Implementing SAML with Okta
INTRODUCTION

One of the SAML identity providers (IdP) you can use is Okta (https://www.okta.com).

In order to set up SSO with Okta, you will need:

  • An Okta account with admin permissions.
  • An Admin or Super Admin user role within Hudu.
  • All users provisioned in Okta with exactly the same email address they have in Hudu. SSO does not create new user accounts.
  • Ensure that the users have already been created in Hudu before starting this process.

GUIDES

HOW TO ENABLE SSO

  1. Log in to Hudu and click the Admin tab on the top toolbar.
  2. Click General.
  3. Click Configure Single Sign-On.
  4. Enter SAML details. See relevant section below on how to fill this information out.
  5. Click "Enable Single Sign-On".
  6. Hit "Update SAML Details" and SAML should now be activated.

Configuring Okta:

  • Inside Okta, as an administrator:
    • Navigate to the Applications screen and add a new application.
  • Click "Create New App".
  • When the modal pops up, select SAML 2.0, and then click "Create".
  • On the next screen, give the Application a name.
  • In Configure SAML, fill in the following fields:
    • Single sign on URL: Enter the URL of your Hudu instance followed by /saml/consume
      • Ex. https://docs.mywebsite.com/saml/consume
    • Audience URI: Enter the URL of your Hudu instance.
      • Ex. https://docs.mywebsite.com
    • Name ID format: Choose EmailAddress.
    • Application username: Choose Email.
  • Click "Show Advanced Settings" and fill out the following fields:
  • Click Next.
  • Now, choose:
    1. I'm an Okta customer adding an internal app.
    2. This is an internal app that we have created.
  • Then click Finish.
  • On the next screen, click View Setup Instructions.
  • Keep the setup instructions open as you fill out the info in Hudu.

 

Configuring Hudu:

  1. In Hudu, with a user-role of Admin or Super Admin:
    • Navigate to Admin >> General >> SAML/SSO Configure.
  2. Provide Identity Provider (IdP) information:
    • SAML Issuer URL: This is what Okta calls their "Okta Identity Provider Issuer." Copy this exactly into Hudu.
    • SAML Login URL: This is what Okta calls their "Okta Identity Provider Single Sign-On URL." Copy this exactly into Hudu.
    • SAML Logout URL: This will be the same as your Login URL; the "Okta Identity Provider Single Sign-On URL." Copy this exactly into Hudu.
    • SAML Fingerprint:
      • To ensure that you are obtaining the correct fingerprint (thumbprint) for your algorithm:
        • Copy the certificate.
        • Paste the certificate into a tool such as: https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint
        • Choose either SHA-1 or SHA-256 as the algorithm.
          • If choosing SHA-256, you will also need to ensure that the 'Use SHA-256' option is checked (in Hudu SAML setup area).
        • Copy either the non-formatted or formatted fingerprint provided and paste it into the Hudu SAML Fingerprint field.
    • SAML Certificate: This is provided by Okta, and should be the same certificate used to configure the fingerprint; copy this exactly.
      • -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- should be included.
      • Paste into the SAML Certificate field. Make sure there is no extra space trailing at the end!
    • SAML ARN: This sets the Authentication Context that Hudu requests from the IdP. AuthnContext is the method by which a user authenticates (e.g. via password, passwordless, etc.).
      • If you specify Do not pass RequestedAuthnContext in your request, the IdP is free to authenticate the user however it chooses; the URN it returns effectively says "I don't want to tell you how I identified the user".
        • A Requested Authentication Context may be required by your IdP, but it is typically optional.
        • If you have users that use passwordless login to your IdP, Do not pass RequestedAuthnContext must be selected.
      • If you specify Password in your request, the IdP knows it has to authenticate the user through login/password.
      • If you specify PasswordProtectedTransport in your request, the IdP knows it has to authenticate the user through login/password, protected by SSL/TLS.
  3. Click "Enable Single Sign-On".
  4. Hit "Update SAML Details" and SAML should now be activated.
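The fingerprint and certificate steps above can be checked locally instead of with an online tool. This is an added example, not Hudu's or Okta's code: it normalizes a pasted PEM certificate (markers present, no trailing whitespace) and computes the SHA-1 or SHA-256 fingerprint in both the formatted and non-formatted forms Hudu accepts. SAMPLE_PEM is a constructed stand-in whose base64 body is not a real certificate.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for the certificate Okta shows under "View Setup
# Instructions". The body is arbitrary base64, not a real X.509 certificate:
# the fingerprint is just a hash of the decoded (DER) bytes between the markers,
# so the same code works unchanged on the real certificate.
SAMPLE_PEM = (
    BEGIN + "\n"
    + base64.b64encode(b"constructed sample DER bytes for the fingerprint demo").decode()
    + "\n" + END + "\n"
)


def normalize_certificate(pem: str) -> str:
    """Return the certificate the way Hudu expects it pasted: both markers
    present and no leading or trailing whitespace (a trailing space or blank
    line is a common reason the SAML Certificate field is rejected)."""
    text = pem.strip()
    if not (text.startswith(BEGIN) and text.endswith(END)):
        raise ValueError("certificate must include the BEGIN and END markers")
    body = text[len(BEGIN):-len(END)]
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return "\n".join([BEGIN, *lines, END])


def fingerprint(pem: str, algorithm: str = "sha256", formatted: bool = False) -> str:
    """SHA-1 or SHA-256 fingerprint of the certificate's DER bytes.
    formatted=True gives the colon-separated form (AB:CD:...); otherwise the
    plain upper-case hex string. Hudu accepts either; remember to tick
    'Use SHA-256' in Hudu when you paste a SHA-256 fingerprint."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("algorithm must be 'sha1' or 'sha256'")
    cert = normalize_certificate(pem)
    der = base64.b64decode("".join(cert.splitlines()[1:-1]), validate=True)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    if formatted:
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return digest


if __name__ == "__main__":
    print("SHA-256:", fingerprint(SAMPLE_PEM, "sha256", formatted=True))
    print("SHA-1:  ", fingerprint(SAMPLE_PEM, "sha1", formatted=True))
```

Run it against the real certificate copied from Okta's setup page to get the value for the SAML Fingerprint field; if normalize_certificate raises, the markers were not copied.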
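To see what the three SAML ARN choices actually change on the wire, this added example (not Hudu's code) builds a minimal AuthnRequest skeleton for each option and reads back which AuthnContext class it requests. The request layout, the Comparison="exact" attribute, the request ID and the timestamp are assumptions; the class URNs are the standard SAML 2.0 ones.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hudu's three "SAML ARN" choices and the AuthnContext class each one requests.
# None means the RequestedAuthnContext element is left out of the request.
AUTHN_CONTEXT_CLASSES = {
    "Do not pass RequestedAuthnContext": None,
    "Password": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "PasswordProtectedTransport":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}


def build_authn_request(option, issuer, acs_url, request_id, issue_instant):
    """Minimal AuthnRequest skeleton (assumed layout, not Hudu's own). Only the
    RequestedAuthnContext element differs between the options; when it is
    omitted the IdP chooses the method, which is what passwordless users need."""
    if option not in AUTHN_CONTEXT_CLASSES:
        raise ValueError(f"unknown option: {option!r}")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"})
    klass = AUTHN_CONTEXT_CLASSES[option]
    if klass is not None:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = klass
    return ET.tostring(req, encoding="unicode")


def requested_class(authn_request_xml):
    """Read back which AuthnContext class a request asks for (None if it passes
    no RequestedAuthnContext), e.g. when inspecting a captured SAMLRequest."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return ref.text if ref is not None else None


def example_request(option):
    # Constructed values: the example Hudu URL from this guide, a fixed ID and timestamp.
    return build_authn_request(option, "https://docs.mywebsite.com",
                               "https://docs.mywebsite.com/saml/consume",
                               "_constructed-request-id", "2020-01-24T17:00:00Z")
```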

 

TESTING SAML

Open an incognito window and try to access Hudu. You should be redirected to the login page, where you will see a "Use Single Sign On (SSO)" button. If you are able to log in successfully via this button, your SAML is working!

 

DISABLE PASSWORD ACCESS FOR NON-ADMINS

You have the option to disable password logins for non-administrators (users that are not super admins or admins). After clicking "Disable Password Access for non-Admins", all users below admin will have to use single sign-on exclusively to access your Hudu environment.

Admins will be able to access via an admin sign in page. This will prevent you from being locked out of your account when your Identity Provider is unavailable.