Okta as an external IDP
You can integrate STA with an external identity provider (IDP) to redirect network traffic from STA to the external IDP for user authentication. STA remains the primary IDP while orchestrating the use of an external or secondary IDP.
The external IDP can be either an exclusive authentication method or the second authentication method. It cannot be the first authentication method in a multi-factor authentication environment.
In this documentation, Okta is used as an external IDP.
Integrating STA with Okta requires:
Create an application in Okta
Create an application in Okta with STA as an OpenID Connect (OIDC) application.
As a prerequisite, obtain the STA redirect URI:
1. On the STA Management Console, select Settings > External Identity Provider. If this is the first external IDP that you are adding, select Setup.
2. On the External Identity Provider page, select Set up new IDP.
3. Under Redirect URI, select Copy to copy the redirect URI, and paste it in a text editor for future use.
Configuring STA as an OIDC application in Okta requires:
Register an OIDC application
Register STA as an OIDC application in Okta:
1. Log in to the Okta administrative dashboard as an administrator.
2. In the left pane, select Applications > Applications.
3. On the Applications window, select Create App Integration.
4. On the Create a new app integration window, perform the following steps:
   a. Under Sign-in method, select the OIDC - OpenID Connect option.
   b. Under Application type, select the Web Application option.
   c. Select Next.
5. On the New Web App Integration window, perform the following steps:
   a. In the App integration name field, enter a name for the application (for example, SafeNet Trusted Access).
   b. Under Grant type, under Client acting on behalf of a user, select the Authorization Code checkbox.
   c. Under Sign-in redirect URIs, replace the URL with the STA redirect URI that you obtained as a prerequisite.
   d. Under Assignments, select the Skip group assignment for now option.
   e. Select Save.
6. Your application (for example, STA) window is displayed. On the General tab, copy the values of the Client ID and CLIENT SECRETS fields and paste them in a text editor. You need these values when you add Okta as an external IDP in STA.
7. On the General tab, select Edit.
8. Scroll down to Login settings, and for Initiate login URI, add the STA redirect URI that you obtained as a prerequisite.
9. Go to the Assignments tab. To assign the application to either People or Groups, select Assign > Assign to People or Assign > Assign to Groups, respectively.
Configure claims
You need to configure an ID token claim because STA reads the ID token claim value after a user is authenticated by the external IDP (here, Okta).
1. On the dashboard, in the left pane, select Security > API.
2. On the API window, on the Authorization Servers tab, in the Name column, select default to open the authorization server settings.
3. Perform the following steps:
   a. On the Settings tab, copy the value of the Metadata URI field and paste it in the text editor. You need this value when you configure Okta as an external IDP in STA.
   b. Go to the Claims tab. Under Claim type, select ID and verify that the claim has a valid Name and Value. If not, select Add Claim to configure a claim.
   c. On the Add Claim window, perform the following steps:
      i. In the Name field, enter a name for the claim (for example, ID or mail).
         The claim name cannot be sub, because sub is already used in the access token as the default claim. Remember the claim name, because you use it when you set up Okta as an external IDP in STA.
      ii. Under Include in token type, in the first list, select ID Token and in the second list, select Always.
      iii. In the Value type field, select Expression.
      iv. In the Value field, enter (appuser != null) ? appuser.userName : app.clientId, or enter the same value that is already defined in the access token.
      v. Select Create.
Add Okta as an external IDP
Perform the following steps to add Okta as an external IDP in STA:
1. On the STA Management Console, select Settings > External Identity Provider.
2. On the External Identity Provider window, on the top-right side, click Edit.
3. Under Display Names, perform the following steps:
   a. In the IDENTITY PROVIDER NAME field, enter a name for your IDP (for example, Okta).
   b. In the CREDENTIALS NAME field, enter the authentication method that the external IDP uses (for example, Password).
   In policies, these names identify the external IDP in the format [Identity Provider Name] ([Credentials Name]) (for example, Okta (Password)).
4. Under Server Details, perform the following steps:
   a. In the CLIENT ID field, enter the client identifier that you copied in step 6 of Register an OIDC application. This is the OIDC application (client) ID that is used to identify Okta.
   b. In the CLIENT SECRET field, enter the shared secret that you copied in step 6 of Register an OIDC application. STA sends the OIDC shared secret to authenticate the redirection request with Okta.
   c. In the WELL-KNOWN CONFIGURATION ENDPOINT field, enter the Metadata URI of Okta that you copied in step 3a of Configure claims.
   d. Click Load to populate the Endpoint URLs and the Issuer fields.
5. Under User Mapping, perform the following steps:
   a. In the REQUEST USER IDENTIFIER field, ensure that E-mail address is selected. This is the STA user attribute that is sent in the authentication request to the external IDP.
   b. In the VERIFICATION USER IDENTIFIER field, ensure that E-mail address is selected. This identifier is generally identical to the request user identifier. It is the STA user attribute that is matched against the content of the specified ID token claim.
   c. In the VERIFICATION CLAIM NAME field, enter the name of the claim (for example, ID) that you added in step 3c of Configure claims. This is the claim in the returned ID token that contains the user identifier to be verified.
   The solution was tested with the E-mail Address user attribute for user mapping. You can configure user mapping as per your preferred configuration.
6. Select Save.
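As an added illustration (not part of the STA or Okta documentation), the following Python mirrors what the Load button and the User Mapping settings above do: it reads the Issuer and endpoint URLs from a constructed well-known configuration document, then checks a decoded ID token's issuer, audience, expiry and verification claim against the STA user's e-mail address. The host, client ID, claim values and the exact-match comparison are assumptions.

```python
import json
import time

# Constructed stand-in for the document Okta serves at the Metadata URI
# (the well-known configuration endpoint); host and paths are placeholders.
WELL_KNOWN = json.dumps({
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
})

def load_endpoints(well_known_json):
    """What the Load button does: pull the Issuer and Endpoint URLs out of the
    well-known document, and reject a document that is missing any of them."""
    doc = json.loads(well_known_json)
    required = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [key for key in required if key not in doc]
    if missing:
        raise ValueError("well-known configuration lacks: " + ", ".join(missing))
    return {key: doc[key] for key in required}

def verify_user_mapping(claims, issuer, client_id, claim_name, sta_user_email, now=None):
    """Check a decoded ID token payload against the User Mapping settings: issuer,
    audience (the Client ID), expiry, and the VERIFICATION CLAIM NAME holding the
    STA user's e-mail. Assumes the signature was already verified via jwks_uri."""
    if claim_name == "sub":
        raise ValueError("sub is reserved as the default access-token claim")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "audience is not this client"
    if claims.get("exp", 0) <= now:
        return False, "ID token expired"
    if claim_name not in claims:
        return False, "claim %s absent from ID token" % claim_name
    if claims[claim_name] != sta_user_email:  # exact match assumed
        return False, "claim value does not match the STA user"
    return True, "ok"

if __name__ == "__main__":
    endpoints = load_endpoints(WELL_KNOWN)
    # Constructed ID token payload, shaped like the one Okta returns after sign-in.
    token = {"iss": endpoints["issuer"], "aud": "0oaEXAMPLECLIENTID",
             "exp": int(time.time()) + 300, "ID": "alice@example.com"}
    print(verify_user_mapping(token, endpoints["issuer"], "0oaEXAMPLECLIENTID",
                              "ID", "alice@example.com"))
```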
Add Okta in a policy
The external IDP Okta is now an authentication method that you can add in STA policies and authentication scenarios.
1. On the STA Management Console, select the Policies tab.
2. Select the icon to add a new policy or a scenario.
3. Enter a name and a description for the policy.
4. Under Scope, select the users and the applications to which you want to apply the policy.
5. Under Decision > Authentication methods, select the authentication method as per your preferred configuration.
6. Under External identity provider, select Okta (Password), the external IDP that you added earlier.
7. Select Save.
For more information, refer to the Add a Policy section in the STA Online Documentation.
Verify Authentication
Using the STA console
Navigate to the end application SSO URL.
You are redirected to your STA sign-in page. Enter your primary directory login information and approve the two-factor authentication; you are then redirected to the Okta sign-in page. Enter your Okta login credentials, and you are redirected to the application dashboard.
Using the STA user portal
Navigate to the user portal URL to log in to the STA user portal dashboard. On the dashboard, you see a list of applications to which you have access. Click the end application icon; you are redirected to the Okta sign-in page. Enter your Okta login credentials, and you are redirected to the application dashboard.