Setting Up Single Sign-on Integration

Okta SAML (Security Assertion Markup Language) provides authentication and authorization between Metacloud Identity (keystone) and your service provider. With Single Sign-on (SSO) integration, you no longer need to create individual username and password-based accounts for Metacloud users. This allows for easier integration across groups of users and different organizations in your environment.

To set up SSO using SAML, complete the following:

  • Create a group in Metacloud that is mapped to a group in your Identity Provider. See Setting Up Groups for Single Sign-on.
  • Create the Identity Provider Metadata file using your company’s Okta instance.
  • Ensure network access to the Metacloud API endpoint, the Metacloud Dashboard, and your company’s Okta instance from a single system.

Creating the Identity Provider Metadata File

You must add an application to your company’s Okta instance and create your Identity Provider Metadata XML file. The Metacloud Support team requires the IdP metadata file to configure and deploy SAML authentication for your users.

To create the Identity Provider Metadata XML file:

  1. Log in as an administrator to your company’s Okta instance.
  2. Click Admin on the top right of the Okta Dashboard.
  3. Select Applications from the Applications drop-down list.
  4. Click Add Application.
  5. Click Create New App and select SAML 2.0.
  6. Enter a name for your project and click Next.
  7. Enter your Availability Zone (AZ) single sign-on URL in the URL field. For example:

    https://<API-AZ.METACLOUD.NET>:5000/Shibboleth.sso/SAML2/POST

  8. Enter your AZ-specific entityID in SP Entity ID, for example:

    https://<API-AZ.METACLOUD.NET>:5000

  9. Select Unspecified for the Name ID format.
  10. Select Okta Username for the Application Username.
  11. Click Advanced Settings.
  12. Select Encrypted for Assertion Encryption and upload your Metacloud SAML certificate (mc-sp-cert.pem) in Encryption Certificate.
  13. Enter the following as a single attribute statement in the Attribute Statements section:

    • Name: urn:oid:0.9.2342.19200300.100.1.1
    • Name format: URI Reference
    • Value: user.login

  14. Enter the following as a single group attribute statement in the Group Attributes section, so that every group the user is a member of is sent to Metacloud:

    • Name: groups
    • Name format: Unspecified
    • Filter: regex, .*

  15. Click Next.
  16. Select Okta Customer and Internal App, and then click Finish. Your Application Details page displays.
  17. Select the Sign On tab and click View Setup Instructions.
  18. Save the XML file located in the Optional section as Identity Provider Metadata and add it to the request you created for the Metacloud Support team.

The Metacloud Support team will then configure and deploy your Metacloud instance for single sign-on authentication.
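Before attaching the metadata file from step 18 to the support request, it is worth confirming that the XML you saved is really Identity Provider metadata and carries what the Shibboleth service provider on the Metacloud side needs: an entityID, a signing certificate, an HTTPS single sign-on endpoint with the HTTP-POST binding, and the Unspecified NameID format chosen in step 9. The checker below is an added example and is not code from the Metacloud or Okta documentation; it assumes the file is the XML offered for download on the application's Sign On tab, and the embedded SAMPLE_METADATA is a constructed stand-in whose entityID, URLs and certificate text are placeholders.

```python
"""Sanity-check an Okta-exported SAML IdP metadata file before handing it on.

Added example, not code from the Metacloud or Okta documentation. SAMPLE_METADATA
is a constructed stand-in for the real file; its entityID, URLs and certificate
text are placeholders.
"""
import base64
import binascii
# The stdlib parser is adequate for a file you exported yourself; for metadata
# received from anyone else, parse it with defusedxml instead.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UNSPECIFIED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample of what Okta's IdP metadata looks like (placeholder values).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE-IDP-ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIBsampleCERTdataXX</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/EXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/EXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and report what the service provider needs from it.

    Returns entity_id, sso_post_url, name_id_formats and a list of problems;
    an empty problems list means the file has the pieces the SP relies on to
    verify Okta's signed assertions and to know where to send users.
    """
    result = {"entity_id": None, "sso_post_url": None,
              "name_id_formats": [], "problems": []}
    problems = result["problems"]
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        problems.append("root element is not md:EntityDescriptor")
        return result
    result["entity_id"] = root.get("entityID")
    if not result["entity_id"]:
        problems.append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata "
                        "(SP metadata describes your own side, not Okta)")
        return result
    # Signing certificate: a KeyDescriptor with use="signing", or with no use
    # attribute at all (which in SAML metadata means signing and encryption).
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text and cert.text.strip():
            signing_certs.append("".join(cert.text.split()))
    if not signing_certs:
        problems.append("no signing certificate: assertions could not be verified")
    for cert in signing_certs:
        try:
            base64.b64decode(cert, validate=True)
        except (binascii.Error, ValueError):
            problems.append("X509Certificate is not valid base64")
    # SSO endpoint: where the SP sends its AuthnRequest. The URL from step 7 is
    # the SP-side endpoint that Okta posts the response back to, not this one.
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            result["sso_post_url"] = sso.get("Location")
    if not result["sso_post_url"]:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    elif not result["sso_post_url"].startswith("https://"):
        problems.append("SSO endpoint is not https")
    result["name_id_formats"] = [
        (f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    if UNSPECIFIED_NAMEID not in result["name_id_formats"]:
        problems.append("metadata does not advertise the Unspecified NameID "
                        "format selected for the application")
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(check_idp_metadata(SAMPLE_METADATA), indent=2))
```

Run it against the file you saved in step 18 (replace SAMPLE_METADATA with the file contents); anything listed under problems is worth resolving with the Okta application settings before the support ticket goes out, since the support team configures the SP from exactly this file.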

Note
See the Okta help site Using the App Integration Wizard for more detailed information.