Okta SAML

Overview

Bold Penguin supports a wide variety of SAML 2.0 and OAuth 2.0 identity providers for SSO into the Bold Penguin Terminal.

This is specific documentation for creating a SAML 2.0 SSO link between Okta Single Sign-On and the Terminal. Additional information regarding Okta Single Sign-On is available at the end of this document.

In this document you will:

• Create the Okta applications necessary for the connection
• Configure the required SSO (Single Sign On) link for authentication
• Configure user attributes
• Map roles to users to connect your environment to Bold Penguin

Create Applications

You will create two new applications in the Okta Admin Console for the Bold Penguin beta and production environments.

1. Navigate to the Admin Console in your Okta org by clicking Admin in the upper-right corner

   

   • NOTE: If you are in the Developer Console, click <>> Developer Console in the upper-left corner and then click Classic UI to switch over to the Admin Console in your Okta org.

2. In the Admin Console, go to Applications > Applications

3. Click Add Application

4. Click Create New App to start the Application Integration Wizard

5. To create a SAML integration, select Web as the Platform and SAML 2.0 for the Sign on method

   

6. Click Create

7. Enter a name for your integration and add any other details you need for your dashboard.

   

8. Click Next to switch to the Configure SAML tab

   

   • NOTE: If you are configuring Okta to support both Partner Portal and Terminal you need to select Allow this app to request other SSO urls in the Configure SAML tab and add the SSO URL as shown below in step 9. This must be done for each environment.

9. Use the table below to set the appropriate values for Single sign on URL and Audience URI (SP Entity ID) for each environment

   Production

   • Single sign on URL

     https://boldpenguin-auth.boldpenguin.com/users/auth/saml/callback

   • Audience URI

     https://boldpenguin-auth.boldpenguin.com

   Beta

   • Single sign on URL

     https://boldpenguin-auth-uat.beta.boldpenguin.com/users/auth/saml/callback

   • Audience URI

     https://boldpenguin-auth.boldpenguin.com

10. Leave Default RelayState blank

11. Set the Application username to a unique field like email or Okta username

12. Your claim needs the following minimum set of attributes:

URI Reference	Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname	user.firstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname	user.lastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress	toLowerCase(user.email)

13. The group attribute statement maps to the appropriate Okta attribute to pass the Bold Penguin defined role as part of the claim. For instance:

URI Reference	Filter
http://schemas.microsoft.com/ws/2008/06/identity/claims/role	Starts with BoldPenguin

14. Click Next and then Finish to complete configuration for this application

15. From the main settings page for your new integration click the Sign On button

16. In the SIGN ON METHODS section, locate the Identity Provider metadata link right above the CREDENTIALS DETAILS section

    

17. Right-click the Identity Provider metadata link and select Copy Link Address

18. Email the metadata URL from step 16 to your Bold Penguin Project Manager

19. After completing the beta application, repeat these steps for production

Assign Users and Roles

Add the appropriate users and groups to the beta and production applications. You must also assign the User role (or other predefined roles) to one or more Okta users. These roles and permissions will be defined by you and your Project Manager based on our role recommendations.

To assign your integration to users in your org:

1. Click the Assignments tab.
2. Click Assign and then select either Assign to People or Assign to Groups.
3. Enter the appropriate people or groups that you want to have Single Sign-On into your application, and then click Assign for each.
4. For any people that you add, verify the user-specific attributes, and then select Save and Go Back.
5. Click Done.

Testing

Your Project Manager will confirm receipt of the metadata URLs from your applications above. Once we add these to your tenant, you should be able to login to the Bold Penguin Enterprise Terminal using the dashboard URL for your domain:

https://[domain].boldpenguin.com/dashboard

NOTE: Replace [domain] with your unique domain provided during on-boarding.

When your users first authenticate into Okta, Bold Penguin receives the roles you mapped above in our authentication layer.

Next, you will work with your project manager to add the appropriate permissions for each role or group.

Useful Okta resources

• What is SAML: https://developer.okta.com/docs/concepts/saml/

• Creating SAML integrations: https://developer.okta.com/docs/guides/build-sso-integration/saml2/create-your-app/

• Testing SAML integrations: https://developer.okta.com/docs/guides/build-sso-integration/saml2/test-your-app/