Skip to main content

Privacera Platform master publication

Portal SSO with Okta using SAML
:

Okta is a third-party identity provider, offering single sign-on (SSO) authentication and identity validation services for a large number of Software-as-a-Service providers. PrivaceraCloud works with Okta's SAML (Security Assertion Markup Language) interface to provide an SSO/Okta login authentication to the Privacera portal. For more information, see CLI configuration.

Integration with Okta begins with configuration steps in the Okta administrator console. These steps also generate a Privacera portal account-specific identity_provider_metadata.xml file and an Identity Provider URL that are used in the Privacera CLI configuration steps.

Prerequisites

To configure SSO with Okta , you need to configure and enable SSL for the Privacera Portal. See Enable CA Signed Certificates or Enable Self Signed Certificates.

Note

To use Okta SSO with Privacera portal, you must have already established an Okta SSO service account. The following procedures require Okta SSO administrative login credentials.

Generate an Okta Identity Provider Metadata File and URL
  1. Log in to your Okta account as the Okta SSO account administrator.

  2. Select Applications from the left navigation panel, then click Applications subcategory.

  3. From the Applications page, click Create App Integration.

    Note

    In addition to creating new applications you can also edit existing apps with new configuration values.

  4. Select SAML 2.0, then click Next.

  5. In General Settings, provide a short descriptive app name in the App name text box. For example, enter Privacera Portal SAML.

  6. Click Next.

  7. In the SAML Settings configuration page, enter the values as shown in the following table:

    Field

    Value

    Single sign on URL

    http://portal_hostname:6868/saml/SSO

    Audience URI (SP Entity ID)

    privacera_portal

    Default RelayState

    The value identifies a specific application resource in an IDP initiated SSO scenario. In most cases this field will be left blank.

    Name ID format

    Unspecified

    Application username

    Okta username

    UserID

    user.login

    Email

    user.email

    Firstname

    user.firstName

    LastName

    user.LastName

    Note

    If user’s login id is is not the same as the username, for example if user login id is email, this attribute will be considered as username in the portal. The username value would be email with the domain name (@gmail.com) removed. For example "john.joe@company.com", the username would be "john.joe". If there is another attribute which can be used as the username then this value will hold that attribute.

  8. Click Next.

  9. Select the Feedback tab and click I'm an Okta customer adding an internal app.

  10. Click Finish.

  11. From the General tab, scroll down to the App Embed Link section. Copy the Embed Link (Identity Provider URL) for PrivaceraCloud.

IdP provider metadata

In this topic, you will learn how to generate and save IdP provider metadata in XML format.

  1. Go to Sign On tab.

    > Settings, select the Identity Provider Metadata link located at the bottom of the Sign on methods area. The configuration file will open in a separate window.

  2. In the SAML Signing Certificates section, click the Generate new certificate button.

  3. In the list, click the Actions dropdown and select View IdP metadata.

    The XML file will be opened in a new tab.

    Note

    Make sure that the certificate you are downloading has an active status.

  4. Save the file in XML format.

Idp initiated SSO
  1. From Applications, login to the Okta Home Page Dashboard as a user by selecting the Okta Dashboard icon.

  2. Login to the Privacera Portal by selecting the newly added app icon.

CLI configuration
  1. SSH to the instance where Privacera is installed.

  2. Run the following command:

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.saml.aad.yml config/custom-vars/
  3. Edit the vars.portal.saml.aad.yml file.

    vi config/custom-vars/vars.portal.saml.aad.yml

    Modify the SAML_ENTITY_ID. You need to assign the value of the Entity ID achieved in the above section. For property details and description, refer to the Configuration Properties below.

    SAML_ENTITY_ID: "privacera-portal"
    SAML_BASE_URL: "https://{{app_hostname}}:6868"
    PORTAL_UI_SSO_ENABLE: "true"
    PORTAL_UI_SSO_URL: "saml/login"
    PORTAL_UI_SSO_BUTTON_LABEL: "Azure AD Login"
    AAD_SSO_ENABLE: "true"
  4. Rename the downloaded Federation Metadata XML file as privacera-portal-aad-saml.xml. Copy this file to the ~/privacera/privacera-manager/ansible/privacera-docker/roles/templates/custom folder.

  5. Run the following command:

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
  6. If you are configuring the SSL in an Azure Kubernetes environment, then run the following command.

     ./privacera-manager.sh restart portal
Configuration properties

Property

Description

Example

AAD_SSO_ENABLE

Enabled by default.

SAML_ENTITY_ID

Get the value from the Prerequisites section.

privacera-portal

SAML_BASE_URL

https://{{app_hostname}}:6868

PORTAL_UI_SSO_BUTTON_LABEL

Azure AD Login

PORTAL_UI_SSO_URL

saml/login

SAML_GLOBAL_LOGOUT

Enabled by default. The global logout for SAML is enabled. Once a logout is initiated, all the sessions you've accessed from the browser would be terminated from the Identity Provider (IDP).

META_DATA_XML

Browse and select the Federation Metadata XML, which you downloaded in the Prerequisites section.

Validation

Go to the login page of the Privacera Portal. You will see the Okta Login button.

Configure SAML assertion attributes

By default, the following assertion attributes are configured with pre-defined values:

  • Email

  • Username

  • Firstname

  • Lastname

You can customize the values for the assertion attributes. To do that, do the following:

  1. Run the following commands.

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.yml config/custom-vars/
    vi config/custom-vars/vars.portal.yml
  2. Add the following properties and assign your values. For more information on custom properties and its values, click here.

    SAML_EMAIL_ATTRIBUTE: ""
    SAML_USERNAME_ATTRIBUTE: ""
    SAML_LASTNAME_ATTRIBUTE: ""
    SAML_FIRSTNAME_ATTRIBUTE: ""
  3. Add the properties in the YAML file configured in the Configuration above.

     cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update