Setup SAML Identity Source via miniOrange Broker Service

Setup Okta as IDP for miniOrange Broker Service

Published August 20, 2018; last updated September 15, 2019.

You can configure any IdP that supports SAML, such as Okta, OneLogin, ADFS or Azure AD, to single sign-on into apps that do not support SAML (or any single sign-on protocol at all). Using our broker service you can likewise SSO into any app that supports another protocol, such as OAuth, OpenID Connect or JWT.

Here we give the steps to configure Okta as the IdP and connect it to the miniOrange broker for single sign-on into WordPress using the SAML protocol.

Note: Switch to the Classic UI from the Developer Console by selecting Developer Console in the upper right corner.

Steps:-
1. Go to the Okta Developer site and navigate to Add Application, or use the following URL: https://okta-domain-name/admin/apps/add-app

2. Click on Create New App. In the popup that appears, select SAML 2.0 and click Create.


3. Add the App name, then click Next.

4. Now use the following URLs for the Single sign-on URL and Audience URI (SP Entity ID) when creating the App. Add the values for your version:

For Cloud Version

Single sign on URL: https://login.xecurify.com/moas/broker/login/saml/acs/<Your-customer-id>
Audience URI (SP Entity ID): https://login.xecurify.com/moas

For On-Premise Version

Single sign on URL: http://<Your-Company-domain-name>/broker/login/saml/acs/<Your-customer-id>
Audience URI (SP Entity ID): http://localhost:8080

(In case of IdP-initiated SSO using the miniOrange broker)

Single sign on URL: https://logins.xecurify.com/moas/login?id=<Your-customer-id>
Audience URI: https://login.xecurify.com/moas

For the Customer ID, select Settings and copy the Customer Key from the Server Settings section.

5. Add Attribute Statements and Group Attribute Statements if required, then click Next.

6. Select the Okta configuration type and click Finish.

7. Navigate to the Assignments tab in Okta. Click Assign and select Assign to People. Select the user in the popup and click Done. You can also assign groups if required.

8. Now navigate to the Sign On tab in Okta and select View Setup Instructions. This opens a new tab containing the Identity Provider Single Sign-On URL, the Identity Provider Issuer and the X.509 Certificate. Copy these values; they are required when adding the Identity Source in miniOrange.

9. Now log in to Your-Domain and navigate to “Identity Provider -> Add Identity Source -> SAML”.

10. Enter the IdP Display Name and IdP Identifier. Also add the following details:

IdP Entity ID: Identity Provider Issuer from Okta
SAML SSO Login URL: Identity Provider Single Sign-On URL from Okta
X.509 Certificate: X.509 Certificate from Okta

11. Click Save.

Now you have set up the connection between your IdP and miniOrange. Next, set up the connection between miniOrange and the SP.
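As an added example that is not part of the miniOrange documentation, the following Python snippet shows the kind of check the broker side must perform on every SAML Response once the values from steps 4 and 10 are in place: the Destination must equal the ACS URL, the Issuer must equal the IdP Entity ID copied from Okta, and the Audience must include the SP Entity ID. The customer id, the Okta issuer value and the sample response are constructed for illustration; verifying the XML signature with the Okta X.509 certificate from step 8 is assumed to happen separately.

```python
# Added example (not miniOrange or Okta code): SP-side sanity check that a
# SAML Response is addressed to the broker values entered in steps 4 and 10.
# Signature verification with the Okta X.509 certificate is NOT done here.
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Cloud-version values from the page; customer id and Okta issuer are assumed.
CONFIG = {"idp_entity_id": "http://www.okta.com/exkEXAMPLE",
          "acs_url": "https://login.xecurify.com/moas/broker/login/saml/acs/12345",
          "sp_entity_id": "https://login.xecurify.com/moas"}

# Constructed, unsigned sample response (not a real Okta capture).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://login.xecurify.com/moas/broker/login/saml/acs/12345">
 <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-09-15T10:00:00Z">
  <saml:Conditions NotBefore="2019-09-15T09:55:00Z" NotOnOrAfter="2019-09-15T10:05:00Z">
   <saml:AudienceRestriction>
    <saml:Audience>https://login.xecurify.com/moas</saml:Audience>
   </saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing Z; make them comparable datetimes.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, config, now):
    """Return the list of problems found; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination is not the configured ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        problems.append("Issuer is not the configured IdP Entity ID")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["Assertion has no Conditions element"]
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        problems.append("Audience does not include the SP Entity ID")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its validity window")
    return problems
```

A response that fails any of these checks, or whose signature does not verify against the Okta certificate, must be rejected before any session is created.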


Signed SAML AuthN Request:

You can choose to enable signed SAML AuthN requests so that the IdP can verify that the request contents have not been altered in transit.

Steps to configure:

1. Go to “Identity Providers” tab and choose the Identity Provider added above.

2. Find the option “Sign SAML request” and enable it.

3. Signature Algorithm:

Choose the Signature Algorithm from the supported options, SHA-256 and SHA-1. SHA-256 is the stronger choice; SHA-1 is deprecated for signatures and should only be used if the IdP cannot accept SHA-256.

4. Configure Signing certificate in IdP:

Download the signing certificate with the steps below and configure it in your Identity Provider so it can verify signed AuthN requests.

a. Go to “Identity Providers” tab

b. Find your configured IdP

c. Click “Certificate” link to download the certificate.

d. Configure the downloaded certificate in your IdP (e.g. Okta).


Single Logout (SLO):

Single Logout ensures that all sessions (SP and IdP) for a user are properly closed.

A. Configure miniOrange with IdP SLO endpoint:

a. Go to the “Identity Provider” tab and edit the configured Identity Provider.

b. Find the option “Single Logout URL” and enter the SLO URL provided by your IdP.

B. Configure IdP with miniOrange SLO endpoint:

Configure your Identity Provider with the Single Logout endpoint below.

https://login.xecurify.com/moas/broker/login/saml_logout/<your-customer-id>

Use the “SSO Binding” option to set the logout binding type to either REDIRECT or POST.