Okta Workforce OnPrem (SAML)

This guide will walk you through the steps required to configure Okta Workforce as a Single Sign-On (SSO) provider in On Premise deployment of Observo using SAML 2.0.

Prerequisites

  • An active Okta Workspace account.

  • A running Observo On Premise deployment.

  • Admin access to both Okta and Observo.

Steps to Set Up Okta as a SAML Identity Provider in Observo

1. Create a SAML Application in Okta

You need to create a SAML application in Okta to enable On Premise Observo to authenticate users via SAML.

  1. Log into Okta as an admin.

  2. Go to Applications > Applications in the Okta dashboard.

  3. Click on Create App Integration.

  4. Select SAML 2.0 as the Sign-in method. Click Next.

  5. Fill out the General Settings:

    • App name: Provide a name for the application (e.g., Observo SAML).

    • Click Next.

2. Configure SAML Settings (Initial Setup)

For now, enter temporary values. We'll update these after configuring Keycloak.

  1. In the SAML Settings section:

    • Single sign on URL: https://<ObservoOnPremURL>/observo-auth/realms/master/broker/okta-saml/endpoint

    • Audience URI (SP Entity ID): https://<ObservoOnPremURL>/observo-auth/realms/master

    • Default RelayState: Leave blank

    • Name ID format: EmailAddress

    • Application username: Email

  2. Under Attribute Statements (optional), add:

    • Name: email, Name format: Basic, Value: user.email

    • Name: firstName, Name format: Basic, Value: user.firstName

    • Name: lastName, Name format: Basic, Value: user.lastName

  3. Under Group Attribute Statements (optional, for role mapping):

    • Name: groups, Name format: Basic, Filter: Matches regex .*

  4. Click Next, then select I'm an Okta customer adding an internal app.

  5. Click Finish to create the application.

3. Retrieve SAML Entity Descriptor

Retrieve the SAML entity descriptor URL that will be used in Observo configuration.

  1. In the application you just created, go to the Sign On tab.

  2. In the SAML Setup section, locate the Metadata URL (SAML entity descriptor).

  3. Copy this URL.

4. Configure Observo to Use Okta as a SAML Identity Provider

Now, configure Okta as a SAML Identity Provider in Observo keycloak.

  1. Log into Observo keycloak with Observo Admin users credential. Observo keycloak is hosted in this URL: https://<ObservoOnPremURL>/observo-auth

  2. Select the realm of your Observo deployment to configure Okta SSO. master is the default realm.

  3. In the left-hand menu, click Identity Providers.

  4. From the Add provider dropdown, select SAML v2.0.

  5. Fill in the following details:

    • Alias: okta-saml

    • Display name: (Optional) The name that users will see on the login screen (e.g., "Okta")

    • Import from URL: Paste the SAML entity descriptor URL from step 3.

    • Click Import.

  6. Click Save.

5. Configure Attribute Mappers

Create mappers to import user attributes from Okta into Observo.

  1. Log into keycloak and go to the okta-saml identity provider you just created.

  2. Click on the Mappers tab.

  3. Create the following mappers by clicking Add mapper → Attribute Importer:

Email Mapper:

  • Name: Email

  • Sync Mode Override: Import

  • Attribute Name: email

  • Attribute Name Format: Basic

  • User Attribute Name: email

First Name Mapper:

  • Name: First Name

  • Sync Mode Override: Import

  • Attribute Name: firstName

  • Attribute Name Format: Basic

  • User Attribute Name: firstName

Last Name Mapper:

  • Name: Last Name

  • Sync Mode Override: Import

  • Attribute Name: lastName

  • Attribute Name Format: Basic

  • User Attribute Name: lastName

User Name Mapper:

  • Name: User Name

  • Sync Mode Override: Import

  • Attribute Name: email

  • Attribute Name Format: Basic

  • User Attribute Name: username

  1. Click Save for each mapper.

6. Assign Users to the Application in Okta

Users must be assigned to the Okta application to use SSO.

  1. In Okta, go to Applications > Applications and select your Observo SAML app.

  2. Go to the Assignments tab.

  3. Click Assign and select Assign to People or Assign to Groups.

  4. Assign the appropriate users or groups and click Done.

7. Create SSO Object in Observo

Observo UI needs to know about the domains name for which it will use SSO.

  1. Log in Observo UI and go to Settings > SSO

  2. Configure SSO of type SAML and provide the required details

  3. In the Domain Aliases section, provide email domains that will use SSO.

  4. Next page, Configure Role Mapping (Optional)

    • Default User Role: Default role for those users with no explicit role assigned

    • Field Path: realm_access.roles

    • Role Mapping: Map the roles you created in keycloak with Observo roles.

8. Add Role Mapper (Optional)

For using role mapping with Okta groups, follow these steps:

  1. Go to Realm roles in keycloak and create the roles you want to use.

  2. In the okta-saml identity provider, go to Mappers tab.

  3. Click Add mapper → Advanced Role:

    • Name: Groups Role Mapper

    • Sync Mode Override: Force

    • Mapper type: SAML Attribute to Role

    • Attribute Name: groups

    • Attribute Value: Enter the exact Okta group name you want to map (e.g., Observo-Admins)

    • Role: Select the keycloak realm role to assign. If you don't find the role you created, try using Filter by realm roles.

  4. Repeat this step for each group-to-role mapping you need.

9. Test the Integration

Once the configuration is complete, test the Okta SAML integration.

  1. Access Observo UI.

  2. Select the Okta SSO option on the login page.

  3. Log in with your Okta credentials.

  4. After successful authentication, you should be redirected back to Observo UI and logged in.

By following these steps, you should have Okta Workforce successfully integrated with Observo On Premise deployment using SAML 2.0.

PreviousOkta Workforce KeycloakNextOneLogin

Last updated

Was this helpful?