Last Updated: 2025-04-10
Purpose
This document provides instructions to set up and configure Okta as an Identity Provider (IdP) for OUTSCAN or HIAB using the Security Assertion Markup Language (SAML) protocol.
Introduction
Okta is an Identity and Access Management (IAM) solution that adds an authentication service to applications across a wide variety of platforms using the Single Sign-On (SSO) authentication scheme. Okta allows connections to any application and lets you define how users sign in. When a user tries to authenticate, Okta verifies their identity and sends the required information back to the application from which the login was initiated (application-initiated authentication).
Okta Configuration
This section describes the steps to configure Okta (IdP) by creating an application in order to integrate with the OUTSCAN or HIAB solution.
Create an application
To create an application:
- Log in to the Okta portal with administrative privileges and then navigate to Applications/Applications in the left menu as shown below:
- Then click the Create App Integration button, which opens a window to create a SAML application integration.
- Select SAML 2.0 and then click the Next button. This opens a new window to create the application.
- Name the application, provide a logo, and click the Next button.
- Once the general settings are entered, continue to the SAML configuration step, where you need to add the OUTSCAN or HIAB URL. Adjust both Single sign on URL and Audience URI (SP Entity ID) by replacing <OUTSCAN/HIAB_FQDN_OR_IP> with the FQDN or IP address of your OUTSCAN or HIAB setup in the following text:
- Single sign on URL
| SAML Settings |
|---|
| |
- Audience URI (SP Entity ID)
| SAML Settings |
|---|
| |
The <customeruuid> must be replaced by the UUID value that matches your account. You can find the customeruuid value in the SP metadata XML file that you downloaded from Outpost24 OUTSCAN/HIAB by clicking the SP Metadata button in the Identity Provider integration window. The XML file contains several URLs with the 'UUID=' pattern; take the value from there. For instance, a valid customer UUID looks like this: 1c428568-91ff-4c40-8537-d0d523b22ed3.
- Your configuration should then look as follows:
- To allow the OUTSCAN or HIAB application to properly identify the identity during the authentication phase, you need to declare the same attribute in both OUTSCAN or HIAB and the Identity Provider (IdP). In Okta, this can be done by adding an attribute as shown below.
Attribute Name considerations
The uid is a reserved name in Outpost24 software to truncate the USERNAME to the part below the @ sign. This means that if you want to use the email address as USERNAME, you cannot use uid as the attribute name, but you can use any other string (such as emailAddress).
- Once done, you can preview the SAML assertion and then click the Next button.
- After answering the Okta Support question, click the Finish button to create the application.
- Once you have created the OUTSCAN or HIAB application on the Okta Identity Provider, you need to assign users or groups to this application. In the example below, we use a group, which makes management easier. Open the Assignments tab and click the Assign button.
- Select Assign to Groups to start assigning groups to the application.
- Choose a group to assign and click the blue Assign text.
- When the users or groups have been assigned to the application, click the blue Done button.
- Your assignment is now populated.
OUTSCAN or HIAB Configuration
To configure OUTSCAN/HIAB to use Okta as the identity provider, you need to complete the following steps:
- Retrieve the metadata file describing the identity provider
- Adjust the metadata file (if needed)
- Upload the metadata file in OUTSCAN/HIAB
Retrieve Identity Provider Metadata file
To retrieve the IdP metadata file, open the Sign On tab of your application.
Then scroll down to the SAML Signing Certificates section and click the Actions button menu to view the IdP metadata.
This opens a new page in your browser that you can save on your computer and reuse later when configuring the IdP in the OUTSCAN or HIAB software.
Adjust Identity Provider Metadata File
To integrate an Identity Provider (IdP) in OUTSCAN or HIAB, you have to upload the SAML Metadata file describing the IdP. This file must comply with the SAML standard.
Upload the SAML Metadata File
Open the SAML Metadata file retrieved from the Identity Provider (IdP) and make sure that:
- The file contains the XML tag: <?xml version='1.0' encoding='UTF-8'?>
XML tag consideration
If the XML tag is not present, add the following tag at the beginning of the file: <?xml version='1.0' encoding='UTF-8'?>
- The EntityDescriptor section contains the validUntil attribute.
validUntil attribute consideration
If this attribute is not present, add it using the following format: validUntil="YYYY-MM-DDTHH:MM:SS"
A valid SAML Metadata file should look like the following
SAML Metadata file consideration
Uploading the file in its current state will result in an error.
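The two checks above (XML declaration present, validUntil set on EntityDescriptor) can be run on the downloaded file before upload. The following is an added example, not Outpost24 or Okta code: the function names, the sample metadata and the validUntil date passed in are assumptions, and it additionally flags an expired validUntil and tolerates a trailing Z on the value.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_DECL = "<?xml version='1.0' encoding='UTF-8'?>"
FMT = "%Y-%m-%dT%H:%M:%S"  # validUntil format given on this page

def check_metadata(text, now):
    """Return the problems that must be fixed before the file is uploaded."""
    # Metadata never needs a DTD; refuse it rather than let the parser expand entities.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD/entity declarations do not belong in SAML metadata")
    problems = []
    if not text.lstrip().startswith("<?xml"):
        problems.append("missing XML declaration")
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, not EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("missing validUntil")
    else:
        try:  # assumption: a trailing UTC designator "Z" is tolerated
            if datetime.strptime(valid_until.rstrip("Z"), FMT) <= now:
                problems.append("validUntil is in the past")
        except ValueError:
            problems.append("validUntil is not YYYY-MM-DDTHH:MM:SS")
    return problems

def adjust_metadata(text, valid_until, now):
    """Add only what is missing; the rest of the file is left byte-for-byte intact."""
    problems = check_metadata(text, now)
    if "missing validUntil" in problems:
        stamp = valid_until.strftime(FMT)
        # Insert the attribute into the opening EntityDescriptor tag, any prefix.
        text = re.sub(r"<(?:[\w.-]+:)?EntityDescriptor\b",
                      lambda m: f'{m.group(0)} validUntil="{stamp}"', text, count=1)
    if "missing XML declaration" in problems:
        text = XML_DECL + "\n" + text.lstrip()
    return text

# Constructed sample: trimmed IdP metadata lacking both items (entityID is made up).
SAMPLE = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
          ' entityID="http://www.okta.com/EXAMPLE">\n'
          '  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>\n'
          '</md:EntityDescriptor>\n')

if __name__ == "__main__":
    print(adjust_metadata(SAMPLE, datetime(2026, 4, 10), datetime(2025, 4, 10)))
```

Editing the opening tag as text instead of re-serializing the parsed tree keeps namespace prefixes and the embedded certificate exactly as the IdP exported them.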
Setting Up Identity Provider
Configure Identity Provider (IdP) SSO in Outpost24 by importing IdP metadata, mapping subject attributes, and enabling federated login via SAML.
When setting up SSO for a sub-user, the UID must be the same as the e-mail address.
Test the Integration
SP initiated SSO, for example from Outpost24
- Go to https://outscan.outpost24.com (or alternatively go to your HIAB at https://<hiab-ip-address> if you integrate Okta with HIAB).
- Enter your username.
- Click on Single Sign-On.
- Enter your username and password on the Okta page you have been redirected to.
- Click Sign In.
- You will be redirected to OUTSCAN and authenticated.
If you have 2-factor authentication enabled on OUTSCAN, you must provide it before you log in.
IdP initiated SSO, for example from Okta
- Log in to Okta at <YourDomain>.okta.com.
- Click on <Outscan/Hiab> to be redirected to Outpost24 OUTSCAN/HIAB.
- You are redirected to either the NetSec or Portal UI, depending on the settings you set in the NetSec UI Identity provider integration window.
Reference
Okta SAML concepts overview: https://developer.okta.com/docs/concepts/saml/
Okta SAML integration: https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/