How to Configure SAML on Okta
This document explains how to integrate the Okta identity provider with the platform over SAML so that you can log in to the platform with your Okta account.
Okta Settings
Please follow the steps below to set up SAML settings correctly on the Okta side.
Log in to Okta with a privileged account that can create applications.
Go to the Applications > Applications menu from the main dashboard.
Click on Create App Integration, select SAML 2.0, and then click the Next button.
Enter the App Name and click Next.
Enter the following information and click Next.
Single sign-on URL: https://api.keepnetlabs.com/api/saml/assertion
Audience URI (SP Entity ID): KeepnetLabs
Name ID format: EmailAddress
Application username: Email
Select the App Type as Internal App and click Finish.
Click the View SAML setup instructions button on the right side of the opened page.
Copy the following information to your notepad and download the certificate.
Identity Provider Single Sign-On URL:
Identity Provider Issuer:
X.509 Certificate:
Please go to your Application settings and then the Assignments menu. Add the users here who will log in to the Keepnet platform over SAML.
That's it for Okta settings. Now, we need to do the rest of the SAML settings on the Keepnet platform.
Platform Settings
Follow the steps below to fill out the required SAML fields on the platform side.
Log in to the platform with a privileged user who can access SAML settings.
From the left menu, under Company heading, click on Company Settings > SAML Settings.
Click on the “Create your first SAML configuration” button in the middle of the page.
Then, fill in the following details when the "New SAML Configuration" field is opened.
SAML Name: Enter a name for the SAML setting.
Allowed Domains: Enter the domain name that the admin will be using to log in to the platform. The platform will recognize the user with the domain and redirect to the SSO authentication.
Issuer URL of the IdP: Enter the "Identity Provider Issuer" address that you noted from the Okta SAML instructions page.
IdP SSO URL: Enter the "Identity Provider Single Sign-On URL" address that you noted from the Okta SAML instructions page.
Upload Certificate: Upload the Okta SAML certificate.
Default Role: Assign a default role to the users who will log in to the platform. If this option is not enabled, the user must have the ‘spRole’ attribute configured in Okta with the correct system role name to log in to the platform.
How to Test SAML Configuration
Check whether the configuration works or not by following the steps below.
Make sure the system admin who will log in to the platform over SAML is created in the platform under the Company > System Users page.
Go to the platform login page.
Enter the email address. The email domain must be the one that is defined in the SAML settings.
The platform will redirect you to the Okta SSO page to authenticate.
You have now successfully logged in to the platform.
How to Assign Custom System User Roles on Okta over SAML
This section explains how to pass a role value from Okta to Keepnet Platform using a SAML attribute, so specific system users can sign in with custom roles, while everyone else keeps the default role.
Okta Settings
Follow the steps below to add a role attribute to Okta users, then send it to Keepnet in the SAML assertion.
1) Create a custom user attribute in Okta
Log in to the Okta Admin Dashboard.
Go to Directory, then Profile Editor.
Open the User default profile, identify where you want the attribute, and click Add Attribute.
Fill in the attribute details:
Data Type: String
Display name: Keepnet Role
Variable name: KeepnetRoleName
Optionally, to get a dropdown, define enum values that exactly match the role names in Keepnet Platform.
Click Save.
2) Add the role attribute to the Keepnet SAML application
Go to Applications, then Applications.
Open the SAML application you created for Keepnet Platform.
Go to General, click Edit in the SAML Settings section.
In the Configure SAML step, find Attribute Statements.
Add an attribute statement:
Name: spRole
Value: user.KeepnetRoleName
Click Next, then Finish.
If you used a different variable name than KeepnetRoleName, use that in the Value field, for example user.yourAttributeName.
3) Set role values for specific users in Okta
Find the Okta user profile for each user.
Set the Keepnet Role attribute (variable name KeepnetRoleName) to the target Keepnet role name.
Platform Settings
Log in to Keepnet Platform with a privileged user who can access SAML settings.
Go to Company, then Company Settings, then SAML Settings.
Set Default Role to Company Admin, so admins without spRole still get the usual role.
Make sure the system users exist under Company, then System Users, using the same emails they will use through SSO.
Keepnet behaviour to rely on:
System Users without spRole use the Default Role when authenticated over SAML.
To log in without a default role, the user must have spRole configured with the correct custom role name.
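The following added example (not code from Keepnet or Okta) shows, on the service-provider side, how the spRole attribute statement from step 2 and the default-role behaviour above fit together: it checks the assertion's Issuer and Audience against the configured values, enforces the Allowed Domains rule on the email NameID, and resolves the role from spRole with a fallback to the Default Role. The sample assertion, the issuer URL and the allowed domain are constructed placeholders, and the code assumes the assertion's XML signature was already verified with the uploaded Okta certificate.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Audience URI from the Okta app settings on this page; issuer and domain are placeholders
EXPECTED_AUDIENCE = "KeepnetLabs"
EXPECTED_ISSUER = "http://www.okta.com/EXAMPLE_ISSUER_ID"  # constructed placeholder
ALLOWED_DOMAINS = {"example.com"}  # constructed placeholder for "Allowed Domains"

# Constructed sample assertion shaped like one Okta sends after the spRole statement is added
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER_ID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>KeepnetLabs</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="spRole"><saml:AttributeValue>Company Admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_login(assertion_xml, default_role=None):
    """Return (email, role) for a signature-verified assertion, or raise ValueError.

    Assumption: the caller has already verified the XML signature against the
    uploaded IdP certificate; attributes from an unverified assertion must not be trusted.
    """
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise ValueError("issuer does not match the configured IdP issuer")
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        raise ValueError("audience does not match the SP entity ID")
    email = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if email.rpartition("@")[2].lower() not in ALLOWED_DOMAINS:
        raise ValueError("email domain is not in Allowed Domains")
    role = None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        if attr.get("Name") == "spRole":  # attribute statement name from the Okta app
            role = attr.findtext("saml:AttributeValue", namespaces=NS)
    role = role or default_role  # fall back to the platform's Default Role
    if not role:
        raise ValueError("no spRole attribute and no Default Role configured")
    return email, role
```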