This is an old version of this page (version 2).

MCS from version 1.3.0



Create SAML Configuration Application in Okta

Why is SAML Configuration Required in Okta?

Configuring SAML in Okta establishes the trust relationship between Okta (the identity provider) and MCS (the service provider), so that MCS can delegate user authentication to Okta.

In Okta, you create an application that gives MCS the endpoint to send users to and the certificate with which Okta signs its SAML responses. When a user signs in, MCS redirects the browser to Okta, and Okta returns a signed assertion carrying the user's identity and group; MCS verifies the signature with that certificate before accepting the user.

Okta is your organization's own identity provider. Unlike a public provider such as Google, its users exist only in your Okta tenant, so they must be authenticated there. Without this configuration, MCS cannot identify or authenticate users via Okta.

By setting up SAML in Okta, you ensure that only users your organization has authorized in Okta can access MCS, and IT administrators keep control of that access through Okta's private identity system.

Sign In to Okta

To configure SAML in Okta, you need to sign in:

  1. Go to the Okta website.

  2. Create an account if you don’t have one. Follow Okta’s instructions on their website.

  3. Log in to your Okta account. Follow Okta’s instructions for signing in.


Steps to Create the SAML Configuration Application in Okta

  1. Sign in to your Okta account.

  2. Navigate to Applications → Applications in the left sidebar.

  3. Click the Create App Integration button.

  4. Select SAML 2.0 and click Next.

  5. Provide an App Name and click Next.

  6. Configure the SAML settings in the Configure SAML tab:

    • Single Sign-On URL: Enter the MCS Login URL Route prefixed with https://{MCS IP}/, where {MCS IP} is the address or hostname at which users' browsers reach MCS. Okta's signed response is delivered to this URL by the user's browser, so it must be reachable from there and use https.
      Example:

      https://{MCS IP}/api/5.0/auth/saml/login/callback
    • Audience URI (SP Entity ID): Enter a unique ID. (This must match the Entity ID in MCS).

    • Name ID Format: Select Persistent.


  7. Fill in the Feedback tab:

    • In the App Type field, enable This is an internal app that we have created.

  8. Click Finish.


Create Groups and Users in the SAML Configuration Application

Why Are Groups Important?

When a user logs in via Okta, MCS does not know the user directly; the user's role in MCS is determined by the Okta group that the application sends with the SAML assertion. Each user must belong to exactly one of the groups sent to MCS, and that group corresponds to exactly one role in MCS. Users without such a group will not be able to access the system.

Steps to Create Groups in Okta

  1. Sign in to your Okta account.

  2. Navigate to Directory → Groups in the left sidebar.

  3. Click Add Group.

  4. Provide a Name and an optional Description for the group.

  5. Refresh the page to view the new group.

  6. Repeat for additional groups if needed.

Note:
One group in Okta corresponds to one role in MCS.


Assign Group Attribute Statements in the SAML Configuration Application

  1. Navigate to Applications → Applications.

  2. Find the SAML Configuration Application you previously created in Okta.

  3. Click the name of your SAML Configuration Application.

  4. Navigate to the General tab in the SAML Configuration Application.

  5. Scroll to the SAML Settings section and click Edit.

  6. The Edit SAML Integration dialog opens on the General Settings tab:

    1. Click Next to get to the Configure SAML tab.

    2. Scroll down in the SAML Settings to the Group Attribute Statements (optional).

    3. Enter group in the Name field. (This must be spelled exactly as "group").

    4. Leave Name Format as Unspecified.

    5. Choose a filter (e.g., Equals or Starts With) and provide the appropriate value based on your group's name.


Example:

  • If using the Equals filter, type the exact group name.

  • If using the Starts With filter, type the group name prefix.

Note:

You cannot click Add Another to assign multiple groups because, in version 1.3.0, MCS expects exactly one group attribute statement with the name group, and Okta allows only a single group attribute statement with that name.

If you use the Equals filter, you can therefore map only one group. To associate multiple groups with MCS for different roles, use a filter such as Starts with and give all of those groups names that share a common prefix. Note that Starts with matches every group whose name begins with the prefix: a user who is in two such groups gets two values and cannot log in (see Important Notes below), and any group created with that prefix becomes a candidate role name, so reserve the prefix for groups that are meant to be MCS roles.

For example, two group attribute statements that are both named group (one per group, each using Equals) is an invalid configuration.

  7. Click Next and finish the configuration.

Important Notes

  1. If a user logs in via SAML, the group name sent by the identity provider must match the role name in MCS.

  2. Users must belong to a group in Okta that the group attribute statement matches in order to log in to MCS; the group's name is assigned as their role in MCS.

  3. A user must not be in more than one group that the filter matches. If several groups are sent to MCS, the role cannot be resolved and the user will not be able to log in.
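The rule described in these notes and in the Group Attribute Statements section above, worked through as an added example (this is not MCS or Okta code and does not show how MCS implements the check): the Okta side emits every group that the filter matches as a value of the SAML attribute named group, and the MCS side accepts the login only if exactly one value arrives and it names an existing role. The group names, role names, NameID and the unsigned assertion are constructed placeholders; Okta's real assertion is signed and carries more elements.

```python
"""Model of the Okta Group Attribute Statement filter and the MCS role rule.

Added example, not MCS or Okta code. Okta emits the groups matching the
filter as values of the SAML attribute named "group"; MCS accepts the login
only when exactly one value arrives and uses it as the role name.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_ATTR = "group"  # the Name of the Group Attribute Statement, spelled exactly so


class RoleResolutionError(Exception):
    """Raised when no single MCS role can be derived from the assertion."""


def okta_group_filter(user_groups, filter_type, filter_value):
    """Groups Okta would put into the 'group' attribute for one user (Equals / Starts with)."""
    if filter_type == "Equals":
        return [g for g in user_groups if g == filter_value]
    if filter_type == "Starts with":
        return [g for g in user_groups if g.startswith(filter_value)]
    raise ValueError(f"unsupported filter type: {filter_type!r}")


def build_assertion(name_id, group_values):
    """Constructed, unsigned assertion with just the elements this example needs."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_values)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        "<saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
        f"{name_id}</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{GROUP_ATTR}" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
        f"{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


def resolve_role(assertion_xml, mcs_roles):
    """Apply the rule on this page: exactly one 'group' value, naming an existing MCS role."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") == GROUP_ATTR:
            values.extend(v.text or "" for v in attr.findall("saml:AttributeValue", ns))
    if not values:
        raise RoleResolutionError("no 'group' value: user is in no group matched by the filter")
    if len(values) > 1:
        raise RoleResolutionError(f"role cannot be resolved, {len(values)} groups matched: {values}")
    if values[0] not in mcs_roles:
        raise RoleResolutionError(f"group {values[0]!r} does not match any MCS role name")
    return values[0]


def login_outcome(user_groups, filter_type, filter_value, mcs_roles):
    """Okta filter -> assertion -> MCS decision: ('ok', role) or ('denied', reason)."""
    emitted = okta_group_filter(user_groups, filter_type, filter_value)
    assertion = build_assertion("user-1234", emitted)  # constructed NameID
    try:
        return "ok", resolve_role(assertion, mcs_roles)
    except RoleResolutionError as e:
        return "denied", str(e)


if __name__ == "__main__":
    roles = {"MCS-Admin", "MCS-Operator"}  # role names configured in MCS (constructed)
    print(login_outcome(["Everyone", "MCS-Admin"], "Equals", "MCS-Admin", roles))
    print(login_outcome(["Everyone", "MCS-Admin", "MCS-Operator"], "Starts with", "MCS-", roles))
```

Running it shows why Starts with needs care: with the prefix MCS-, a user who is in both MCS-Admin and MCS-Operator is denied, and a user whose only matching group (say MCS-Viewer) has no MCS role of the same name is denied too.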


Assign Users to Groups in Okta

  1. Navigate to Directory → Groups.

  2. Click on a group’s name to open its configuration.

  3. Click Assign People to assign users to the group.

  4. Search for the desired user in the table or use the search bar.

  5. Click on the + (Add) button next to the user’s name.


Assign Groups to the SAML Configuration Application

  1. Navigate to Applications → Applications.

  2. Find the SAML Configuration Application you previously created in Okta.

  3. Click the name of your SAML Configuration Application.

  4. Navigate to the Assignments tab in the SAML Configuration Application.

  5. Click Assign → Assign to Groups.

  6. Assign the relevant groups to the SAML Configuration Application.

  7. Click on Done to save the changes.


Create SAML Configuration in MCS for Okta

Why Is SAML Configuration Required in MCS?

In MCS, you must specify the Entity ID, the Identity Provider URL, and the certificate from the SAML Configuration Application you created in Okta. The Identity Provider URL tells MCS where to send users who choose to sign in via SAML instead of MCS's native authentication, and the certificate is the one Okta signs its SAML responses with: MCS uses it to verify that each response genuinely comes from your Okta application and rejects responses signed with any other key. If you ever rotate the signing certificate in Okta, update it in MCS as well, or SAML logins will fail.


Steps to Configure SAML in MCS

  1. Sign in to your Okta account.

  2. Navigate to Applications → Applications.

  3. Find the SAML Configuration Application you previously created in Okta.

  4. Click the name of your SAML Configuration Application.

  5. Go to the Sign On tab at the top of the page.

  6. Click the View SAML Setup Instructions button on the right side of the page, located under SAML Setup.

  7. Copy the Identity Provider Single Sign-On URL field for later use.

  8. Copy the X.509 Certificate field for later use. (Use the value between BEGIN CERTIFICATE and END CERTIFICATE).

  9. Log in to MCS.

  10. Click on the menu icon; a display of all the available widgets opens.

  11. Navigate to Management → Identity Providers.

  12. Fill in the required fields:

    • Entity ID / Issuer: Use the Audience URI (SP Entity ID) value you configured when setting up the SAML Configuration Application in Okta. This is the identifier you chose for MCS, not the Identity Provider Issuer shown on the SAML setup instructions page.

    • Entrypoint / IDP URL: Paste the Identity Provider Single Sign-On URL field you copied in step 7.

    • Certificate: Paste the X.509 Certificate field you copied in step 8.

  13. Click Save to complete the configuration.

Where Can I Locate the Audience URI (SP Entity ID) in Okta, Corresponding to the Entity ID / Issuer in MCS?

  1. Access your SAML Configuration Application as described above.

  2. Go to the General tab at the top of the page.

  3. Scroll to the SAML Settings section.

  4. The value shown as Audience Restriction is the Audience URI (SP Entity ID); enter it in the MCS Entity ID / Issuer field.
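A consistency check for the values carried across in steps 6 to 12 above, as an added example that is not MCS code: it normalises a pasted certificate to the base64 body between BEGIN CERTIFICATE and END CERTIFICATE, checks that the body decodes to a DER certificate structure, and checks that the Okta Single Sign-On URL and Audience URI agree with the MCS Entity ID / Issuer and Entrypoint. The MCS address, Okta URL, Entity ID and certificate body are constructed placeholders; the certificate body is a minimal DER skeleton rather than a real certificate.

```python
"""Consistency check for the values carried between Okta and MCS.

Added example, not MCS or Okta code. It applies the rules stated on this page:
the Okta Single Sign-On URL is https://{MCS IP} plus the MCS callback route,
the Audience URI in Okta equals the Entity ID / Issuer in MCS, the Entrypoint
is an https URL, and the certificate pasted into MCS is the base64 body between
the BEGIN CERTIFICATE and END CERTIFICATE lines. All sample values are
constructed placeholders; the certificate body is a minimal DER skeleton, not a
real certificate.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

ACS_ROUTE = "/api/5.0/auth/saml/login/callback"  # MCS Login URL Route used in step 6


def _der_header(der, offset):
    """Return (tag, content_start, content_length) for the DER element at offset."""
    tag = der[offset]
    first = der[offset + 1]
    if first < 0x80:  # short-form length
        return tag, offset + 2, first
    n = first & 0x7F  # long-form: n length bytes follow
    length = int.from_bytes(der[offset + 2:offset + 2 + n], "big")
    return tag, offset + 2 + n, length


def normalize_certificate(pasted):
    """Return the base64 body MCS expects; raise ValueError if it cannot be a certificate."""
    lines = [ln.strip() for ln in pasted.strip().splitlines()]
    body = re.sub(r"\s+", "", "".join(ln for ln in lines if not ln.startswith("-----")))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as e:
        raise ValueError(f"certificate is not valid base64: {e}") from None
    if len(der) < 4:
        raise ValueError("certificate body is too short to be a DER structure")
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }: the outer element
    # must be a SEQUENCE (tag 0x30) spanning the whole body, and its first child
    # must be a SEQUENCE too.
    tag, start, length = _der_header(der, 0)
    if tag != 0x30 or length == 0 or start + length != len(der) or der[start] != 0x30:
        raise ValueError("decoded bytes are not a DER certificate; wrong field pasted?")
    return body


def check_saml_pair(okta_app, mcs_idp):
    """Return the list of mismatches between the Okta app and the MCS identity provider entry."""
    problems = []
    sso = urlparse(okta_app["single_sign_on_url"])
    if sso.scheme != "https" or sso.path != ACS_ROUTE:
        problems.append(
            f"Single Sign-On URL must be https://{{MCS IP}}{ACS_ROUTE}, "
            f"got {okta_app['single_sign_on_url']}"
        )
    if okta_app["audience_uri"] != mcs_idp["entity_id"]:
        problems.append("Audience URI (SP Entity ID) in Okta must equal Entity ID / Issuer in MCS")
    if urlparse(mcs_idp["entrypoint"]).scheme != "https":
        problems.append("Entrypoint / IDP URL must be an https URL")
    try:
        normalize_certificate(mcs_idp["certificate"])
    except ValueError as e:
        problems.append(f"Certificate: {e}")
    return problems


# Constructed sample values (placeholders, not real endpoints or a real certificate).
OKTA_APP = {  # what was entered in the Okta Configure SAML tab
    "single_sign_on_url": "https://203.0.113.10/api/5.0/auth/saml/login/callback",
    "audience_uri": "urn:mcs:sp",
}
MCS_IDP = {  # what is entered in MCS under Management -> Identity Providers
    "entity_id": "urn:mcs:sp",
    "entrypoint": "https://example.okta.com/app/example/sso/saml",
    "certificate": "-----BEGIN CERTIFICATE-----\nMAUwAwIB\nAQ==\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    print(check_saml_pair(OKTA_APP, MCS_IDP) or "Okta and MCS settings agree")
```

The DER check only confirms the outer shape of a certificate; it catches the common mistakes (pasting the wrong field, keeping the BEGIN/END lines, stray line breaks) but does not validate the certificate itself. To be sure you copied the current signing certificate, compare the value against what Okta shows under View SAML Setup Instructions.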

You and your users can now log in to MCS using Okta via SAML, in addition to the basic login method.