Configuring SAML authentication with Okta

  1. Install the UPA Gatekeeper and Gateway
  2. Create and configure UPA as an enterprise application in your Okta tenant:
    1. In the Okta console, go to Applications:
      1. Select Create App Integration
      2. Select SAML 2.0 as the authentication type
      3. Enter a name for your application
      4. Click Next
      5. Configure SAML settings as follows:
        1. Enter the Single sign-on URL https://<gatekeeper>/Portal/SSO/SamlACS
        2. Select the Recipient URL and Destination URL check boxes
        3. Enter the Audience URI https://<gatekeeper>
        4. Enter a domain name for UPA, to use with Microsoft Entra ID users and groups, as the Default Relay State. For example, ‘Entra’ or ‘MyDomain’
        5. Enter an email address as the NameIDFormat
        6. Enter your Okta username as the Application Username
        7. Enter the application username in the Create and Update fields
        8. Download the HAPI certificate from the Gatekeeper machine in the location C:\Program Files\Full Armor\UPA\Gatekeeper\nginx\conf\certificate.crt
        9. Go to Advanced Options and upload the HAPI certificate
        10. Select the Allow application to initiate single logout checkbox where the Single Logout URL is https://<gatekeeper>/Portal/SSO/SLO
    2. Assign users and groups in the Okta console:
      1. On your application’s Overview page, select Assign users and groups from the Identity menu or the Getting Started area
      2. Select Add user/group on the Users and groups page
      3. On the Users and groups tab of the Add Assignment page, select one or more Users and Groups check boxes
      4. Click Select
      5. Click Assign
    3. Set up single sign-on:
      1. Configure your application to use SAML authentication:
        1. Download the HAPI SAML metadata:
          1. In the OpenText UPA Owner Portal (https://<gatekeeper>/portal/account), select SSO
          2. Click Get SAML Metadata
          3. Save to a file. For example, C:\UPA\Metadata\GetOktaMetadata.xml
        2. In the Okta console, browse to your application’s Overview page:
        3. Select Single sign-on
        4. On the Single sign-on page, select SAML
        5. On the SAML-based Sign-on page, select Upload metadata file and upload the HAPI SAML metadata
          1. On the Basic SAML Configuration tab, enter a domain name for UPA under Relay State (Optional), to use with Microsoft Entra ID users and groups. For example, ‘Entra’ or ‘MyDomain’
          2. Enter the Sign on URL (Optional), https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>, where ProviderName is the name of the SAML provider for UPA, specified in the previous step
          3. In the SAML Certificates area, select Download Federation Metadata XML
          4. Save to a file. For example, C:\UPA\Metadata\OktaSAMLFederationMetadata.xml
  3. Configure UPA to use SAML authentication:
    1. In the Full Armor UPA Owner Portal, go to the SSO tab
    2. Click Add SAML Provider to launch the SAML Configuration Settings page and complete the following steps:
      1. Enter the Provider Name to match the value in Relay State (Optional) in a previous step
      2. Select the default Tenancy ID
      3. Select the Set as Default Login Provider check box for the UPA web console to use this SAML provider as the default identity provider for logins
      4. (Optional) To log in with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>
      5. In the Name ID Format list, click EmailAddress
      6. In the Signature Algorithm list, click SHA_256
      7. In the Provisioning Mode list, click AutomaticProvisioning
      8. Click Save
  4. Set up SCIM provisioning:
    1. In the Full Armor UPA Owner Portal, go to the SSO tab
      1. On the Manage Authentication page, click Edit for the given SAML provider
      2. On the SAML Configuration Settings page, click Configure Provisioning
      3. On the Provisioning Settings page, click Get SCIM Token
    2. In the Okta console, go to the UPA application
      1. Select the Enable SCIM Provisioning checkbox
      2. On the Provisioning/Integration tab, complete the following provisioning actions:
        1. Enter the SCIM Connector Base URL in the form https://<gatekeeper>/api/scim
        2. Enter username in the Unique Identifier field for Users
        3. Choose Push New Users
        4. Choose Push Profile Updates
        5. Choose Push Groups
        6. In the Authentication Mode list, click HTTP Header
        7. Enter the SCIM token from a previous step
      3. Browse to Provisioning > To App > Attribute Mappings and remove the following mappings:
        1. Manager Value
        2. Employee Number
        3. Cost Center
        4. Organization
        5. Division
        6. Department
        7. Manager
        8. Display Name
      4. Click Save Changes
      5. Click Force Sync
    3. Assign a UPA Global Administrator role:
      1. On the UPA Owner Portal, click the SSO tab when provisioning is complete
      2. Select the List Users button for the given SAML provider
        1. Confirm that the users/groups are imported correctly
      3. Select the user to grant global administrator permissions
      4. Click Set User as Global Admin
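An added example, not part of this article or of the UPA product: a Python check to run over the Okta federation metadata XML saved above before it is uploaded to the UPA Owner Portal. It reads the IdP entity ID, SSO endpoint, NameID formats and signing-certificate fingerprint from the file and flags anything that would not match the provider settings chosen above (EmailAddress NameID, HTTPS endpoints); the sample metadata, org name and certificate bytes are constructed, not from a real Okta tenant.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample shaped like Okta IdP metadata; the cert is a fake DER blob (real DER starts with 0x30).
FAKE_DER = b"\x30\x82\x00\x1dconstructed-not-a-real-certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="http://www.okta.com/EXAMPLEID">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FMT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="https://example.okta.com/app/x/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Pull out what the UPA SAML provider relies on: entity ID, SSO endpoints, NameID formats, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata (or not SAML metadata), not the Okta IdP file")
    fingerprints = []
    for cert in idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        der = base64.b64decode("".join(cert.text.split()))
        if not der.startswith(b"\x30"):
            raise ValueError("X509Certificate element does not hold a DER certificate")
        fingerprints.append(hashlib.sha256(der).hexdigest())  # compare out of band with the Okta console
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha256": fingerprints,
    }


def check_for_upa(info: dict) -> list:
    """Reasons the metadata would not match the UPA provider settings above (EmailAddress NameID, HTTPS)."""
    problems = []
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate: UPA could not verify assertion signatures")
    problems += [f"endpoint is not HTTPS: {u}" for u in info["sso"].values() if not u.startswith("https://")]
    if EMAIL_FMT not in info["name_id_formats"]:
        problems.append("IdP does not advertise the emailAddress NameIDFormat selected in UPA")
    return problems
```

Run it against the downloaded OktaSAMLFederationMetadata.xml instead of SAMPLE_METADATA; the script does not verify the metadata's own XML signature, so fetch the file over HTTPS from the Okta console only.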