AIG SAML Integration With Okta
Adeptia Connect Cloud Configuration Document
Learning Objective
In this documentation, we will focus on integrating Adeptia Connect with Okta, a leading Identity Cloud platform known for its security and neutrality. We will explore how to configure Adeptia Connect to work with Okta as an IDP, as well as the process for adding additional IDPs if needed. By the end of this session, you'll be equipped to implement a robust SSO solution within your organization's Adeptia Connect environment, ensuring streamlined access while maintaining security.
Introduction
In today's digital landscape, ensuring secure and efficient user authentication across multiple platforms is critical. Single Sign-On (SSO) simplifies the user experience by allowing one set of credentials to access multiple applications. Adeptia Connect 4.x supports SSO through SAML, an XML-based protocol that allows the secure exchange of authentication data between an Identity Provider (IDP) and a Service Provider (SP).
Requirement
Implement single sign-on in Adeptia Connect 4.x using SAML with multiple IDPs. This document integrates Okta (an independent, neutral Identity Cloud platform) as the IDP and uses SAML for single sign-on into Adeptia Connect.
Implementation Steps
Below are the high-level steps of SAML integration with Okta in Adeptia Connect.
Creating Application in Okta
Sign up in Okta and create a company domain.
Activate your account using the email Okta sends to your registered email address, then log in to Okta with your credentials.
Expand Applications > Click on Applications > Select Create App Integration
Click Add Application and create an application with the sign-on method SAML 2.0.
Configure General Settings, add a Name, and click Next.
Uploading Connect Portal SP MetaData into Okta Server
Configure the Single Sign-on URL of the Connect portal and the Audience URI (SP Entity ID). To obtain both values, first open the URL <protocol_name>://<ip_address>:<port_number>/saml2/service-provider-metadata/<registration_Id>
This downloads the file "spring_saml_metadata.xml".
For example: https://<<AIG domain name>>/saml2/service-provider-metadata/default
Open the downloaded SAML metadata file and copy the value of "entityID".
Entity ID
Login URL
Logout URL
Configure the feedback option and click Finish.
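As an added example (not part of this document or of the Adeptia product), the following Python script reads the downloaded spring_saml_metadata.xml and pulls out the values Okta asks for: the Audience URI (entityID), the Single sign-on URL (the AssertionConsumerService location) and the logout URL (the SingleLogoutService location). The embedded sample metadata and its host name are constructed placeholders; pass a real file path as the first argument to parse the downloaded file instead.

```python
import sys
import xml.etree.ElementTree as ET

# SAML metadata namespace used by the generated SP metadata.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample shaped like the spring_saml_metadata.xml the portal serves;
# the host name is a placeholder, not a real AIG endpoint.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://aig-dev.example.invalid/saml2/service-provider-metadata/default">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://aig-dev.example.invalid/logout/saml2/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://aig-dev.example.invalid/login/saml2/sso/default" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_values(xml_text: str) -> dict:
    """Return the Audience URI (entityID), Single sign-on URL (ACS) and logout URL
    to enter in Okta, plus whether the SP insists on signed assertions."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # An IDPSSODescriptor here would mean the IdP file was opened by mistake.
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID"),
        "login_url": acs.get("Location") if acs is not None else None,
        "logout_url": slo.get("Location") if slo is not None else None,
        # "false" here would let an IdP send unsigned assertions; worth checking.
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    # Use the downloaded metadata file when a path is given, else the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SP_METADATA
    for key, value in extract_sp_values(text).items():
        print(f"{key}: {value}")
```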
Placing IdP Metadata within Adeptia Connect
When you finish, you are taken to the SAML Sign On tab; click View Setup Instructions to see the IDP metadata.
Copy the IDP metadata shown there and save it as Idp.xml.
Place this file in the SAML folder of the Adeptia Connect directory.
Enabling SAML in Adeptia Connect
Log in to the Connect Portal, enable SAML for the application using the link below, and restart the Portal microservices.
Assigning and Creating Users in Okta and Adeptia Connect: Go to Assignments and assign your app to the user. The same user must be created in Adeptia Connect as a Partner User. Roles can also be configured in Okta; Okta sends them to the Adeptia application as an attribute, for example:
<saml2:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">North America Program Onboarding Design,North America Program Onboarding Approver</saml2:AttributeValue>
</saml2:Attribute>
Now when you open the AIG DEV application URL, it redirects to the Okta sign-in page. Log in to Okta and it redirects you back to the application.
In the application, the user is logged in with the default role assigned at the time of user creation in Adeptia Connect.
If the user has more than one role in the application, then after redirecting to the application it gives the option to select the role with which the user wants to log in.
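As an added example (not the product's own code), this Python snippet reads the Roles attribute shown above out of an assertion and applies the login behaviour just described. Okta sends the roles comma-joined in a single AttributeValue, but SAML also allows one AttributeValue per role, so the parser splits both forms; the assumption that roles unknown to the application are ignored and the "Partner" default role are mine, not the document's.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed fragment mirroring the Roles attribute as Okta sends it.
ATTRIBUTE_STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"
        >North America Program Onboarding Design,North America Program Onboarding Approver</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def roles_from_assertion(xml_text: str, attr_name: str = "Roles") -> list[str]:
    """Collect role names from the named attribute anywhere in the XML.
    Handles both a comma-joined value and one AttributeValue per role."""
    root = ET.fromstring(xml_text)
    roles: list[str] = []
    for attr in root.iter(f"{{{NS['saml2']}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.iterfind("saml2:AttributeValue", NS):
            for role in (value.text or "").split(","):
                role = role.strip()
                if role and role not in roles:
                    roles.append(role)
    return roles


def resolve_login_role(asserted: list[str], known_roles: set[str], default_role: str):
    """One usable role logs the user straight in, several require a choice, and
    none falls back to the role assigned at user creation. Filtering against the
    roles the application knows is an assumption added for safety, not page text."""
    usable = [r for r in asserted if r in known_roles]
    if not usable:
        return ("default", default_role)
    if len(usable) == 1:
        return ("login", usable[0])
    return ("choose", usable)


if __name__ == "__main__":
    roles = roles_from_assertion(ATTRIBUTE_STATEMENT)
    print(roles)
    print(resolve_login_role(roles, set(roles), "Partner"))
```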
IDP SSO Initiated URL
After successful integration with Okta, we can also use the IDP SSO Initiated URL to log in to the AIG DEV Adeptia application. Go to the App Embed Link.
Reference: 1. Okta Documentation Link: https://www.okta.com/integrate/documentation/saml/
AIG AC4 OKTA SAML SSO Configuration (Internal Configurations)
Go to the portal deployment value.yaml.
Search for the property SAML_SSO_ENABLE and change the value from 'false' to 'true' to enable SAML SSO in AC4.
Then search for the SAML_SSO_METADATA_GENERATOR_ENTITY_BASE_URL property and change the default value (https://ac-webapp-gateway) to the application URL, for example https://aig-dev.adeptia.com.
Then search for the SAML_SSO_IDPS_CONFIGURATION_0_METADATA_LOCATION property and set it to the client IDP metadata XML file:
file:///shared/SAML/<<client metadata file>>
SAML_SSO_IDPS_CONFIGURATION_0_METADATA_LOCATION
Value: file:///shared/SAML/Okta_metadata-Adeptia.xml
This parameter points to the metadata file for the first SAML IdP configuration. The file is named "Okta_metadata-Adeptia.xml" and is stored in the /shared/SAML/ directory.
SAML_SSO_IDPS_CONFIGURATION_0_REGISTRATION_ID
Value: default
This parameter sets the registration ID for the first SAML IdP configuration. The value "default" likely indicates that this is the primary or default SAML IdP; it is the <registration_Id> segment of the SP metadata URL above.
SAML_SSO_IDPS_CONFIGURATION_1_METADATA_LOCATION
Value: file:///shared/SAML/SAML-AIG-Adeptia-Dev.xml
This parameter points to the metadata file for the second SAML IdP configuration. The file is named "SAML-AIG-Adeptia-Dev.xml" and is stored in the /shared/SAML/ directory.
SAML_SSO_IDPS_CONFIGURATION_1_REGISTRATION_ID
Value: Azure
This parameter sets the registration ID for the second SAML IdP configuration. The value "Azure" indicates that this configuration is associated with an Azure-based SAML IdP.
Add the following property to the portal deployment for Okta SSO:
name: SAML_SSO_METADATA_GENERATOR_ENTITY_ID
value: testing (example value)
Import the client Okta certificate (.cer) into the Adeptia truststore (cacerts) file (optional).
You can download the AIG-DEV application (SP) metadata using the following link: <protocol_name>://<ip_address>:<port_number>/saml2/service-provider-metadata/<registration_Id>
For example: https://aig-dev.adeptia.com/saml2/service-provider-metadata/default
"We successfully logged into the application with custom roles configured in Okta, but role switching is disabled when using a custom bean class and enabled when using the default bean class." To achieve role switching, apply the solution below.
Solution: Set the property SAML_SSO_ROLE_SWITCHING_ENABLE to true. After successfully logging in to the AIG application with a custom role, the switch-role functionality is then available as well.