MCS from version 1.3.0

...

Create SAML Configuration Application in Okta

...

  1. Go to the Okta website.

  2. Create an account if you don’t have one.

    • Follow Okta’s instructions on their website.

  3. Log in to your Okta account.

    • Follow Okta’s instructions for signing in.

...

Steps to Create the SAML Configuration Application in Okta

  1. Sign in to your Okta account.

  2. Navigate to Applications → Applications in the left sidebar.

  3. Click the Create App Integration button.

  4. Select SAML 2.0 and click Next.

  5. Provide an App Name.

  6. Click Next.

  7. Configure the SAML settings in the Configure SAML tab:

    • Single Sign-On URL: Enter the MCS Login URL Route prefixed with https://{Your_MCS_IP}/.
      Example:

      https://{Your_MCS_IP}/api/5.0/auth/saml/login/callback

      Note: In the link above, replace {Your_MCS_IP} with the actual IP address of your MCS.

    • Audience URI (SP Entity ID): Enter a unique ID. (This must match the Entity ID in MCS).

    • Name ID Format: Select Persistent.

     

  8. Scroll down and click Next.

  9. Fill in the Feedback tab:

    • In the App Type field, enable This is an internal app that we have created.

  10. Click Finish.

...

Create Groups and Users in the SAML Configuration Application

Why Are Groups Important?

The user's role in MCS is determined by their group in Okta when logging in. Users who need access to MCS must have a role defined in MCS and belong to a corresponding group in Okta (associated with the SAML Configuration Application) with the same name.

When users log in via Okta, MCS does not recognize the user directly: it does not store their credentials or role information, as the login occurs through Okta. To bridge this, Okta sends the group name to MCS during the login process. MCS matches the group name to a role with the same name, granting the appropriate permissions based on the group-to-role mapping.

Each user must belong to exactly one group in Okta, which corresponds to exactly one role in MCS. Users without a group or assigned to multiple groups will not be able to log in, as their role cannot be resolved.

Steps to Create Groups in Okta

  1. Sign in to your Okta account.

  2. Navigate to Directory → Groups in the left sidebar.

  3. Click Add Group.

  4. Provide a Name and an optional Description for the group.

  5. Refresh the page to view the new group.

  6. Repeat for additional groups if needed.

Note:
One group in Okta corresponds to one role. For each role you need in MCS, you must create a corresponding group in Okta. Each corresponding group in Okta should be associated with the SAML Configuration Application. In other words, create one group in Okta for every role you plan to use in MCS.

...

Assign Group Attribute Statements in the SAML Configuration Application

  1. Navigate to Applications → Applications.

  2. Find the SAML Configuration Application you previously created in Okta.

  3. Click the name of your SAML Configuration Application.

  4. Navigate to the General tab in the SAML Configuration Application.

  5. Scroll to the SAML Settings section and click Edit.

  6. In the Edit SAML Integration, in the General Settings tab:

    1. Click on the Next button to get to the Configure SAML tab.

    2. Scroll down in the SAML Settings to the Group Attribute Statements (optional).

    3. Enter group in the Name field. (This must be spelled exactly as "group").

    4. Leave Name Format as Unspecified.

    5. Choose a filter (e.g., Equals or Starts With) and provide the appropriate value based on your group's name.

    6. Enter the name of the group you created in Okta, based on the filter you selected in the previous step.

Note:

In the Filter field, it is recommended to select Starts With and then enter the prefix for all the groups you created in Okta for use with MCS.

Note:
In the Group Attribute Statements, you must use the keyword group exactly in the Name field.

...

Example of the Filter field:

  • If using the Equals filter, type the exact group name.

  • If using the Starts With filter, type the group name prefix.

Note:

You cannot click Add Another to assign multiple groups because, in version 1.3.0, MCS expects only one group attribute statement with the name group, and Okta allows only a single group attribute statement with that name.

If you want to use the Equals filter, you can only configure one group with the group attribute statement named group. To associate multiple groups with MCS for different roles, you must use other filters, such as Starts with, and ensure all your groups have names that share a common prefix.

For example, the following is an invalid configuration:

[Screenshot: example of an invalid configuration]

  7. Click Next and finish the configuration.

Important Notes

  • If a user logs in via SAML, the group name in the Identity Provider must match the role name in MCS.

  • Users must belong to a group in Okta to log in to MCS, with the group's name being assigned as their role in MCS.

  • A user cannot belong to more than one group. If a user is assigned to multiple groups, their role cannot be resolved, and they won’t be able to log in.

     

    1. Scroll down and click Next.

    2. Fill in the Feedback tab:

      • In the App Type field, enable This is an internal app that we have created.

    3. Click Finish.


...

Assign Users to Groups in Okta

...

  1. Navigate to Applications → Applications.

  2. Find the SAML Configuration Application you previously created in Okta.

  3. Click the name of your SAML Configuration Application.

  4. Navigate to the Assignments tab in the SAML Configuration Application.

  5. Click Assign → Assign to Groups.

  6. Assign the relevant groups to the SAML Configuration Application.

  7. Click on Done to save the changes.

...

Steps to Configure SAML in MCS

  1. Sign in to your Okta account.

  2. Navigate to Applications → Applications.

  3. Find the SAML Configuration Application you previously created in Okta.

  4. Click the name of your SAML Configuration Application.

  5. Go to the Sign On tab at the top of the page.

  6. Click the View SAML Setup Instructions button on the right side of the page, located under SAML Setup.

  7. Copy the Identity Provider Single Sign-On URL field for later use.

  8. Copy the X.509 Certificate field for later use. (Use the value between BEGIN CERTIFICATE and END CERTIFICATE).

  9. Log in to MCS.

  10. Click on the menu icon.

    • A display of all the available widgets will open.

  11. Navigate to Management → Identity Providers.

  12. Fill in the required fields:

    • Entity ID / Issuer: Use the Audience URI (SP Entity ID) field you configured when setting up the SAML Configuration Application in Okta.

    • Entrypoint / IDP URL: Paste the Identity Provider Single Sign-On URL field you copied in step 7.

    • Certificate: Paste the X.509 Certificate field you copied in step 8.

  13. Click Save to complete the configuration.

...

  1. You and your users can now log in to MCS using Okta via SAML, in addition to the basic login method.

...

Create a Role in MCS

When creating a group in Okta (associated with the SAML Configuration Application), you must also create a corresponding role with the same name (label) in MCS. Users who require access to MCS must have a role defined in MCS and belong to a group in Okta with the same name.

Why is this important?

This setup is crucial because when a user logs into MCS via Okta, MCS does not have access to the user's credentials or role information. Since the login occurs through Okta and not directly through MCS, the user's data is not stored in MCS.

To resolve this, Okta sends the group information to MCS during the login process. MCS then uses the group name sent by Okta to identify the associated role within MCS that has the same name (label) as the group's name. This ensures the user is granted the correct permissions based on their role in MCS, as determined by the group-to-role mapping.

Create one role in MCS for each group you created in Okta and associated with the SAML Configuration Application:

  • Ensure that the role has the same name (label) as the group.

  • Refer to the guide How to Create a New Role to create each role.
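
The group-to-role rule described above (one attribute named group, exactly one value, value equal to an MCS role label) can be checked offline against a sample assertion before users try to log in. The following Python sketch is an added example, not MCS or Okta code; the role labels, the helper names and the case-sensitive match on the attribute name are assumptions, and the sample assertions are constructed and unsigned.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "group"  # attribute name required in Okta's Group Attribute Statements

def group_values(assertion_xml: str) -> list[str]:
    """Return every non-empty value of the 'group' attribute in the assertion."""
    # Parse only XML you built or captured yourself; no signature is verified here.
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:  # assumed exact, case-sensitive match
            values += [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return [v for v in values if v]

def resolve_role(assertion_xml: str, mcs_roles: set[str]) -> tuple[str | None, str]:
    """Model the documented rule: exactly one group, named like an MCS role."""
    groups = group_values(assertion_xml)
    if not groups:
        return None, "no 'group' attribute: user is in no matching Okta group"
    if len(groups) > 1:
        return None, f"multiple groups {groups}: role cannot be resolved"
    if groups[0] not in mcs_roles:
        return None, f"group {groups[0]!r} has no MCS role with the same name"
    return groups[0], "ok"

def make_assertion(attr_name: str, groups: list[str]) -> str:
    """Build a constructed, unsigned sample assertion (test data only)."""
    vals = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:AttributeStatement><saml:Attribute Name="{attr_name}">{vals}'
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )

MCS_ROLES = {"mcs-admin", "mcs-viewer"}  # hypothetical role labels sharing the prefix "mcs-"

if __name__ == "__main__":
    cases = {
        "one group": make_assertion("group", ["mcs-admin"]),
        "two groups match Starts With": make_assertion("group", ["mcs-admin", "mcs-viewer"]),
        "wrong attribute name": make_assertion("groups", ["mcs-admin"]),
        "group without role": make_assertion("group", ["mcs-auditor"]),
    }
    for label, xml in cases.items():
        print(f"{label:30} -> {resolve_role(xml, MCS_ROLES)}")
```

The second case shows why a shared prefix with the Starts With filter still requires each user to be in only one of the prefixed groups.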

...

How to Login via SAML

How to Create a New Role

Roles

Advanced User Management