Okta SAML
Overview
Bold Penguin supports a wide variety of SAML 2.0 and OAuth 2.0 identity providers for SSO into the Bold Penguin Terminal.
This is specific documentation for creating a SAML 2.0 SSO link between Okta Single Sign-On and the Terminal. Additional information regarding Okta Single Sign-On is available at the end of this document.
In this document you will:
- Create the Okta applications necessary for the connection
- Configure the required SSO (Single Sign On) link for authentication
- Configure user attributes
- Map roles to users to connect your environment to Bold Penguin
Create Applications
You will create two new applications in the Okta Admin Console for the Bold Penguin beta and production environments.
1. Navigate to the Admin Console in your Okta org by clicking Admin in the upper-right corner
   - NOTE: If you are in the Developer Console, click Developer Console in the upper-left corner and then click Classic UI to switch over to the Admin Console in your Okta org.
2. In the Admin Console, go to Applications > Applications
3. Click Add Application
4. Click Create New App to start the Application Integration Wizard
5. To create a SAML integration, select Web as the Platform and SAML 2.0 as the Sign on method
6. Click Create
7. Enter a name for your integration and add any other details you need for your dashboard.
8. Click Next to switch to the Configure SAML tab
   - NOTE: If you are configuring Okta to support both Partner Portal and Terminal, select Allow this app to request other SSO URLs in the Configure SAML tab and add the SSO URL from step 9. This must be done for each environment.
9. Use the table below to set Single sign on URL and Audience URI (SP Entity ID) for each environment. Each environment gets its own application; do not mix values between rows.

Environment | Single sign on URL | Audience URI (SP Entity ID) |
---|---|---|
Production | https://boldpenguin-auth.boldpenguin.com/users/auth/saml/callback | https://boldpenguin-auth.boldpenguin.com |
Beta | https://boldpenguin-auth-uat.beta.boldpenguin.com/users/auth/saml/callback | https://boldpenguin-auth.boldpenguin.com |

   The Audience URI listed for Beta is identical to the Production value. Confirm it with your Project Manager before saving: the Audience in the assertion must match the SP Entity ID exactly, otherwise the Terminal rejects the assertion.
10. Leave Default RelayState blank
11. Set the Application username to a unique field such as email or Okta username; this becomes the NameID in the assertion
12. Add the following minimum set of attribute statements to the claim:

URI Reference | Value |
---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.firstName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.lastName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | String.toLowerCase(user.email) |

   The email is lower-cased with the Okta expression language so the value matches the Bold Penguin user record regardless of how it is capitalized in Okta. Then add a group attribute statement that passes the Bold Penguin defined role as part of the claim; the filter selects the Okta groups whose names carry those roles, for instance:

URI Reference | Filter |
---|---|
http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Starts with BoldPenguin |

13. Click Next and then Finish to complete configuration for this application
14. From the main settings page for your new integration, click the Sign On tab
15. In the SIGN ON METHODS section, locate the Identity Provider metadata link just above the CREDENTIALS DETAILS section
16. Right-click the Identity Provider metadata link and select Copy Link Address
17. Email the metadata URL from step 16 to your Bold Penguin Project Manager
18. After completing the beta application, repeat these steps for production
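Before emailing the metadata link, it is worth checking that the assertion Okta will send actually matches the values above. Okta's Configure SAML tab has a Preview the SAML Assertion button; the script below is an added example (not Bold Penguin or Okta code) that takes that XML and compares Recipient, Audience, NameID, the three claims and the role filter against the environment table. The sample assertion, the issuer and the group name BoldPenguin-User are constructed; the script does not verify the XML signature or the validity window, which is the service provider's job, it only checks the configuration.

```python
"""Pre-flight check of an Okta SAML assertion against the Bold Penguin settings.

Added example, not Bold Penguin or Okta code. Paste the XML from Okta's
"Preview the SAML Assertion" button or pass a file path on the command line.
The sample assertion below is constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
ROLE_PREFIX = "BoldPenguin"  # the group attribute filter "Starts with BoldPenguin"

# Values from the environment table above.
PRODUCTION = {
    "sso_url": "https://boldpenguin-auth.boldpenguin.com/users/auth/saml/callback",
    "audience": "https://boldpenguin-auth.boldpenguin.com",
}
BETA = {
    "sso_url": "https://boldpenguin-auth-uat.beta.boldpenguin.com/users/auth/saml/callback",
    "audience": "https://boldpenguin-auth.boldpenguin.com",  # as listed; confirm with your PM
}


def check_assertion(xml_text, expected):
    """Return a list of configuration problems; an empty list means it matches."""
    problems = []
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a samlp:Response wrapping one.
    tag = "{%s}Assertion" % NS["saml2"]
    assertion = root if root.tag == tag else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        return ["no saml2:Assertion element found"]

    # Recipient must be the Single sign on URL the browser will POST to.
    scd = assertion.find(
        "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["sso_url"]:
        problems.append("Recipient %r is not the Single sign on URL" % recipient)

    # Audience must equal the Audience URI (SP Entity ID) exactly.
    audiences = [a.text for a in assertion.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append("Audience %r does not contain the Audience URI" % audiences)

    # NameID carries the Application username and must not be empty.
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS)
    if not (name_id or "").strip():
        problems.append("NameID is empty")

    # Attribute statements: claim name -> list of values.
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]

    for suffix in ("givenname", "surname", "emailaddress"):
        if not (attrs.get(CLAIMS + suffix) or [""])[0]:
            problems.append("missing or empty attribute " + CLAIMS + suffix)
    email = (attrs.get(CLAIMS + "emailaddress") or [""])[0]
    if email != email.lower():
        problems.append("emailaddress is not lower-case")
    roles = [r for r in attrs.get(ROLE_CLAIM, []) if r.startswith(ROLE_PREFIX)]
    if not roles:
        problems.append("no role value starting with " + ROLE_PREFIX)
    return problems


# Constructed sample assertion; the issuer and the group name are assumptions.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id1" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml2:Issuer>http://www.okta.com/exkCONSTRUCTEDexample</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="https://boldpenguin-auth.boldpenguin.com/users/auth/saml/callback"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2023-12-31T23:55:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://boldpenguin-auth.boldpenguin.com</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml2:AttributeValue>BoldPenguin-User</saml2:AttributeValue>
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ASSERTION
    env = BETA if "beta" in sys.argv[2:] else PRODUCTION
    for problem in check_assertion(xml_text, env) or ["OK: assertion matches the settings"]:
        print(problem)
```

Run it against the preview of the beta application with `python check_assertion.py preview.xml beta`; a production assertion checked against BETA fails on Recipient, which is exactly the mix-up the per-environment table is meant to prevent.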
Assign Users and Roles
Add the appropriate users and groups to the beta and production applications. Because the role attribute statement is filtered on group names that start with BoldPenguin, a user receives a Bold Penguin role by being a member of such a group; you must assign the User role (or other predefined roles) to one or more Okta users this way. These roles and permissions will be defined by you and your Project Manager based on our role recommendations.
To assign your integration to users in your org:
- Click the Assignments tab.
- Click Assign and then select either Assign to People or Assign to Groups.
- Enter the appropriate people or groups that you want to have Single Sign-On into your application, and then click Assign for each.
- For any people that you add, verify the user-specific attributes, and then select Save and Go Back.
- Click Done.
Testing
Your Project Manager will confirm receipt of the metadata URLs from the applications above. Once we add these to your tenant, you should be able to log in to the Bold Penguin Enterprise Terminal using the dashboard URL for your domain:
https://[domain].boldpenguin.com/dashboard
NOTE: Replace [domain] with your unique domain provided during on-boarding.
When a user first authenticates through Okta, Bold Penguin receives the roles you mapped above in its authentication layer.
Next, you will work with your Project Manager to add the appropriate permissions for each role or group.
Useful Okta resources
What is SAML: https://developer.okta.com/docs/concepts/saml/
Creating SAML integrations: https://developer.okta.com/docs/guides/build-sso-integration/saml2/create-your-app/
Testing SAML integrations: https://developer.okta.com/docs/guides/build-sso-integration/saml2/test-your-app/