOS 6)
service systran-ses-console restart
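The OKTA settings of section 1.1 and the SES settings of section 2 together define what a valid OKTA response must look like before SES accepts it. The following Python script is an added example, not Systran or OKTA code: it checks the structural fields of a SAML Response (Destination and Recipient URL, Audience, NameID format, signature presence and algorithms, absence of encryption, authentication context, mapped attributes) against those settings, which is useful when a login fails silently after the configuration. It assumes a hypothetical SES host ses.example.com and an OKTA issuer equal to the SAML Issuer ID of section 1.1; the sample response is constructed, with placeholder signature values, and the script does not verify XML signatures (SES does that with okta.cert).

```python
"""Offline check of an OKTA SAML Response against the settings described in this
article.  Added example, not Systran or OKTA code.  Structural checks only: the XML
signatures are NOT verified here."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"   # Signature Algorithm
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"           # Digest Algorithm
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # Name ID Format
AC_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def expected_settings(ses_fqdn, idp_issuer):
    """Values derived from section 1.1; idp_issuer is the Identity Provider Issuer
    shown in OKTA's setup instructions (here assumed equal to the SAML Issuer ID)."""
    return {"acs": "https://%s/signin/callback" % ses_fqdn,   # SSO/Recipient/Destination URL
            "audience": "https://%s" % ses_fqdn,             # Audience Restriction
            "idp_issuer": idp_issuer}


def _attr(el, path, attr):
    node = el.find(path, NS)
    return None if node is None else node.get(attr)


def check_response(xml_text, exp):
    """Return a list of findings; an empty list means the response matches the article."""
    f = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if root.get("Destination") != exp["acs"]:
        f.append("Destination URL does not match https://<SES_FQDN>/signin/callback")
    if root.find("ds:Signature", NS) is None:
        f.append("Response is not signed (OKTA: Response = Signed)")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        f.append("assertion is encrypted, but SES has no decryption key configured")
    a = root.find("saml:Assertion", NS)
    if a is None:
        f.append("no plaintext saml:Assertion in the response")
        return f
    if a.findtext("saml:Issuer", namespaces=NS) != exp["idp_issuer"]:
        f.append("assertion Issuer does not match the OKTA issuer")
    if a.find("ds:Signature", NS) is None:
        f.append("assertion is not signed (OKTA: Assertion Signature = Signed)")
    else:
        if _attr(a, "ds:Signature/ds:SignedInfo/ds:SignatureMethod", "Algorithm") != RSA_SHA256:
            f.append("assertion signature algorithm is not RSA_SHA256")
        if _attr(a, "ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", "Algorithm") != DIGEST_SHA256:
            f.append("assertion digest algorithm is not SHA256")
    if _attr(a, "saml:Subject/saml:NameID", "Format") != NAMEID_EMAIL:
        f.append("NameID Format is not EmailAddress (SES maps the identifier to nameID)")
    if _attr(a, "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", "Recipient") != exp["acs"]:
        f.append("Recipient URL does not match https://<SES_FQDN>/signin/callback")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != exp["audience"]:
        f.append("Audience does not match https://<SES_FQDN>")
    if a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS) != AC_PPT:
        f.append("AuthnContextClassRef is not PasswordProtectedTransport")
    names = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for needed in ("givenName", "familyName"):   # attributes mapped in SES SAML Mapping
        if needed not in names:
            f.append("attribute %s missing from the AttributeStatement" % needed)
    return f


# Constructed sample (not captured from a real OKTA tenant); signature values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" Destination="https://ses.example.com/signin/callback">
 <saml:Issuer>https://ses.example.com</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://ses.example.com</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
   <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://ses.example.com/signin/callback"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://ses.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
   <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="familyName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

EXPECTED = expected_settings("ses.example.com", "https://ses.example.com")  # hypothetical host

if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE, EXPECTED) or ["response matches the article's settings"]:
        print(finding)
```

To check a real login, decode the base64 SAMLResponse form field captured by the browser (the POST to /signin/callback) and pass the XML to check_response with your own FQDN and the Identity Provider Issuer from OKTA's setup instructions; every finding points at the OKTA or SES field to correct.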
3) Test SSO Authentication
User with no admin rights
You can now log in to SES with your SSO credentials. After the first login attempt, you may get the following error message (screenshot in the original article) because the newly created SAML account has no admin rights yet.
In that case, connect to SES over SSH and switch the authentication mode back from SAML to local in the settings database:
mongo
use settings
db.settings.update({"settings.Auth.mode" : "saml"},{$set:{"settings.Auth.mode" : "local"}})
exit
And restart the Systran-SES-Console
Linux (RedHat/CentOS 7)
systemctl restart systran-ses-console
Linux (RedHat/CentOS 6)
service systran-ses-console restart
You can now log in again with the local admin@systran.fr account, go to Administration > Users, search for your SAML account and add the super role as below (screenshot in the original article).
You can now switch back from local to SAML authentication mode:
mongo
use settings
db.settings.update({"settings.Auth.mode" : "local"},{$set:{"settings.Auth.mode" : "saml"}})
exit
And restart the Systran-SES-Console
Linux (RedHat/CentOS 7)
systemctl restart systran-ses-console
Linux (RedHat/CentOS 6)
service systran-ses-console restart
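The mongo update and restart sequence above has to be typed twice, and the update filter only matches when the stored mode is the opposite one, so a typo or a wrong current mode silently changes nothing before the service is restarted. The following Python script is an added example, not Systran code: it runs the same update through the mongo shell, checks the WriteResult so that the service is only restarted when the mode actually changed, and picks systemctl or service according to the host. It assumes the legacy mongo shell (2.6 or newer, so that update() returns a WriteResult) is on PATH, that the settings database and document layout are exactly as in the commands above, and that it runs as root on the SES host.

```python
"""Switch the SES authentication mode between local and saml, then restart the
console.  Added example, not Systran code; assumes the legacy mongo shell (>= 2.6)
on PATH and the settings layout shown in the article."""
import json
import shutil
import subprocess
import sys

MODES = ("local", "saml")
SERVICE = "systran-ses-console"


def mongo_eval(target):
    """JavaScript for `mongo --eval`: the article's update, wrapped in printjson so the
    WriteResult (nMatched/nModified) can be checked instead of assumed."""
    current = "saml" if target == "local" else "local"
    return ('printjson(db.settings.update({"settings.Auth.mode": "%s"}, '
            '{$set: {"settings.Auth.mode": "%s"}}))' % (current, target))


def restart_command(has_systemctl):
    """RedHat/CentOS 7 (systemd) uses systemctl, RedHat/CentOS 6 uses service."""
    if has_systemctl:
        return ["systemctl", "restart", SERVICE]
    return ["service", SERVICE, "restart"]


def switch_auth_mode(target, run=subprocess.run, has_systemctl=None):
    """Apply the update and restart the console.  Returns the parsed WriteResult.
    Raises if the mode is unknown or if no document was modified, so the service is
    never restarted after a no-op update (e.g. the mode was already `target`)."""
    if target not in MODES:
        raise ValueError("mode must be one of %s" % (MODES,))
    proc = run(["mongo", "--quiet", "settings", "--eval", mongo_eval(target)],
               capture_output=True, text=True, check=True)
    result = json.loads(proc.stdout)
    if result.get("nModified") != 1:
        raise RuntimeError("auth mode not changed: %s" % proc.stdout.strip())
    if has_systemctl is None:
        has_systemctl = shutil.which("systemctl") is not None
    run(restart_command(has_systemctl), check=True)
    return result


if __name__ == "__main__":
    # usage: python ses_auth_mode.py local|saml
    switch_auth_mode(sys.argv[1] if len(sys.argv) > 1 else "")
```

The `run` and `has_systemctl` parameters exist so the command composition can be exercised without a mongo instance; on the SES host both defaults apply and the script behaves like the manual sequence above.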
User not assigned in OKTA
If the user is not assigned to the Systran SES application in OKTA, you may get the following error message (screenshot in the original article).
In that case, assign the user or the group to the application in the Admin > Applications > Assignments section as below (screenshot in the original article).