How to integrate Security Center with Okta using SAML 2.0 - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Locale: en-US
Last updated: 2025-01-28

Before Security Center can use Okta to authenticate users with SAML 2.0, setup is required in Config Tool and the Okta Admin Console.

This example shows how to set up third-party authentication with Okta using SAML 2.0. The procedure is divided into three sections:

  1. Preparing Security Center
  2. Preparing Okta
  3. Integrating Security Center with Okta

Security Center offers assisted identity provider configuration to ease third-party authentication with Okta. It provides the relevant information needed for the configuration.
NOTE: When you create an Authentication Service role with Provider:Other, Security Center does not offer much assistance in the identity provider configuration.
Creating a role: Authentication Service window in Config Tool shows assisted identity provider configuration.
At each step, the configuration wizard helps you with the following tasks:
  • Locating the properties in the Okta Admin Console
  • Understanding the significance of each property
  • Validating the properties before you can proceed
  • Accessing corresponding help topics

To implement third-party authentication, you must have administrator rights in Security Center and Okta.

IMPORTANT: This sample integration might differ from your requirements and the Okta Admin Console is subject to change. When setting up Okta, ensure that all steps are adapted to your specific situation.

1 - Preparing Security Center

  1. Open Config Tool and connect to the Security Center main server as an administrator.
  2. From the Config Tool homepage, open the System task and click the Roles view.
  3. Click Add an entity () > Authentication Service.
    Add an entity menu in Config Tool, with the Authentication Service role highlighted.

    The Creating a role: Authentication Service window opens.

  4. In the Specific info section, select the identity provider and the authentication protocol and click Next.
    Provider
    Okta
    Protocol
    SAML 2.0
    Creating a role: Authentication Service window in Config Tool, with the Okta identity provider and the SAML 2.0 protocol selected.
  5. Enter a name and optional description for the new Authentication Service role and click Next.
    Creating a role: Authentication Service window in Config Tool shows the Basic information fields for Okta.
  6. If there are partitions in your system, select the partition of which this role is a member and click Create.

    Partitions determine which Security Center users have access to this entity. Only users who have been granted access to the partition can see this role.

  7. From the App registration page, copy the redirect and logout URIs.

    For more information, see About role endpoints configuration.

  8. Click Suspend > Save.
    NOTE: The Suspend button allows you to save and exit the configuration wizard temporarily. You can suspend the configuration at any time during the process.
  9. On the Security Center main server, follow the instructions for your operating system to export the public key certificate used by the Security Center main server in X.509 format.
    NOTE: The certificate Common Name (CN) or Subject Alternative Name (SAN) must match the hostname, IP address, or Fully Qualified Domain Name (FQDN) that is used in the redirect and logout URIs.

    This public key is required by Okta to enable Single Logout. The Security Center certificate is shown in the Secure communication section on the Server Admin - Main server page.

    Server Admin - Main server page shows the Secure communication section.
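The note in step 9 is the one that most often breaks Single Logout later: the certificate name must cover whatever host appears in the redirect and logout URIs, and an IP address in a URI is only covered by an IP-address SAN entry, not by a DNS name. The following added example (not code from the Security Center documentation) applies that rule offline. It assumes you have already read the certificate's CN and SAN entries off the Server Admin page or from `openssl x509 -noout -subject -ext subjectAltName`; the certificate names and URIs in the block are constructed sample values, and the URI paths are placeholders rather than Security Center's real endpoint paths.

```python
"""Check that the Security Center server certificate's names (CN plus SAN
entries) cover every host used in the redirect and logout URIs.

Added example, not from the Security Center documentation. Certificate names
and URIs below are constructed; the URI paths are placeholders."""
import ipaddress
from urllib.parse import urlsplit


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, a wildcard is allowed only
    as the whole leftmost label, and it matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    rest = pattern[2:]                      # labels to the right of the wildcard
    labels = host.split(".")
    # Require at least two labels after the wildcard (reject "*.com") and a
    # non-empty leftmost host label.
    return "." in rest and len(labels) >= 2 and labels[0] != "" \
        and ".".join(labels[1:]) == rest


def cert_covers_host(cert_names: list, host: str) -> bool:
    """cert_names: the CN and every SAN entry (DNS names and IP addresses).
    An IP address host is covered only by an equal IP-address entry."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    for name in cert_names:
        if ip is not None:
            try:
                if ipaddress.ip_address(name) == ip:
                    return True
            except ValueError:
                continue                    # a DNS name never covers an IP host
        elif _dns_name_matches(name, host):
            return True
    return False


def check_endpoint_uris(cert_names: list, uris: list) -> dict:
    """Map each redirect/logout URI to whether the certificate covers its host."""
    result = {}
    for uri in uris:
        host = urlsplit(uri).hostname       # drops scheme, port, path, brackets
        result[uri] = host is not None and cert_covers_host(cert_names, host)
    return result


# Constructed sample certificate names and endpoint URIs (paths are placeholders).
SAMPLE_CERT_NAMES = ["sc-main.example.com", "*.example.com", "192.0.2.10"]
SAMPLE_URIS = [
    "https://sc-main.example.com/redirect-placeholder",
    "https://sc-main.example.com/genetec",
    "https://192.0.2.10/genetec",
    "https://sc-main/genetec",              # short hostname: not in the certificate
]

if __name__ == "__main__":
    for uri, ok in check_endpoint_uris(SAMPLE_CERT_NAMES, SAMPLE_URIS).items():
        print(("covered    " if ok else "NOT covered"), uri)
```

Run it before uploading the certificate to Okta: any URI reported as not covered means either the URIs or the certificate should be changed so that the same name is used on both sides.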

2 - Preparing Okta

Before completing these steps in the Okta Admin Console, you must have the following prerequisites:
  • Have an Okta administrator account.
  • Have provisioned at least one user.
  • Have provisioned at least one user group that contains the users you want to grant access to Security Center.

  1. In the Okta Admin Console, select Applications > Applications and then click Create App Integration.
    Okta Admin Console shows the Create App Integration button on the Applications page.
  2. In the Create a new app integration wizard, select SAML 2.0 and click Next.
    Create a new app integration wizard in the Okta Admin Console, with SAML 2.0 selected.
  3. In the Create SAML Integration wizard, enter the App name and click Next.
    New Web App Integration page in the Okta Admin Console, with callouts to App integration name and Grant type.
  4. On the Configure SAML page, set the following:
    • Single sign on URL: Copied from the redirect URIs in Security Center
      NOTE: If more than one URI is required, deselect Use this for Recipient URL and Destination URL and enter the additional URIs as needed.
    • Audience URI (SP Entity ID): Enter urn:SecurityCenter
    • Name ID format: Select Persistent
    Configure SAML page in the Okta Admin Console, with callouts to Single sign on URL, Audience URI, and Name ID format.
  5. Still in the SAML Settings section, click Show Advanced Settings and set the following:
    Signature Certificate
    Upload the public key certificate exported from Security Center.
    Enable Single Logout
    Select the Allow application to initiate Single Logout option.
    Single Logout URL
    Copy the /genetec endpoint from the logout URIs in Security Center.
    SP Issuer
    Enter urn:SecurityCenter
    Configure SAML page in the Okta Admin Console, with callouts to Single Logout settings.
  6. In the Attribute Statements section, set the following:
    Name
    login
    Name format
    URI Reference
    Value
    user.login
    Configure SAML page in the Okta Admin Console, with a callout to Attribute Statements.
  7. In the Group Attribute Statements section, set the following:
    Name
    groups
    Name format
    URI Reference
    Filter
    Matches regex .*
    NOTE: The Matches regex filter with .* returns all groups to which the authenticated user belongs.

    If required, you can also use this filter to exclude certain groups. At least one group assigned to Security Center must be included to grant access.

    Configure SAML page in the Okta Admin Console, with a callout to Group Attribute Statements.
  8. Click Next.
  9. On the Feedback page, select I'm an Okta customer adding an internal app, provide optional feedback, and click Finish.
  10. On the Sign On page for your application, do the following:
    1. Copy the Metadata URL.

      This is required by the Authentication Service role in Security Center.

    2. Click View SAML setup instructions.
    Application Sign On page in the Okta Admin Console, with callouts to Identity Provider metadata and View Setup Instructions.
  11. On the How to Configure SAML 2.0 for <application> page, download the X.509 Certificate.
  12. On the Assignments page for your application, assign the Security Center user groups to the application.
    Application Assignments page in the Okta Admin Console shows group assignments.

3 - Integrating Security Center with Okta

  • Before configuring an Authentication Service in Security Center, you must register the redirect and logout URIs in the Okta Admin Console.
  • The system validates the properties at each step before you can proceed.

  1. In Config Tool, select the Authentication Service role created earlier and click Configuration.

    The App registration page of the Creating a role: Authentication Service window opens and you can resume the configuration.

  2. On the App registration page, click Next.
  3. On the Communicate with provider page, click Start.
  4. In the Metadata section, enter the metadata URL and click Next.

    The metadata URL is available under the Sign On page in your Okta application.

  5. In the Communicate with provider section, select the following properties:
    Issuer
    Enter the Identity Provider Issuer that was copied from Sign On > View SAML setup instructions in Okta.
    Audience
    Available from General > Audience Restriction in Okta.

    Creating a role: Authentication Service window in Config Tool shows the Communicate with provider settings.

  6. Click Next.
  7. On the Accepted domains page, configure the Default provider option:
    • This option is turned off by default. When it is turned off, you must add at least one domain name; only users whose login belongs to a listed domain can authenticate using this Authentication Service.

      Creating a role: Authentication Service window in Config Tool shows the Accepted domains settings.

    • Turn on the Default provider option to use this identity provider to authenticate users from all domains.

      If you have multiple Authentication Service roles, only one role can be set as the default provider, and this option is disabled for all other roles.

      CAUTION:
      Turning on the Default provider option deletes all domain names that were previously added.
  8. Specify whether to use this identity provider as a logon option.

    If you select Yes, enter the name of the identity provider to be displayed on the logon screen with the text "Sign in with <display name>".

  9. Click Next.
  10. On the Claims and scopes page, enter the following properties:
    Username claim
    login
    Group claim
    groups
  11. Click Next.
  12. On the Groups page, click Add an item (), select an existing group or create a new user group, and click Next.
    Tip: You can export the list of active users from the Okta Admin Console as a CSV file and import the group into Security Center. You can add one or more Security Center user groups with the same name or unique identifier as the groups assigned to the Security Center application in Okta.
  13. On the Test the configuration page, click Test logon to validate the configuration, and click Next.

    For more information, see Testing a third-party authentication setup.

  14. On the Creation outcome page, verify that the information is correct and click Next > Close.
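The two halves of this procedure have to agree on three things: the attribute names Okta emits (login and groups, section 2, steps 6 and 7) must be the claim names Security Center reads (section 3, step 10), the user's domain must pass the Accepted domains rule (step 7), and at least one emitted group must match a Security Center user group (step 12). The following added example (not code from the Security Center or Okta documentation) walks one assertion through that mapping from both sides, so that a failing Test logon can be reasoned about offline. It assumes Okta's "Matches regex" group filter is a full match, matches Security Center groups by name only, and uses a constructed, unsigned AttributeStatement; real Okta assertions are signed and carry more elements, and Security Center's own claim handling is not reproduced.

```python
"""Okta side: emit the login and regex-filtered groups attribute statements.
Security Center side: read the configured claims, apply the accepted-domains
rule and the group match.

Added example, not from the Security Center or Okta documentation. The
assertion fragment is constructed and unsigned; the group filter is assumed
to be a full-string regex match; groups are matched by name only."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"  # "URI Reference"
ET.register_namespace("saml2", SAML_NS)


def okta_attribute_statement(login, groups, group_filter):
    """Render the AttributeStatement for the attribute statements configured in
    section 2: Name 'login' = user.login, Name 'groups' = the user's groups
    that pass the 'Matches regex' filter (assumed to be a full match)."""
    kept = [g for g in groups if re.fullmatch(group_filter, g)]
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")

    def add(name, values):
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             Name=name, NameFormat=URI_NAME_FORMAT)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value

    add("login", [login])
    add("groups", kept)
    return ET.tostring(stmt, encoding="unicode")


def security_center_evaluate(assertion_xml, username_claim, group_claim,
                             accepted_domains, default_provider, sc_groups):
    """Return (username, matched_groups, reason). Access requires the user's
    domain to be accepted (or the role to be the default provider) and at
    least one group claim value to match a Security Center user group."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        claims[attr.get("Name")] = [v.text or "" for v in
                                    attr.iter(f"{{{SAML_NS}}}AttributeValue")]
    username = (claims.get(username_claim) or [None])[0]
    if username is None:
        return None, [], "username claim missing"
    if not default_provider:
        domain = username.rpartition("@")[2].lower() if "@" in username else ""
        if domain not in {d.lower() for d in accepted_domains}:
            return username, [], f"domain {domain!r} not accepted"
    matched = [g for g in claims.get(group_claim, []) if g in sc_groups]
    if not matched:
        return username, [], "no group matches a Security Center user group"
    return username, matched, "ok"


# Constructed sample data: the user's Okta groups and the Security Center groups.
SAMPLE_GROUPS = ["Everyone", "SC-Operators", "Finance"]
SC_GROUPS = {"SC-Operators", "SC-Admins"}
ACCEPTED = ["example.com"]


def demo():
    """Four outcomes: regex .*; a restrictive regex; a rejected domain; default provider."""
    xml_all = okta_attribute_statement("alice@example.com", SAMPLE_GROUPS, r".*")
    xml_sc_only = okta_attribute_statement("alice@example.com", SAMPLE_GROUPS, r"SC-.*")
    return (
        security_center_evaluate(xml_all, "login", "groups", ACCEPTED, False, SC_GROUPS),
        security_center_evaluate(xml_sc_only, "login", "groups", ACCEPTED, False, SC_GROUPS),
        security_center_evaluate(xml_all, "login", "groups", ["other.example"], False, SC_GROUPS),
        security_center_evaluate(xml_all, "login", "groups", [], True, SC_GROUPS),
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The restrictive filter case shows the point of the note under step 7 of section 2: narrowing the regex to the groups Security Center needs keeps unrelated group memberships out of the assertion, as long as at least one assigned group still passes; a filter that strips every Security Center group yields the "no group matches" outcome even for a valid user.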