How to Create SAML Configuration in Okta

MCS from version 1.3.0

Create SAML Configuration Application in Okta

Configuring SAML in Okta establishes the connection between Okta and MCS, allowing secure authentication.

In Okta, you need to create an application that provides MCS with the necessary endpoints and certificates for secure communication. This enables MCS to request user details from Okta for successful authentication.

Okta manages users privately within the organization, unlike public providers like Google. This means users must be authenticated through the organization’s private Okta instance. Without this configuration, MCS cannot identify or authenticate users via Okta.

By setting up SAML in Okta, you ensure that only authorized users within your organization can access MCS. This setup allows IT administrators to control access through Okta’s private identity system, ensuring security and user privacy.

Sign In to Okta

To configure SAML in Okta, you need to sign in:

Go to the Okta website.
Create an account if you don’t have one.
- Follow Okta’s instructions on their website.
Log in to your Okta account.
- Follow Okta’s instructions for signing in.

Steps to Create the SAML Configuration Application in Okta

Sign in to your Okta account.
Navigate to Applications → Applications in the left sidebar.
Click the Create App Integration button.
Select SAML 2.0 and click Next.
Provide an App Name.
Click Next.
Configure the SAML settings in the Configure SAML tab:
- Single Sign-On URL: Enter the MCS Login URL Route prefixed with https://{Your_MCS_IP}/.
  Example:
  https://{Your_MCS_IP}/api/5.0/auth/saml/login/callback

Note:

In the link above, replace {Your_MCS_IP} with the actual IP address of your MCS.

- Audience URI (SP Entity ID): Enter a unique ID. (This must match the Entity ID in MCS).
- Name ID Format: Select Persistent.

Scroll down and click Next.
Fill in the Feedback tab:
- In the App Type field, enable This is an internal app that we have created.
Click Finish.

Create Groups and Users in the SAML Configuration Application

Why Are Groups Important?

Users who need access to MCS must have a role defined in MCS and belong to a corresponding group in Okta (associated with the SAML Configuration Application) with the same name.

When users log in via Okta, MCS does not store their credentials or role information, as the login occurs through Okta. To bridge this, Okta sends the group name to MCS during the login process. MCS matches the group name to a role with the same name, granting the appropriate permissions based on the group-to-role mapping.

Each user must belong to exactly one group in Okta, which corresponds to one role in MCS. Users without a role or assigned to multiple groups will not be able to log in, as their role cannot be resolved.

Steps to Create Groups in Okta

Sign in to your Okta account.
Navigate to Directory → Groups in the left sidebar.
Click Add Group.
Provide a Name and an optional Description for the group.
Refresh the page to view the new group.
Repeat for additional groups if needed.

Note:
For each role you need in MCS, you must create a corresponding group in Okta. Each corresponding group in Okta should be associated with the SAML Configuration Application. In other words, create one group in Okta for every role you plan to use in MCS.

Assign Group Attribute Statements in the SAML Configuration Application

Navigate to Applications → Applications.
Find the SAML Configuration Application you previously created in Okta.
Click the name of your SAML Configuration Application.
Navigate to the General tab in the SAML Configuration Application.
Scroll to the SAML Settings section and click Edit.
In the Edit SAML Integration, in the General Settings tab:
1. Click on the Next button to get to the Configure SAML tab.
2. Scroll down in the SAML Settings to the Group Attribute Statements (optional).
3. Enter group in the Name field. (This must be spelled exactly as "group").
4. Leave Name Format as Unspecified.
5. Choose a filter (e.g., Equals or Starts With) and provide the appropriate value based on your group's name.
6. Enter the name of the group you created in Okta, based on the filter you selected in the previous step.

Example of the Filter field:

If using the Equals filter, type the exact group name.
If using the Starts With filter, type the group name prefix.

Scroll down and click Next.
Fill in the Feedback tab:
- In the App Type field, enable This is an internal app that we have created.
Click Finish.

Assign Users to Groups in Okta

Navigate to Directory → Groups.
Click on a group’s name to open its configuration.
Click Assign People to assign users to the group.
Search for the desired user in the table or use the search bar.
Click on the + (Add) button next to the user’s name.

Assign Groups to the SAML Configuration Application

Navigate to Applications → Applications.
Find the SAML Configuration Application you previously created in Okta.
Click the name of your SAML Configuration Application.
Navigate to the Assignments tab in the SAML Configuration Application.
Click Assign → Assign to Groups.
Assign the relevant groups to the SAML Configuration Application.
Click on Done to save the changes.

Create SAML Configuration in MCS for Okta

In MCS, you must specify the Entity ID, Identity Provider URL, and certificate from the SAML Configuration Application you created in Okta. This ensures that MCS knows where to direct user authentication requests when a user chooses to sign in via SAML instead of MCS's native authentication system.

Steps to Configure SAML in MCS

Sign in to your Okta account.
Navigate to Applications → Applications.
Find the SAML Configuration Application you previously created in Okta.
Click the name of your SAML Configuration Application.
Go to the Sign On tab at the top of the page.
Click the View SAML Setup Instructions button on the right side of the page, located under SAML Setup.
Copy the Identity Provider Single Sign-On URL field for later use.
Copy the X.509 Certificate field for later use. (Use the value between BEGIN CERTIFICATE and END CERTIFICATE).
Log in to MCS.
Click on the menu icon.
- A display of all the available widgets will open.
Navigate to Management → Identity Providers.
Fill in the required fields:
- Entity ID / Issuer: Use the Audience URI (SP Entity ID) field you configured when setting up the SAML Configuration Application in Okta.
- Entrypoint / IDP URL: Paste the Identity Provider Single Sign-On URL field you copied in step 7.
- Certificate: Paste the X.509 Certificate field you copied in step 8.
Click Save to complete the configuration.

Access your SAML Configuration Application as described above.
Go to the General tab at the top of the page.
Scroll to the SAML Settings section.
The Entity ID corresponds to the value of the Audience Restriction.

You and your users can now log in to MCS using Okta via SAML, in addition to the basic login method.

Create a Role in MCS

When creating a group in Okta (associated with the SAML Configuration Application), you must also create a corresponding role with the same name (label) in MCS. Users who require access to MCS must have a role defined in MCS and belong to a group in Okta with the same name.

This setup is crucial because when a user logs into MCS via Okta, MCS does not have access to the user's credentials or role information. Since the login occurs through Okta and not directly through MCS, the user's data is not stored in MCS.

To resolve this, Okta sends the group information to MCS during the login process. MCS then uses the group name sent by Okta to identify the associated role within MCS that has the same name (label) as the group's name. This ensures the user is granted the correct permissions based on their role in MCS, as determined by the group-to-role mapping.

Create one role in MCS for each group you created in Okta and associated with the SAML Configuration Application:

Ensure that the role has the same name (label) as the group.
Refer to the guide How to Create a New Role to create each role.

TAG Video System