Configure Okta SAML Authentication for BeyondInsight and Password Safe
Configuring BeyondInsight and Password Safe to use Okta SAML authentication involves two parts: configuring the SAML application with the BeyondInsight SAML information in the Okta admin portal, and then configuring the SAML identity provider settings for Okta in the BeyondInsight console. Each part is detailed in the sections below.
Configure SAML Application in Okta
To configure a new SAML application for BeyondInsight and Password Safe in Okta, follow the below steps.
- Click Create New App.
- Select SAML 2.0 as the sign-in method.
- Click Create.
- Enter the application name, and then click Next.
- Enter the single sign-on URL:
- Check the Use this for Recipient and Destination URL box.
- Enter the audience URI (SP entity ID):
- From the Application username list, select Okta username.
SLO Optional Setting
- Click Show Advanced Settings.
- Select Enable Single Logout.
- Fill in the Single Logout URL:
- Fill in the SP Issuer: HTTPS://<FQDN>/eEye.RetinaCSSAML/.
- Select the SP Public Certificate.cer certificate.
- Click Upload Certificate.
- Add attributes, and then click Next.
  - Name: (required)
  - Email: (optional)
  - GivenName: (optional)
  - Surname: (optional)
  - Group: (required) - Set as a literal. This must match the group created in BeyondInsight or imported from AD. If an AD group is used, it must match the BI format Domain\GroupName.
- Select appropriate settings for Okta support, and then click Finish.
Find IdP Information
- Click View Setup Instructions.
- Copy the Identity Provider Single Sign-On URL. Save the value to be used in the next step.
- Copy the Identity Provider Issuer. Save the value to be used in the next step.
- Click Download certificate.
Configure SAML Identity Provider in BeyondInsight
To configure a new SAML identity provider for Okta in BeyondInsight, follow the below steps.
- Navigate to Configuration > Authentication Management > SAML Configuration.
- From the SAML Identity Providers pane, click Create New SAML Identity Provider.
- Provide a name for the new SAML identity provider (IdP).
- Complete the Identity Provider Settings as follows:
  - Check the Default Identity Provider option if you have more than one IdP for the same service provider (SP) and would like this IdP to be used as the default for SP-initiated logins. This is useful when a user accesses the SAML site access URL without providing an IdP. Also, when a user clicks the Use SAML Authentication link from the BeyondInsight login page, they are redirected to the default IdP's site for authentication.
  - Identifier: Enter the Okta value Identity Provider Issuer.
  - Single Sign-on Service URL: Enter the Okta value Identity Provider Single Sign-On URL.
  - SSO URL Protocol Binding: Select HTTP Post as the type.
  - Single Logout Service URL: Enter the Okta value Identity Provider Single Logout URL.
  - SLO URL Protocol Binding: Select HTTP Post as the type.
  - Encryption and Signing Configuration: Check applicable boxes to enable options, based on your Okta settings. A typical configuration is shown; however, depending on your Okta settings, some configuration selections may be different.
  - Signature Method: Select the method, as is required by Okta.
  - Current Identity Provider Certificate: Upload the Okta X.509 certificate.
  - User Mapping: Select the type of user account from the dropdown. This indicates how user claims from the SAML provider are mapped in the BeyondInsight User database.
    - None: This is the legacy type of mapping, which is not based on the type of user.
    - Local: Select this option for local user account claims. BeyondInsight maps the user and group name.
    - Azure Active Directory: Select this option for Azure Active Directory user account claims. When selected, BeyondInsight maps the ObjectID attribute to the AppUser and UserGroup attributes for the user.
    - Active Directory: Select this option for Active Directory user account claims. If the claims are configured to pass the SID of the user and group, BeyondInsight maps the SID for the user and group, which is preferred over mapping domain name and group name attributes.
- The following Service Provider Settings are auto-generated by BeyondInsight:
  - Entity ID: This is the fully qualified domain name, followed by the file name: https://<serverURL>/eEye.RetinaCSSAML/. This is used for audience restriction.
  - Assertion Consumer Service URL: The HTTPS endpoint on the service provider to which the identity provider redirects with its authentication response.
- Click Create SAML Identity Provider.
Once the SAML configuration is saved, a public SP certificate is available to download. It can be uploaded to the IdP if required.
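When a login fails after this setup, the usual causes are an assertion whose Audience does not match the auto-generated Entity ID, or a Group value that does not arrive in the Domain\GroupName form BeyondInsight expects (see the Okta attribute step above). The following added example, which is not part of BeyondTrust's or Okta's own tooling, checks a decoded SAML assertion for exactly those points; the function name check_assertion, the host bi.example.test and the sample assertion are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the SAML 2.0 assertion element
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attributes the Okta app is configured to send (Name and Group are required)
REQUIRED_ATTRS = ("Name", "Group")
# BeyondInsight expects AD-backed groups as Domain\GroupName
AD_GROUP_RE = re.compile(r"^[^\\\s]+\\[^\\]+$")

# Constructed sample assertion (not captured from a real IdP); the host is made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://bi.example.test/eEye.RetinaCSSAML/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Name"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group"><saml:AttributeValue>EXAMPLE\\PasswordSafeUsers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, sp_entity_id, expect_ad_group=False):
    """Return a list of findings; an empty list means the assertion matches the SP setup."""
    findings = []
    root = ET.fromstring(xml_text)
    # The Audience must equal the Entity ID BeyondInsight generated for the SP.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        findings.append(f"audience {audiences} does not match SP entity ID {sp_entity_id}")
    # Collect attribute name -> values from the AttributeStatement.
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            findings.append(f"required attribute {name} is missing or empty")
    # An AD-backed group must arrive as Domain\GroupName to match the BI group.
    if expect_ad_group:
        for group in attrs.get("Group", []):
            if not AD_GROUP_RE.match(group):
                findings.append(f"group {group!r} is not in Domain\\GroupName format")
    return findings


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://bi.example.test/eEye.RetinaCSSAML/", True))
```

Feed it the base64-decoded assertion from a SAML trace of a failing login, together with the Entity ID shown under Service Provider Settings, to see which of the two mismatches applies.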
Disable Forms Login
In environments where SAML, smart card, or claims-aware authentication is configured, we recommend enabling the Disable Forms Login authentication option to prevent users from using the standard login form in BeyondInsight.
To disable forms login for existing users, enable this option directly on a user account as follows:
- Click the vertical ellipsis for the user account, and then click Edit User Details.
- Under Authentication Options, toggle Disable Forms Login to enable the option.
Please contact support for assistance if you need to bulk-apply this setting to existing accounts.
To have forms login disabled automatically for newly created users:
- Navigate to Configuration > Authentication Management > Authentication Options.
- Under Forms Login Options, enable one or both options as applicable:
  - Disable Forms Login for new directory accounts
  - Disable Forms Login for new local accounts