Openprise supports Single Sign-On (SSO) using SAML 2.0. This allows most enterprise grade SSO applications such as Okta, OneLogin, Oracle Access Manager, or Ping Federation to integrate and sign onto the Openprise platform. The following configuration sample uses Okta for the SSO integration.
Sample integration with Okta
Each Openprise tenant's system administrators can configure SSO from the navigation menu under Administration > Security Settings > SSO Integration. This page will be referred to as the "Openprise SSO Integration page" throughout this sample integration.
In the SSO Integration screen, the left-hand side are all the Openprise details that we will need to configure integration to Okta. With the screen open, open the Okta administration dashboard and use the "Add application" link to start adding Openprise as a SSO service provider.
Use the "Create New App" button to begin the process.
Choose "Web" for the platform type and "SAML 2.0" as the sign-on method then click on "Create".
Enter an App name such as "Openprise Platform" in the General Settings page then click on "Next".
In the Configure SAML tab, copy the "Assertion consumer service URL" from the Openprise SSO Integration page and paste the value into the "Single sign on URL" field. Similarly, copy the "Entity ID" from the Openprise SSO Integration page and paste its value into the "Audience URI (SP Entity ID)" field.
If you would like to enable Single Logout with Openprise, then click on "Show Advanced Settings" and check the "Enable Single Logout" checkbox. Also, copy the "Single logout URL" from the Openprise SSO Integration page and paste its value into the "Single Logout URL" field.
If you are enabling the Single Logout functionality, you must also provide the Signature Certificate. This should come from your organization's SSO administrator. In the sample, we are using the "Okta certificate" which can be downloaded from the same Okta configuration page.
Next, under the "Attribute Statements (Optional)" section, configure these 3 attribute statements with their corresponding values. Note that your values may differ from this sample depending on your organization's user configuration within Okta. After adding those 3 attribute statements, click on "Next".
In the "Feedback" section, simply select "I'm an Okta customer adding an internal app" and click on "Finish".
In the next page, click on the "View Setup Instructions" button. This concludes the Okta part of the SSO integration and this next Okta page provides the integration details necessary to configure Openprise to work with Okta. This page will be referred to as the "Okta SSO integration page".
This is our sample Okta SSO integration page.
Now, copy the value of "Identity Provider Single Sign-On URL" from the Okta SSO integration page and paste its value into the "Single Sign-On URL" field in the Openprise SSO integration page. Similarly, do the same with the value of "Identity Provider Issuer" from Okta and the "Issuer" field in Openprise.
Then copy the value of "X.509 Certificate" from Okta and paste it into the "X.509 Certificate" field in Openprise. Note to include the begin and end markers as well.
Click on "Save" in the Openprise SSO integration page. Openprise will validate the SSO integration during the save.
After saving is successful, if you are enabling Single logout, then you have the opportunity to enter the "Single logout URL" in Openprise by copying the value from "Identity Provider Single Logout URL" in Okta. Click on "Save" again afterwards to save the single logout details.
After saving all the configurations, you have to enable the SSO integration. Click on the "Disabled" toggle button to "Enable" the integration. Please note that once enabled, all user logins will have to go through Okta.
The only exception is for System Administrators, who can also login from the "Backdoor login URL". This is to ensure that there is still a way to administer Openprise when SSO integration fails or SSO integration details change. This "Backdoor login URL" is noted in the Openprise SSO integration page under "Service Provider Details". It is recommended that all Openprise System Administrators that enable SSO integration for their tenant save and bookmark this URL. If SSO integration should fail, System Administrators can use their Openprise username / password to get back into Openprise and fix the SSO integration details or disable SSO integration.
Tips: Integration with OneLogin
In general, configuration with OneLogin is similar to Okta's configuration, but some terminology and requirements are different. Here are some specific OneLogin configurations that are required for SAML SSO to work with Openprise.
- In OneLogin's app configuration, make sure the "Recipient" field is configured to the Openprise "Assertion consumer service URL".
- In OneLogin's app configuration, make sure the "SAML signature element" is configured to "Both" as Openprise requires both the assertion and response to be signed.
- In OneLogin's app configuration, make sure that "Encrypt assertion" is unchecked.
- In OneLogin's app parameters, make sure a custom field named "email" is configured against the value "Email", "firstName" is configured against value "First Name" and "lastName" is configured against value "Last Name".
- In OneLogin's app SSO, make sure "SAML Signature Algorithm" is configured to "SHA-256".