Setting up SAML 2.0 with Okta for Web Client

This topic provides step-by-step instructions on how to set up SAML 2.0 in Web Client with Okta.

SAML Configuration in Okta

  1. Create a developer account on the Okta website at https://developer.okta.com/signup/.

  2. Click Applications on the menu.

  3. Click Create App Integration.

  4. Select SAML 2.0.

  5. In the App name field, enter SAML 2 Web Client.

  6. Click Next.

  7. In the Single Sign on URL field, enter your Nectari URL and port followed by /AuthServices/Acs (for example https://host:port/AuthServices/Acs). This is the Assertion Consumer Service endpoint that Okta posts the SAML response to.

  8. In the Audience URI (SP Entity ID) field, enter your Nectari URL and port followed by a unique identifier for your Web Client (for example https://host:port/biwebclient). The URL and port must be the same as those entered during the Nectari installation, and the value must match the entityId you later set in web.config; Okta rejects an assertion whose audience differs from the service provider's entity ID.

  9. Click Next.

  10. Click Finish.

  11. Select the Assignments tab.

  12. Click Assign.

  13. Add the Nectari users who will be connecting with SSO.

  14. Download the Okta Certificate.

  15. Click the Sign On tab and select View Setup Instructions.

  16. Take note of the Single Sign-On URL and Identity Provider Issuer (Entity ID). They become the signOnUrl and entityId of the identity provider in web.config.

Web Client Configuration

Copying the Okta Certificate

  1. Copy the Okta certificate you downloaded into the App_Data folder of the Web Client site (under inetpub), for example as App_Data\okta.cert. This is the path that web.config references, and it is the only key the Web Client uses to validate the signature on SAML responses.

  2. Open the web.config file.

  3. Set the following application settings.

    <add key="ssoMode" value="saml2"/>
    <add key="ssoNameAttribute" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"/>

  4. Update the sustainsys.saml2 parameters as follows, replacing the example host, identity provider entityId and signOnUrl with your own Nectari URL and the Identity Provider Issuer and Single Sign-On URL noted from Okta.

    <!-- entityId must equal the Audience URI (SP Entity ID) entered in Okta;
         returnUrl + modulePath + "/Acs" must equal the Single Sign on URL entered in Okta -->
    <sustainsys.saml2 entityId="https://releaser11.nectariqa.com:444/biwebclient" returnUrl="https://releaser11.nectariqa.com:444/" modulePath="/AuthServices">
    	<identityProviders>
    		<!-- entityId = Identity Provider Issuer, signOnUrl = Single Sign-On URL from the Okta setup instructions.
    		     allowUnsolicitedAuthnResponse="true" also accepts IdP-initiated sign-on (starting from the Okta tile);
    		     set it to "false" if users must always start from the Web Client. -->
    		<add entityId="http://www.okta.com/exk3u462dqPKu2LAk5d7" signOnUrl="https://dev-40198417.okta.com/app/dev-40198417_saml2_1/exk3u462dqPKu2LAk5d7/sso/saml" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
    			<!-- the certificate copied into App_Data in step 1; responses not signed by this key are rejected -->
    			<signingCertificate fileName="~/App_Data/okta.cert"/>
    		</add>
    	</identityProviders>
    </sustainsys.saml2>
    <system.identityModel.services>
    	<federationConfiguration>
    		<!-- requireSsl="true" marks the session cookie Secure, so the site must be served over HTTPS -->
    		<cookieHandler requireSsl="true" name="BIWebClient"/>
    	</federationConfiguration>
    </system.identityModel.services>

  5. Restart the Web Client.
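Most SAML set-up failures come from a value typed into Okta that does not match what web.config derives. The script below is an added example, not Nectari or Okta code: it parses a web.config fragment (the one shown on this page, embedded as a constructed sample) and compares it with the values entered into and noted from the Okta app in steps 7, 8 and 16. The OKTA_APP dictionary, the function names and the check rules are assumptions made for this example; the ACS path rule (modulePath followed by /Acs) is how Sustainsys.Saml2 exposes its Assertion Consumer Service.

```python
"""Consistency check between the Okta SAML app and the Web Client web.config.
Added example; not part of the Nectari documentation or product."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# web.config fragment as shown on this page (constructed sample input).
WEB_CONFIG = """
<configuration>
  <appSettings>
    <add key="ssoMode" value="saml2"/>
    <add key="ssoNameAttribute" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"/>
  </appSettings>
  <sustainsys.saml2 entityId="https://releaser11.nectariqa.com:444/biwebclient"
                    returnUrl="https://releaser11.nectariqa.com:444/"
                    modulePath="/AuthServices">
    <identityProviders>
      <add entityId="http://www.okta.com/exk3u462dqPKu2LAk5d7"
           signOnUrl="https://dev-40198417.okta.com/app/dev-40198417_saml2_1/exk3u462dqPKu2LAk5d7/sso/saml"
           allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
        <signingCertificate fileName="~/App_Data/okta.cert"/>
      </add>
    </identityProviders>
  </sustainsys.saml2>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" name="BIWebClient"/>
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
"""

# Values entered into Okta (steps 7 and 8) and noted from its setup
# instructions (step 16). Assumed dictionary layout for this example.
OKTA_APP = {
    "single_sign_on_url": "https://releaser11.nectariqa.com:444/AuthServices/Acs",
    "audience_uri": "https://releaser11.nectariqa.com:444/biwebclient",
    "idp_issuer": "http://www.okta.com/exk3u462dqPKu2LAk5d7",
    "idp_sso_url": "https://dev-40198417.okta.com/app/dev-40198417_saml2_1/exk3u462dqPKu2LAk5d7/sso/saml",
}


def expected_acs_url(return_url, module_path):
    """Sustainsys.Saml2 answers the Assertion Consumer Service at <site><modulePath>/Acs."""
    return f"{return_url.rstrip('/')}/{module_path.strip('/')}/Acs"


def check_saml_config(web_config_xml, okta):
    """Return a list of mismatches; an empty list means Okta and web.config agree."""
    problems = []
    root = ET.fromstring(web_config_xml)
    # appSettings entries have a key attribute; the identityProviders <add> does not.
    settings = {a.get("key"): a.get("value") for a in root.iter("add") if a.get("key")}
    if settings.get("ssoMode") != "saml2":
        problems.append("ssoMode must be saml2")

    saml = root.find("sustainsys.saml2")
    if saml is None:
        return problems + ["sustainsys.saml2 element missing"]

    acs = expected_acs_url(saml.get("returnUrl", ""), saml.get("modulePath", ""))
    if acs != okta["single_sign_on_url"]:
        problems.append(f"Okta Single Sign on URL is {okta['single_sign_on_url']} "
                        f"but web.config yields {acs}")
    if saml.get("entityId") != okta["audience_uri"]:
        problems.append("Audience URI (SP Entity ID) in Okta differs from sustainsys.saml2 entityId")
    if urlparse(saml.get("returnUrl", "")).scheme != "https":
        problems.append("returnUrl must be https; with requireSsl=true the session cookie "
                        "is never sent over plain http")

    idp = saml.find("identityProviders/add")
    if idp is None:
        problems.append("no identity provider configured")
    else:
        if idp.get("entityId") != okta["idp_issuer"]:
            problems.append("identity provider entityId differs from Okta Identity Provider Issuer")
        if idp.get("signOnUrl") != okta["idp_sso_url"]:
            problems.append("identity provider signOnUrl differs from Okta Single Sign-On URL")
        cert = idp.find("signingCertificate")
        if cert is None or not cert.get("fileName", "").startswith("~/App_Data/"):
            problems.append("signingCertificate must point at the Okta certificate in App_Data")

    cookie = root.find("system.identityModel.services/federationConfiguration/cookieHandler")
    if cookie is None or cookie.get("requireSsl", "").lower() != "true":
        problems.append("cookieHandler requireSsl should be true")
    return problems


if __name__ == "__main__":
    for line in check_saml_config(WEB_CONFIG, OKTA_APP) or ["web.config and Okta app agree"]:
        print(line)
```

Run it against the real web.config before restarting the Web Client; a mismatch in the ACS URL or audience shows up here as a plain message instead of as a generic Okta error page after the redirect.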

Creating Users and Groups in Nectari

  • Refer to Users to create your Web Client user. Its User Name must be exactly the value that the SAML 2 response carries in the attribute for user name you defined during the installation of the package (the ssoNameAttribute setting in web.config); the Web Client matches users on that value, so a different spelling or case will not sign in.

    Example