Active Roles can be integrated with Okta to complement and extend identity and access management. For more information about Okta, see https://www.okta.com/.
Okta is a cloud-based identity service offering identity, authentication, and access control functions as a service. To support functions such as Single Sign-on (SSO) and Multi-Factor Authentication (MFA), Active Roles integrates with the Okta identity management service through Federated Authentication. This enables you to leverage an additional out-of-band factor (typically through the user’s registered smartphone) when authenticating the user. The additional factor is processed in-line with the connection, so users do not have to switch to an external application to process the additional factor. This results in a seamless and efficient user experience that is readily accepted by the users. Okta supports a broad range of authentication methods, including software, hardware, and mobile-based solutions.
By enabling this integration with Okta, Active Roles can use your users' Okta accounts to authenticate them when accessing the Active Roles Web Interface. To enable this functionality with Active Roles, you need to configure it using the Federated Authentication login method in the Active Roles Configuration Center. The MFA functionality is an additional configuration that you need to perform in the Okta Admin Console.
From version 7.5.2, Active Roles can be integrated with Okta, a cloud-based identity service offering identity, authentication, and access control functions as a service to complement and extend identity and access management.
To configure the Active Roles application in Okta, follow these steps.
To configure the Active Roles application in Okta
-
Log into the Okta Admin Console.
-
Navigate to Applications > Applications.
-
Click Browse App Catalog.
-
Search for and select Template WS-Fed.
-
Click Add.
-
Enter and set the following:
-
Application label: Enter a label for the Okta application.
-
Web Application URL: Enter the URL for the Active Roles Web Interface, for example, https://localhost/arwebadmin.
-
ReplyTo URL: Enter the same URL that you entered as the Web Application URL value.
-
Name ID Format: Enter Persistent.
-
Audience Restriction: Temporarily enter the same value that you entered as the Web Application URL value. This will be updated.
-
Custom Attribute Statements: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email|${user.email}|.
-
Click Done.
-
Click General.
-
Copy the value from Realm.
-
Click Edit.
-
Paste the Realm value as the Audience Restriction value.
-
Click Save.
-
Click Sign On.
-
To open a new tab with information needed to configure WS-Federation in Configuring Okta in the Active Roles Configuration Center, click View Setup Instructions.
NOTE: In Okta, the Active Roles application must be assigned to users so that they can be used for logging in.
From version 7.5.2, Active Roles can be integrated with Okta, a cloud-based identity service offering identity, authentication, and access control functions as a service to complement and extend identity and access management.
To configure Okta in the Active Roles Configuration Center, follow these steps.
To configure Okta in the Active Roles Configuration Center
-
In the Active Roles Configuration Center, navigate to Web Interface > Authentication.
-
In the Site authentication settings window, select the Federated tab.
-
In the Identity provider configuration tab that you opened in Step 14 of Configuring the Active Roles application in Okta, configure the settings of the identity provider.
-
From Identity provider, select Custom.
-
In Okta Setup Instructions, copy the Public Link URL.
-
In the Active Roles Configuration Center, paste it into the Federated metadata URL.
-
To validate the metadata, click Test metadata.
-
To close the prompt about opening the XML file in a web browser, click No.
-
In the Okta Setup Instructions tab that you opened in Step 14 of Configuring the Active Roles application in Okta, copy the Realm (APP ID URL) value.
-
In the Active Roles Configuration Center, paste the Realm (APP ID URL) value as the Realm value.
-
In Reply URL, enter the same value that you entered as the Web Application URL value in Step 6 of Configuring the Active Roles application in Okta.
-
In Claim editor, click Add to open the Add claim window, and enter or select the following.
-
Claim Type: Based on the values of the local AD objects, select UPN or EMAIL.
NOTE: The UPN or the email address of the local AD objects must match the email value of the Okta objects.
-
Claim value: Select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email.
-
Display name: Enter the display name in user.email format.
-
Description: Enter any description (this is typically the value the user logged in with).
-
Click Save.
-
Click Domain user login credentials.
-
To access the local domain, enter the Username in domain/username format, and the Password.
-
Click Modify.