Step-by-step instructions to set up a SAML authentication for your Sponsors with Cloudi-Fi and Okta.
Use case
The following sections provide step-by-step instructions to set up SAML authentication for your Sponsors with Cloudi-Fi and Okta.
Prerequisites
SAML URLs
Navigate to the Cloudi-Fi Admin user interface (UI)
Go to Configuration > Auth modes > Sponsor
Collect the necessary information
Linkback URL
https://portal.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-sponsor/<company_key>
where <company_key> is your Cloudi-Fi public key (go to your Cloudi-Fi Admin interface > Settings > Company Account to find it)
Cloudi-Fi Entity ID
https://portal.cloudi-fi.net/
1. Create your Okta SAML application
Go to your Okta portal and switch to "Classic UI" mode.
Go to the Application section, and add a new application.
Click on Create a new Application Integration.
Then, select SAML 2.0
In the General Settings page, define your App name (for instance: Cloudi-Fi Guest SAML) and click on Next
In the Configure SAML page, set:
- Linkback URL : https://portal.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-sponsor/<company_key> (to find your <company_key>, go to the Cloudi-fi Admin interface > Settings > Company Account)
- Cloudi-Fi Entity ID : https://portal.cloudi-fi.net/
- Name ID format : EmailAddress
- Application username : Email
- Update application username on : Create and update
- Attribute Statement :
  - Name : mail
  - Value : user.email
In the Feedback page, click on Finish
Once the Cloudi-Fi application is created on Okta, click View SAML Setup Instructions to retrieve technical information to be configured on the Cloudi-Fi portal.
Here is the information you need:
Identity Provider Single Sign-On URL
Identity Provider Issuer
X.509 Certificate
2. Cloudi-Fi configuration
To start step 2, make sure you have all of the following information:
| Attribute name (in Okta) | Attribute name (in Cloudi-Fi) | Details |
| Single sign-on URL | Linkback URL | |
| SP Entity ID | Cloudi-Fi Entity ID | |
| Identity Provider Issuer | IdP EntityID | |
| Identity Provider Single Sign-On URL | IdP Endpoint | |
| X.509 Certificate | IdP Signing Certificate (X509, Base64) | |
| Attribute Statements / Name | Email_address Claims | |
Navigate to the Cloudi-Fi Admin user interface (UI)
Access Configuration > Auth modes > Sponsor
Enter the required values into the respective fields
Fill out the form as described below with details previously retrieved on Okta:
- IdP EntityId : Identity Provider Issuer
- Binding Method : POST
- IdP Endpoint : Identity Provider Single Sign-On URL
- Logout Binding Method : POST
- IdP Signing Certificate : X.509 Certificate, pasting only the Base64 body without the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" marker lines
- Email attribute name : mail
Finally, click on Save
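The two steps above are a manual exchange of values between the Okta app and the Cloudi-Fi Sponsor form. The following script, added here as an example and not part of the Cloudi-Fi or Okta documentation, produces both sides of that exchange: the values to type into Okta's Configure SAML page for a given company key, and the Cloudi-Fi form values derived from an Okta IdP metadata document (Okta also exposes this metadata next to the setup instructions). The certificate is normalized exactly as step 2 requires, with the BEGIN/END markers and line breaks removed, and checked to be valid Base64 that decodes to a DER certificate. The metadata document, entity ID, endpoint and certificate body are constructed sample values, not a real tenant.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://portal.cloudi-fi.net/"  # Cloudi-Fi Entity ID from the guide
ACS_TEMPLATE = ("https://portal.cloudi-fi.net/auth/module.php/saml/sp/"
                "saml2-acs.php/sp-sponsor/{company_key}")  # Linkback URL from the guide

# Constructed sample: a minimal Okta-style IdP metadata document. The entity ID,
# SSO endpoint and certificate body are hypothetical, not a real Okta tenant.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exk0000000000example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIIC0000EXAMPLE
            CERTBODY0
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/cloudifi/exk0000000000example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/cloudifi/exk0000000000example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_app_settings(company_key):
    """Step 1: the values to enter on Okta's Configure SAML page for the Cloudi-Fi app."""
    if not company_key or company_key.strip("<>") == "company_key":
        raise ValueError("replace the <company_key> placeholder with the key from Settings > Company Account")
    return {
        "Single sign-on URL (Linkback URL)": ACS_TEMPLATE.format(company_key=company_key),
        "SP Entity ID (Cloudi-Fi Entity ID)": SP_ENTITY_ID,
        "Name ID format": "EmailAddress",
        "Application username": "Email",
        "Update application username on": "Create and update",
        "Attribute Statements": {"mail": "user.email"},
    }


def strip_pem_markers(cert_text):
    """Return the certificate as one line of Base64, without BEGIN/END markers or whitespace."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    body = re.sub(r"\s+", "", body)
    raw = base64.b64decode(body, validate=True)  # raises binascii.Error on non-Base64 input
    if not raw.startswith(b"\x30"):  # a DER certificate always starts with a SEQUENCE tag
        raise ValueError("decoded data does not look like a DER certificate")
    return body


def cloudifi_sponsor_settings(metadata_xml):
    """Step 2: derive the Cloudi-Fi Sponsor form values from the Okta IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    if POST_BINDING not in sso:
        raise ValueError("IdP exposes no HTTP-POST endpoint; the guide sets Binding Method = POST")
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if EMAIL_NAMEID_FORMAT not in formats:
        raise ValueError("IdP does not advertise the emailAddress NameID format the Okta app uses")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # a KeyDescriptor without 'use' serves both purposes
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            break
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in metadata")
    return {
        "IdP EntityId": root.get("entityID"),
        "Binding Method": "POST",
        "IdP Endpoint": sso[POST_BINDING],
        "Logout Binding Method": "POST",
        "IdP Signing Certificate": strip_pem_markers(cert.text),
        "Email attribute name": "mail",
    }


if __name__ == "__main__":
    for k, v in okta_app_settings("EXAMPLE_COMPANY_KEY").items():  # constructed key
        print(f"Okta      | {k}: {v}")
    for k, v in cloudifi_sponsor_settings(SAMPLE_IDP_METADATA).items():
        print(f"Cloudi-Fi | {k}: {v}")
```

Feeding the script a real metadata download instead of the sample lets you compare its output field by field against what you typed into the Sponsor form; the most common mismatch is a certificate pasted with markers or line breaks, which `strip_pem_markers` removes.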
Troubleshooting
Okta error message
A Sponsor_administrator accesses the application and is redirected to the Okta authentication page. He fills in his email address and password and signs in, then is redirected to an Okta error page.
Replay the process while performing an HTTP capture (use the web request capture in your web browser), then open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?).
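Before sending the capture to support, the SAMLResponse form field it contains can be checked locally against the settings from steps 1 and 2. The script below is an added example, not Cloudi-Fi or Okta code: it decodes the (URL-encoded, then Base64) SAMLResponse and reports whether Destination matches the Linkback URL, whether the Audience is the Cloudi-Fi Entity ID, whether the NameID uses the emailAddress format, and whether the `mail` attribute from the Attribute Statement is present. It does not verify the XML signature (Cloudi-Fi does that with the IdP Signing Certificate), so it diagnoses configuration mismatches, not signature failures. The sample responses are built in code with a constructed company key and hypothetical identifiers.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
COMPANY_KEY = "EXAMPLE_COMPANY_KEY"  # constructed stand-in for your <company_key>
ACS_URL = ("https://portal.cloudi-fi.net/auth/module.php/saml/sp/"
           f"saml2-acs.php/sp-sponsor/{COMPANY_KEY}")  # Linkback URL from the guide
SP_ENTITY_ID = "https://portal.cloudi-fi.net/"  # Cloudi-Fi Entity ID from the guide
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_ATTRIBUTE = "mail"  # Attribute Statement name from step 1
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_sample_response(attribute_name=EMAIL_ATTRIBUTE, audience=SP_ENTITY_ID):
    """Constructed, unsigned SAML Response standing in for a captured one (hypothetical IDs)."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-example" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>http://www.okta.com/exk0000000000example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="id-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exk0000000000example</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_NAMEID_FORMAT}">sponsor@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{attribute_name}"><saml:AttributeValue>sponsor@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def inspect_saml_response(saml_response_field, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID):
    """Decode the SAMLResponse POST field and list mismatches against the Cloudi-Fi settings."""
    root = ET.fromstring(base64.b64decode(unquote(saml_response_field)))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    report = {
        "destination": root.get("Destination"),
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "status": status.get("Value") if status is not None else None,
        "problems": [],
    }
    problems = report["problems"]
    if report["status"] != SUCCESS:
        problems.append(f"IdP reported status {report['status']!r}")
    if report["destination"] != acs_url:
        problems.append(f"Destination {report['destination']!r} is not the Linkback URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion element (encrypted assertion or failed status)")
        return report
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    report.update({
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "nameid": nameid.text if nameid is not None else None,
        "audiences": audiences, "attributes": attrs,
    })
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain the Cloudi-Fi Entity ID")
    if report["nameid_format"] != EMAIL_NAMEID_FORMAT:
        problems.append(f"NameID format {report['nameid_format']!r} is not emailAddress")
    if EMAIL_ATTRIBUTE not in attrs:
        problems.append(f"attribute {EMAIL_ATTRIBUTE!r} missing; found {sorted(attrs)}")
    return report


if __name__ == "__main__":
    for label, field in [("correct", build_sample_response()),
                         ("wrong attribute name", build_sample_response(attribute_name="email"))]:
        print(label, "->", inspect_saml_response(field)["problems"] or "no mismatch found")
```

In a real capture, copy the value of the SAMLResponse field from the POST to the Linkback URL and pass it to `inspect_saml_response`; the function URL-decodes it first, so it accepts the field exactly as the browser's capture shows it.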
What's Next?
Congratulations on enabling SAML authentication with Okta for your Sponsor_administrators.
If you have any issues or need more help, please refer to our support documentation or contact our support team.