Okta - SAML Configuration - Onna Hosted

SAML 2.0 Integration

Onna offers Single Sign On (SSO) integration through SAML 2.0 (Secure Assertion Markup Language) with a variety of compliant identity providers, allowing you to leverage your existing user base and authentication mechanism to use the platform. There are only a few steps required to conﬁgure your Identity Provider (IdP) using the Onna Admin dashboard.

This guide walks you through setting up Onna as a Service Provider (SP). You will ﬁll-in information about your Identity Provider (IdP), the external 3rd party which your users will sign-in through, and will return credentials back to Onna in the form of a SAML assertion. On the other end, you will also need to conﬁgure your IdP to establish communication with the Onna SP. By default, provisioning is enabled for your account. The default role in Onna for users created by provisioning is ‘user’. In the event you wish to turn off provisioning for an account, please contact the Onna Support Team.

Once provisioning has been turned off, if a user has not been provisioned in Onna and attempts to use SSO identity to sign in, they will have no permissions until an Onna admin conﬁgures an Onna user for this identity.

To get started, open the Admin Preferences → Account → SAML with the proper administrator user:

The following settings are conﬁgurable under the SAML section.

Identity provider/IdPName: Choose any name that you prefer to identify this Identity Provider (IdP). We’ll refer to this value as IdPName in the rest of the document.
- This name will be displayed to the users in a selection box should you have more than one IdP. We suggest providing the ID in the following format:
  - youraccountname-identifyprovider
  - Example of how the IdP ID / IdPName should look: companyname-okta
IdP Issuer: The identity provider’s URL
SSO URL: The single sign-on URL of the SAML Identity Provider Login page that your users will be redirected to for logging in.
Certiﬁcate: The public x509 certiﬁcate of the SAML Identity Provider.

The next step is to conﬁgure your IdP so that it can establish communication with the Onna service provider. Below are the items that need to be conﬁgured. There are only a few items you need to ﬁll in with the main ones shown below:

Onna Audience Restriction URL:

https://enterprise.onna.com/auth/oauth/saml/metadata?idpId=IdPName
IdPName needs to be replaced with the name you chose to identify your IdP

Onna SAML Assertion Consumer Service:

https://enterprise.onna.com/auth/oauth/saml/?acs

Name id format:

The required nameid format is "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", so an email address is needed to identify the user in the system.
The email address must match exactly to the case for the user’s authentication to work. If the user was created in Onna with an all lowercase email, the id sent from your identity manager must also be lowercase.

All attributes listed below are required to complete the SAML conﬁguration with Onna.

user_id : email address
sn: last name
cn: ﬁrst Name
email: email address

Note:
The email address must match the letter case for the user’s authentication to work. If the user was created in Onna with an all lower case email, the id sent from your identity manager must also be lower case. In Okta, you can use the expression as String.toLowerCase(user.email) in user_id and email attributes to pass lowercase values.
Enabling Sign in through IdP

Enabling Sign in through IdP

In order to use an Okta ‘chiclet’ or similar solution, you must provide a value for the Default Relay State.

Default Relay State:

https://enterprise.onna.com/youraccount/signin?idpId=IdPName&scope s=youraccount
youraccount needs to be replaced by the account name in your Onna URL.
IdPName needs to be replaced with the name you chose to identify your IdP (see page 2 for more information)

Setting up Okta:

Here is a sample workﬂow using Okta as an Identity Management tool.

Create a new SAML 2.0 application in Okta
Give your app a name.
Conﬁgure SAML -There are a few items you need to ﬁll in - please see below.
- Single Sign-on URL: https://enterprise.onna.com/auth/oauth/saml/?acs
- Recipient: https://enterprise.onna.com/auth/oauth/saml/?acs
- Destination URL: https://enterprise.onna.com/auth/oauth/saml/?acs
- Audience Restriction URL: https://enterprise.onna.com/auth/oauth/saml/metadata?idpId=IdPName
  - IdPName needs to be replaced with the name you chose to identify your IdP (see page 2 for more information)
- Default Relay State: https://enterprise.onna.com/youraccount/signin?idpId=IdPName&scopes=your account
  - youraccount needs to be replaced by the account name in your Onna url.
  - IdPName needs to be replaced with the name you chose to identify your IdP (see page 2 for more information)
Only the attributes listed below are required to complete the SAML conﬁguration with Onna:
- user_id : email address
- sn: last name
- cn: ﬁrst Name
- email: email address
Note:
The email address must match the letter case for the user’s authentication to work. If the user was created in Onna with an all lower case email, the id sent from your identity manager must also be lower case. In Okta, you can use the expression as String.toLowerCase(user.email) in user_id and email attributes to pass lowercase values.
The next screen prompts: you are a customer (the rest of the questions are optional).
Click the View Setup Instructions button.
Use the values to complete the SSO setup in your Onna conﬁguration.
In Onna, the completed conﬁguration:

Delete SAML and SSO:

You can delete your own SAML and SSO conﬁguration in Onna from the Admin preferences.
To get started, open the Admin Preferences → Account → SAML with the proper administrator user.
Click on ‘Identity Provider’ and from the dropdown select the conﬁguration you would like to remove.
At the bottom of the screen, click ‘delete’ to permanently remove the SAML conﬁguration in Onna.

Okta - SAML Configuration - Onna Hosted - Enterprise