Okta
To configure Okta as an SSO identity provider, click the button Configure New SSO in the Single-Sign On section of the organization admin settings. Then proceed with the steps below.
Step 1. Settings
In the first step, select Okta as the identity provider. Then select the e-mail domains for which you want to set up SSO with Okta. Finally, choose how new users should be handled. Then select Next.
Step 2. Configure Okta
Copy the Single sign-on URL and the Audience URI. Then open the Okta Admin Console and select Applications in the left-hand navigation.
Select Create App Integration.
In the dialog that opens, select SAML 2.0 as the Sign-in method. Then click Next.
In the General Settings, enter Cluvio as the App name. Optionally upload a Cluvio logo as the App logo. Then click Next.
Paste the Single sign-on URL and the Audience URI copied from Cluvio into the equivalently named fields. Choose EmailAddress for the Name ID format and Email for the Application username.
In the Attribute Statements section, create two attribute mappings for firstname and lastname as shown below. Then click Next.
You may now optionally provide feedback to Okta. Click Finish to complete the Okta app configuration.
You should now land on the detail page of your newly created app integration, with the Sign On tab selected. Copy the Metadata URL from the settings section, highlighted below.
Return to Cluvio to proceed with step 3.
Step 3. Configure Cluvio
Enter the Metadata URL copied at the end of the previous step from the Okta Admin Console into the provided input field. It will be validated and processed automatically. When the URL is valid and the Okta SAML Metadata was successfully loaded into Cluvio, you will see the message Metadata successfully loaded!
Click Next to proceed.
Step 4. User Access
You must now enable access to Cluvio for your Okta users in the Okta Admin Console. Follow the instructions shown to navigate to your Cluvio app integration in the Okta Admin Console and open the Assignments tab.
Assign people and groups as desired. Grant access at least to your own Okta user account, in order to be able to verify the SSO configuration. After completing user and group assignments in the Okta Admin Console, return to Cluvio and click Next to proceed with step 5.
Step 5. Verification
Your Cluvio SSO configuration is now complete, but in order for the configuration to be activated and SSO logins to be enabled, it must be verified. Click Verify Configuration. Cluvio will open a popup window that performs SSO authentication with your identity provider and your Cluvio email address. If you are currently authenticated with the identity provider, the popup closes automatically and you see a success message.
At this point, all future Cluvio logins for users with e-mail addresses in the configured domains will redirect to Okta for authentication, and Okta will redirect back to Cluvio when authentication is successful. Click Close to close the SSO setup wizard.
Reconfiguration
To reconfigure Okta SSO, select Reconfigure in the SSO config drop-down menu in the organization admin section. The following dialog is shown.
In the Cluvio tab of the reconfiguration dialog you can see the Okta metadata URL that Cluvio is using to periodically check for new certificates. Select Show Metadata to reveal the SAML metadata, including the certificates that Cluvio is currently using.
Select Reload Metadata to reload the Okta SAML metadata from the metadata URL. If Cluvio detects any changes, it will be indicated in the dialog. There are two use cases for reloading metadata: updating certificates, or changing the Cluvio SSO configuration to link with a completely new Okta app integration. While the former needs to be done when the existing certificates expire, the latter is only necessary if you intentionally want to delete and reconfigure your Okta app integration for Cluvio.
In the Okta tab of the reconfiguration dialog you can see the Cluvio metadata that must be used in the configuration of the Okta app integration in the Okta Admin Console.
Updating Certificates
To replace an expiring certificate used by your Okta app integration for Cluvio, open the app configuration in the Okta Admin Console. The single sign-on section shows the SAML Signing Certificates.
Click Generate new certificate to create a new certificate. Only one certificate is active at any time. The active certificate is used by Okta to sign SSO assertions sent to Cluvio after successful authentication.
Activate the new certificate.
To update Cluvio with the new certificate, reconfigure the Okta SSO configuration in Cluvio and select Reload Metadata. You should see an indication that the metadata changed. Click Save & Verify to save the new metadata and verify that the SSO configuration is functional. Verification opens a popup that authenticates with Okta using your Cluvio email address. If verification fails, the previous metadata is automatically restored.
Cluvio periodically polls the Okta metadata URL to check for new certificates and periodically checks for upcoming expiration of currently used certificates. If a new or expiring certificate is detected, an email notification is sent to the admins in your Cluvio organization.