Before Security Center can use Okta to authenticate users with SAML 2.0, setup is required in Config Tool and the Okta Admin Console.
This example shows the steps required to set up third-party authentication with Okta using SAML 2.0. The procedure is divided into the following sections:
To implement third-party authentication, you must have administrator rights in Security Center and Okta.
1 - Preparing Security Center
- Open Config Tool and connect to the Security Center main server as an administrator.
- In Config Tool, open and click .
- In the Creating a role: Authentication Service window, select SAML2 and click Next.
- Enter a name and an optional description for the new Authentication Service role and click Next.
  NOTE: If your system has multiple partitions, you can also add the new role to a specific partition here.
- On the Summary page, ensure all the information is correct, click Create, and click Close.
- In the newly created role, click the Network endpoint tab.
- On the Network endpoint page, copy the redirect and logout URIs. These are needed to configure the Okta Single sign on URL and Single Logout URL.
  NOTE: You might need to restart the System task to see the endpoint URIs. The same URIs are used for OIDC and SAML 2.0. These URIs must be reachable from all clients using Single Sign-On.
- On the Security Center main server, follow the instructions for your operating system to export the public key certificate used by the Security Center main server in X.509 format.
  NOTE: The certificate Common Name (CN) or Subject Alternative Name (SAN) must match the hostname, IP address, or Fully Qualified Domain Name (FQDN) that is used in the redirect and logout URIs. This public key is required by Okta to enable Single Logout. The Security Center certificate is shown in the Secure communication section on the Server Admin - Main server page.
2 - Preparing Okta
- Have an Okta administrator account.
- Have provisioned at least one user.
- Have provisioned at least one user group that contains the users you want to grant access to Security Center.
- In the Okta Admin Console, select Create App Integration.
- In the Create a new app integration wizard, select SAML 2.0 and click Next.
- In the Create SAML Integration wizard, enter the App name and click Next.
- On the Configure SAML page, set the following:
  - Single sign on URL: the redirect URI copied from Security Center
    NOTE: If more than one URI is required, select Allow this app to request other SSO URLs and enter the additional URIs as needed.
  - Audience URI (SP Entity ID): enter urn:SecurityCenter
  - Name ID format: select Persistent
- Still in the SAML Settings section, click Show Advanced Settings and set the following:
  - Enable Single Logout
  - Single Logout URL: the /genetec endpoint copied from the logout URIs in Security Center
  - SP Issuer: enter urn:SecurityCenter
  - Signature Certificate: upload the public key certificate exported from Security Center
- In the Attribute Statements section, set the following:
  - Name: login
  - Name format: URI Reference
  - Value: user.login
- In the Group Attribute Statements section, set the following:
  - Name: groups
  - Name format: URI Reference
  - Filter: Matches regex, with the value .*
    NOTE: The Matches regex filter with .* returns all groups to which the authenticated user belongs. If required, the filter can also be used to exclude certain groups. At least one group assigned to Security Center must be included to grant access.
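As an added example, not part of this guide or of Genetec's or Okta's code, the check below parses a constructed SAML assertion of the shape the configuration above produces and verifies the fields this procedure sets (persistent NameID, audience urn:SecurityCenter, the login and groups attributes in URI Reference format, and at least one group that is assigned to Security Center). The `okta_group_filter` helper is an assumption that models Okta's Matches regex filter as a full match, so that the effect of a narrower pattern than `.*` can be previewed before it is deployed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"   # Okta "URI Reference"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"   # Okta "Persistent"
EXPECTED_AUDIENCE = "urn:SecurityCenter"

# Constructed sample assertion: signature, timestamps and issuer omitted for brevity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">00uEXAMPLE</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:SecurityCenter</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="login" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>SC-Operators</saml:AttributeValue><saml:AttributeValue>Everyone</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def okta_group_filter(regex, groups):
    """Assumed model of Okta's 'Matches regex' group filter: keep group names the pattern fully matches."""
    pattern = re.compile(regex)
    return [g for g in groups if pattern.fullmatch(g)]

def check_assertion(xml_text, sc_groups):
    """Return (ok, problems, login, groups) after checking the fields this procedure configures."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"audience {audiences} does not include {EXPECTED_AUDIENCE}")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("NameFormat") != URI_NAME_FORMAT:
            problems.append(f"attribute {attr.get('Name')} is not in URI Reference name format")
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    login = attrs.get("login", [None])[0]
    if not login:
        problems.append("login attribute missing or empty")
    groups = attrs.get("groups", [])
    # Access requires at least one asserted group that is assigned to Security Center.
    if not set(groups) & set(sc_groups):
        problems.append("no asserted group is assigned to Security Center")
    return (not problems, problems, login, groups)

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, ["SC-Operators"]))
    print(okta_group_filter("SC-.*", ["SC-Operators", "Everyone"]))
```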