SAML Integration
Introduction
In Userful Infinity, SAML integration can be done through Okta, an identity and access management (IAM) service. You need to configure the SAML settings in Okta before you enable the integration in Userful Infinity.
SAML Configuration for failover setups
If you have a fail-over setup, you should create SAML configurations separately for your primary and secondary servers.
The SAML connection is tied to the hostname of the Infinity platform server: the URLs you enter on the identity provider (Okta) side point at the Keycloak service running on that host, so each configuration on the SAML server is specific to one Keycloak hostname.
A fail-over setup uses different hostnames for the primary and secondary servers. Therefore you will have to set up two separate configurations on your SAML server, one per Keycloak hostname.
Configure SAML Settings in Okta
To configure SAML in Okta, you need to specify SAML settings and create a token.
Log in to your Okta admin account.
Navigate to Applications in the left pane.
Click Applications from the drop-down.
Click Create App Integration. A window appears.
Select the SAML 2.0 as the sign-in method and click Next.
Under General Settings, enter the name of your app, upload the logo and click Next.
Under Configure SAML enter the SAML settings details as mentioned below:
Single sign-on URL: In the URL format below, replace server_url_with_port with the hostname and port of your Infinity server (Example: testnet34:9098) and SAML_Integration_Name with the name of your integration.
Note that the same integration name will be used for configuration in the Userful Infinity platform as well.
http://server_url_with_port/auth/realms/userful/broker/SAML_Integration_Name/endpoint (Example URL: http://testnet34:9098/auth/realms/userful/broker/samlTest/endpoint)
Use the scheme (http or https), hostname and port that browsers actually use to reach the Infinity server; Keycloak rejects a SAML response whose Destination does not match its own endpoint URL exactly.
Note: The checkbox saying “Use this for Recipient URL and Destination URL” should be enabled.
Audience URI (SP Entity ID)
This is the Service Provider's entity ID. Keycloak, the SAML client built into Userful Infinity, is the service provider, so its realm URL is entered here.
In the URL below, add the correct value of server_url_with_port (Example: testnet34:9098)
http://server_url_with_port/auth/realms/userful (Example URL: http://testnet34:9098/auth/realms/userful)
Default RelayState: You can leave this blank.
Name ID format: Select EmailAddress.
Application username: Select Email.
Update application username on: Select Create and Update.
Attribute Statements: Although Okta marks this section as optional, it is mandatory for integration with Userful Infinity. Create the three attributes below.
Name | Name format | Value |
---|---|---|
email | Unspecified | user.email |
firstName | Unspecified | user.firstName |
lastName | Unspecified | user.lastName |
Group Attribute Statements: This is not required.
Click Preview the SAML Assertion.
Click Next.
In the Feedback section, select I'm an Okta customer adding an internal app.
Click Finish.
Click the Assignments tab.
Click the Assign dropdown. You will see two options: Assign to People and Assign to Groups. These options grant access to SSO login once the configuration is complete in both Okta and Userful Infinity. Select the option you want. A window appears.
Click Assign.
Click Done. The Assignments tab should now display your selection.
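The two URL patterns above are easy to get slightly wrong (scheme, port, or alias), and Keycloak will silently reject a response whose Destination, Recipient or Audience does not match. The script below is an added example written for this page, not Userful, Okta or Keycloak code: it derives the Okta-side values from server_url_with_port and SAML_Integration_Name, produces both sets for a fail-over pair, and checks a SAML response (for instance the XML shown by "Preview the SAML Assertion") for the fields this guide asks you to set. The sample response, the hostnames testnet34:9098 and testnet35:9098, and the Issuer value are constructed for the example. It checks configuration only; signature and timestamp validation is Keycloak's job.

```python
"""Derive the Okta-side SAML values for a Userful Infinity (Keycloak) server and
check a SAML response against them. Added example, not project code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"email", "firstName", "lastName"}  # the three attribute statements


def keycloak_sp_values(server_url_with_port, alias, scheme="http"):
    """Okta-side values for one Infinity server, following the guide's URL patterns."""
    realm = f"{scheme}://{server_url_with_port}/auth/realms/userful"
    return {
        "sso_url": f"{realm}/broker/{alias}/endpoint",  # Single sign-on / Recipient / Destination URL
        "audience": realm,                              # Audience URI (SP Entity ID)
    }


def failover_values(primary, secondary, alias, scheme="http"):
    """A fail-over pair needs one Okta app per hostname, so compute both sets."""
    return {host: keycloak_sp_values(host, alias, scheme) for host in (primary, secondary)}


def check_response(xml_text, expected):
    """Return a list of mismatches; an empty list means Destination, Recipient,
    Audience, NameID format and the required attributes all match the SP values."""
    problems = []
    root = ET.fromstring(xml_text)  # input is a preview you pasted, not a live response
    if root.get("Destination") != expected["sso_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != {expected['sso_url']!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["sso_url"]:
        problems.append("Recipient != broker endpoint (tick 'Use this for Recipient URL and Destination URL')")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append(f"Audience {audiences} does not contain {expected['audience']!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID format is not EmailAddress")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if REQUIRED_ATTRS - present:
        problems.append(f"missing attribute statements: {sorted(REQUIRED_ATTRS - present)}")
    return problems


# Constructed sample response for this example; Issuer and IDs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="http://testnet34:9098/auth/realms/userful/broker/samlTest/endpoint">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exk-placeholder</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="http://testnet34:9098/auth/realms/userful/broker/samlTest/endpoint"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>http://testnet34:9098/auth/realms/userful</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    expected = keycloak_sp_values("testnet34:9098", "samlTest")
    print(expected)
    print("problems:", check_response(SAMPLE_RESPONSE, expected) or "none")
    for host, vals in failover_values("testnet34:9098", "testnet35:9098", "samlTest").items():
        print(host, vals["sso_url"])
```

Run it once per server in a fail-over pair with the real preview pasted into SAMPLE_RESPONSE; a non-empty problem list tells you which Okta field to correct before you move on to the Userful Infinity side.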
Create token
In your Okta account, click Security in the left pane.
Select API.
Click the Tokens tab.
Click Create Token. A window appears.
Add a name for your token and click Create token. A message appears with the token value.
Copy the token value and store it securely; Okta shows it only at this time. The token carries the permissions of the Okta admin who created it, so treat it like that admin's password.
Click Ok, got it or close the small window.
Configure Userful Infinity
In your Userful Infinity account, navigate to Admin Center > User Management.
Click External authentication in the left pane and select SAML integration.
Fill in the details as below:
a. Alias: Enter the SAML_Integration_Name you used while setting up single sign-on url in Okta. The alias name needs to be unique and should not be used for other SAML integrations.
b. Display Name: Add a Display Name. This will be shown in the login page after setup is complete. For example, “SSO Login with Okta”.
c. For the next three fields, Single Logout URL, IDP Entity ID, and Single Sign-on URL you’ll need to navigate to the app you created in Okta.
In Okta, navigate to Applications > Applications from the left pane.
Click on the App Integration you created.
Click the Sign On tab.
Click More details. You will be able to view the logout URL, sign-on URL and Issuer (the IDP Entity ID).
d. Entity ID (available from version 12.9): This is the SP Entity ID. Because Keycloak is the service provider, enter the same value you used as the Audience URI in the Okta configuration, replacing server_url_with_port with your server's hostname and port (Example: testnet34:9098): http://server_url_with_port/auth/realms/userful (Example URL: http://testnet34:9098/auth/realms/userful)
e. API Key: This is the token you created and copied from Okta. Paste the value here.
Click Finish. Your SAML integration should now be complete.