How to integrate Security Center with Okta using SAML 2.0 - Security Center 5.10

Security Center Administrator Guide 5.10

Applies to: Security Center 5.10
Last updated: 2023-06-12
Content type: Guides > Administrator guides
Language: English
Product: Security Center
Version: 5.10

Before Security Center can use Okta to authenticate users with SAML 2.0, setup is required in Config Tool and the Okta Admin Console.

This example shows the steps required to set up third-party authentication with Okta using SAML 2.0. The procedure is divided into the following sections:

  1. Preparing Security Center
  2. Preparing Okta
  3. Integrating Security Center with Okta

To implement third-party authentication, you must have administrator rights in Security Center and Okta.

IMPORTANT: This sample integration might differ from your requirements and the Okta Admin Console is subject to change. When setting up Okta, ensure that all steps are adapted to your specific situation.

1 - Preparing Security Center

  1. Open Config Tool and connect to the Security Center main server as an administrator.
  2. In Config Tool, open System > Roles and click Add an entity > Authentication Service.
    Add an entity menu in Config Tool, with the Authentication Service role highlighted.
  3. In the Creating a role: Authentication Service window, select SAML2 and click Next.
    Creating a role: Authentication Service window in Config Tool, with the SAML 2.0 protocol selected.
  4. Enter a name and optional description for the new Authentication Service role and click Next.
    Creating a role: Authentication Service window in Config Tool showing the Basic information fields for Okta.
    NOTE: If your system has multiple partitions, you can also add the new role to a specific partition here.
  5. On the Summary page, ensure all the information is correct, click Create, and click Close.
  6. In the newly created role, click the Network endpoint tab.
  7. On the Network endpoint page, copy the redirect and logout URIs. These are needed to configure the Okta Single sign on URL and Single Logout URL.
    NOTE: You might need to restart the System task to see the endpoint URIs.

    The same URIs are used for OIDC and SAML 2.0. These URIs must be reachable from all clients using Single Sign-On.

    Network endpoint page of the Authentication Service role in Config Tool showing redirect and logout URIs.
  8. On the Security Center main server, follow the instructions for your operating system to export the public key certificate used by the Security Center main server in X.509 format.
    NOTE: The certificate Common Name (CN) or Subject Alternative Name (SAN) must match the hostname, IP address, or Fully Qualified Domain Name (FQDN) that is used in the redirect and logout URIs.

    This public key is required by Okta to enable Single Logout. The Security Center certificate is shown in the Secure communication section on the Server Admin - Main server page.

    Server Admin - Main server page showing the Secure communication section.

2 - Preparing Okta

Before completing these steps in the Okta Admin Console, you must meet all of the following prerequisites:
  • Have an Okta administrator account.
  • Have provisioned at least one user.
  • Have provisioned at least one user group that contains the users you want to grant access to Security Center.

  1. In the Okta Admin Console, select Applications > Applications and then click Create App Integration.
    Okta Admin Console showing the Create App Integration button on the Applications page.
  2. In the Create a new app integration wizard, select SAML 2.0 and click Next.
    Create a new app integration wizard in the Okta Admin Console, with SAML 2.0 selected.
  3. In the Create SAML Integration wizard, enter the App name and click Next.
    New Web App Integration page in the Okta Admin Console, with callouts to App integration name and Grant type.
  4. On the Configure SAML page, set the following:
    • Single sign on URL: the redirect URI copied from Security Center
      NOTE: If more than one URI is required, select Allow this app to request other SSO URLs and enter the additional URIs as needed.
    • Audience URI (SP Entity ID): enter urn:SecurityCenter
    • Name ID format: select Persistent
    Configure SAML page in the Okta Admin Console, with callouts to Single sign on URL, Audience URI, and Name ID format.
  5. Still in the SAML Settings section, click Show Advanced Settings and set the following:
    • Enable Single Logout: select this option
    • Single Logout URL: the /genetec endpoint copied from the logout URIs in Security Center
    • SP Issuer: enter urn:SecurityCenter
    • Signature Certificate: upload the public key certificate exported from Security Center
    Configure SAML page in the Okta Admin Console, with callouts to Single Logout settings.
  6. In the Attribute Statements section, set the following:
    Name: login
    Name format: URI Reference
    Value: user.login
    Configure SAML page in the Okta Admin Console, with a callout to Attribute Statements.
  7. In the Group Attribute Statements section, set the following:
    Name: groups
    Name format: URI Reference
    Filter: Matches regex .*
    NOTE: The Matches regex filter with .* returns all groups to which the authenticated user belongs.

    If required, the filter can also be used to exclude certain groups. At least one group assigned to Security Center must be included to grant access.

    Configure SAML page in the Okta Admin Console, with a callout to Group Attribute Statements.
  8. Click Next.
  9. On the Feedback page, select I'm an Okta customer adding an internal app, provide optional feedback, and click Finish.
  10. On the Sign On page for your application, do the following:
    1. Copy the Identity Provider metadata URL. This is the Metadata URL required by the Authentication Service role in Security Center.
    2. Click View Setup Instructions.
    Application Sign On page in the Okta Admin Console, with callouts to Identity Provider metadata and View Setup Instructions.
  11. On the How to Configure SAML 2.0 for <application> page, download the X.509 Certificate.
  12. On the Assignments page for your application, assign the Security Center user groups to the application.
    Application Assignments page in the Okta Admin Console showing group assignments.

3 - Integrating Security Center with Okta

  1. On the Security Center main server, follow the instructions for your operating system to import the Okta certificate.
    NOTE: You might need to restart Windows for the certificate to take effect.
  2. In Config Tool, open the Authentication Service role that was created earlier, and click the Properties tab.
  3. Complete the properties as follows:
    Display name: When logging on to Security Center, each third-party authentication option is presented as a button with the text "Sign in with <display name>".
    Metadata URL: Enter the Identity Provider metadata URL that was copied from Okta.
    Audience: urn:SecurityCenter
    Domain names: The domain names of the users who will authenticate using Okta, such as genetec.com. You must enter at least one.
    Username assertion: login
    Group assertion: groups

    Leave all other properties with the default value.

  4. Click Apply.
  5. In Security Center, create one or more user groups with exactly the same names as the groups assigned to the Security Center application in Okta.
  6. Add the groups that are authorized to connect using Okta to the User groups list of the Authentication Service role.
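As an added check, not code from Genetec or Okta, the following Python script validates a constructed sample assertion against the settings configured in the two sections above: the urn:SecurityCenter audience, a persistent Name ID, the login attribute against the configured domain names, and the groups attribute against the user groups authorized on the role. It assumes the assertion's signature has already been verified, and the domain and group matching rules are assumptions about how the role applies those properties.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion (not captured from Okta), shaped like the "login"/"groups" statements above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>urn:SecurityCenter</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="login" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jdoe@genetec.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>SC Operators</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, audience="urn:SecurityCenter", domains=("genetec.com",),
                    username_attr="login", group_attr="groups", authorized_groups=("SC Operators",)):
    """Return (ok, reasons). Mirrors the role properties above; the domain and
    group matching rules are assumptions, and signature checks happen before this."""
    root = ET.fromstring(xml_text)
    reasons = []
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if audience not in audiences:
        reasons.append(f"audience mismatch: {audiences}")
    # Okta was configured to send a persistent Name ID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        reasons.append("NameID missing or not persistent")
    # Collect attribute values by name (the Username assertion / Group assertion properties).
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    login = (attrs.get(username_attr) or [""])[0] or ""
    domain = login.rsplit("@", 1)[1].lower() if "@" in login else ""
    if domain not in {d.lower() for d in domains}:
        reasons.append(f"username {login!r} not in configured domain names")
    # At least one asserted group must match a user group authorized on the role.
    groups = set(attrs.get(group_attr, []))
    if not groups & set(authorized_groups):
        reasons.append(f"no authorized group among {sorted(groups)}")
    return (not reasons, reasons)
```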