This document provides an overview of how to set up Single Sign-On using Okta as your authorization server.
This guide has been tested with version 2020.06.2.
Create an Application in Okta
Follow the instructions given in https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta to set up a SAML application in Okta.
Configure an Okta Application
Follow the steps below to configure an Okta application:
Step 1: UI
Switch the view to Classic UI.
Step 2: Configuration
Click on the application that needs to be configured.
Step 3: General
Click Edit on SAML Settings.
Click Next if there are no modifications.
Configure SAML Settings
Edit the fields under GENERAL as mentioned below.
Single sign on URL: https://outscan.outpost24.com/opi/XMLAPI?ACTION=SAMLRESPONSE
Audience URI (SP Entity ID): Okta now requires this field, but Outpost24 does not confirm its value. The same URL as above can be used if there are no other specifications.
- Enable Use this for Recipient URL and Destination URL.
- Go to ATTRIBUTE STATEMENTS (OPTIONAL): Add a field with name uid that returns the username for OUTSCAN. If the username in the application is stored in a field called userName, add appuser.userName as value.
Preview the SAML Assertion
Click on Preview the SAML Assertion button to view the SAML assertion generated from the information above. Click Next.
Provide the information for Okta Support assistance and click Finish.
Step 4: Sign On (Update Metadata)
- Download the metadata from the link Identity Provider metadata and save to a file.
- Open the metadata file in an editor.
- Add <?xml version='1.0' encoding='UTF-8'?> to the beginning of the file.
- Add attribute xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" to the tag <md:EntityDescriptor.
- Add attribute validUntil="YYYY-MM-DDTHH:MM:SS" to the tag <md:EntityDescriptor, and change the attribute value to a valid date.
- validUntil must be set to at least 14 days after the current date.
- Add attribute xmlns:ds="http://www.w3.org/2000/09/xmldsig#" to the tag <ds:KeyInfo.
- Save the metadata.
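The Step 4 edits above applied by script instead of by hand, as an added example (not Outpost24's or Okta's own code). The metadata below is a constructed stand-in for the downloaded file with placeholder entityID and certificate, and the today parameter is an assumption added only so the 14-day rule can be checked deterministically.

```python
"""Apply the Step 4 edits from this guide to an Okta IdP metadata file.
Added example, not Outpost24 or Okta tooling; the sample metadata is constructed."""
import re
from datetime import datetime, timedelta, timezone

XML_DECL = "<?xml version='1.0' encoding='UTF-8'?>"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MIN_DAYS_AHEAD = 14  # the guide requires validUntil at least 14 days ahead

# Constructed stand-in for the downloaded file; entityID and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="http://www.okta.com/EXAMPLE-ENTITY-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def _set_attr(xml, tag, name, value):
    """Set name="value" on the first opening <tag ...>, replacing an existing value."""
    m = re.search(r"<" + re.escape(tag) + r"(?=[\s>])[^>]*>", xml)
    if m is None:
        raise ValueError(f"opening tag <{tag}> not found in metadata")
    open_tag = m.group(0)
    existing = re.compile(r"\s" + re.escape(name) + r'="[^"]*"')
    if existing.search(open_tag):
        new_tag = existing.sub(lambda _: f' {name}="{value}"', open_tag, count=1)
    else:  # insert right after the tag name so it lands before any other attribute
        new_tag = f'<{tag} {name}="{value}"' + open_tag[len(tag) + 1:]
    return xml[:m.start()] + new_tag + xml[m.end():]

def fix_metadata(xml, valid_until, today=None):
    """Return the metadata with the XML declaration, namespaces and validUntil applied.
    valid_until is 'YYYY-MM-DDTHH:MM:SS'; today ('YYYY-MM-DD') defaults to the UTC date."""
    expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%S").date()
    now = datetime.strptime(today, "%Y-%m-%d").date() if today else datetime.now(timezone.utc).date()
    if expiry < now + timedelta(days=MIN_DAYS_AHEAD):
        raise ValueError(f"validUntil must be at least {MIN_DAYS_AHEAD} days after {now}")
    xml = xml.lstrip()
    if not xml.startswith("<?xml"):
        xml = XML_DECL + "\n" + xml
    xml = _set_attr(xml, "md:EntityDescriptor", "xmlns:md", MD_NS)
    xml = _set_attr(xml, "md:EntityDescriptor", "validUntil", valid_until)
    xml = _set_attr(xml, "ds:KeyInfo", "xmlns:ds", DS_NS)
    return xml
```

Running fix_metadata a second time on its own output only refreshes validUntil and does not duplicate the declaration or namespace attributes, so it is safe to re-run when the expiry date needs renewing.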
Step 5: Assignments
Assign users or groups to the application.
The username must match on both Okta and OUTSCAN/HIAB.
The username cannot be an e-mail address. Use an ordinary username without the @.
The username field in Okta mapped to the OUTSCAN username must not be empty for the Okta users.
Enable the Okta Integration on OUTSCAN
- Log in to OUTSCAN.
- Go to Main Menu > Settings > Integrations > Identity Provider.
- Select the Enabled checkbox.
- Get Metadata from file: Upload the metadata file from Okta by clicking +.
- Click Save and logout.
Test the Integration
- Go to https://outscan.outpost24.com.
- Enter your username.
- Click on Single Sign-On.
- Enter your username and password on the Okta page you have been redirected to.
- Click Sign In.
You will be redirected to OUTSCAN and authenticated.
If you have 2-factor authentication enabled on OUTSCAN, you must provide the second factor before you log in.
© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.