This basic guide shows how to configure Okta for Admin SSO with uStudio Platform. Please note that this guide may not cover everything your organization may want to set up.
- Log in to Okta as an Admin.
- Click Create App Integration under the Applications section.
- Select SAML 2.0 as the application template.
- Click Next to proceed.
- Under General Settings, set App name to uStudio Admin SSO.
- Select "Do not display application icon to user" because we use other URLs to login.
- Select "Do not display application icon in the Okta Mobile app" because we use other URLs to login.
- Click Next to proceed.
- Under SAML Settings, set Single sign-on URL to https://login.ustudio.com/auth/realms/platform-users/broker/companycode/endpoint and make sure to replace companycode with your Company Code provided by uStudio.
- Ensure "Use this for Recipient URL and Destination URL" is selected.
- Set Audience URI (SP Entity ID) to https://login.ustudio.com/auth/realms/platform-users/broker/companycode/endpoint and make sure to replace companycode with your Company Code provided by uStudio.
- Ensure Default RelayState is blank.
- Ensure Name ID format is set to Unspecified.
- Ensure Application username is set to Okta username.
- Ensure Update application username on is set to Create and update.
- Scroll down to Attribute Statements.
- Click Add Another 3 times.
- On row 1, set Name to given_name and Value to user.firstName.
- On row 2, set Name to family_name and Value to user.lastName.
- On row 3, set Name to email and Value to user.email.
- Scroll down until you see the preview for the SAML Assertion section.
- Click Next to proceed.
- Under Feedback, select "I'm an Okta customer adding an internal app."
- Select "This is an internal app that we have created."
- Click Finish to proceed.
- Metadata & Certificate Swapping. You should now be in the Sign On tab, where you can scroll down to the SAML 2.0 section. Please send your Metadata URL to uStudio and wait for uStudio to provide you with an X509 Certificate in return.
- After you have received our X509 Certificate, please go to the General tab and click Edit under the SAML Settings.
- Click Next to proceed.
- Scroll down until you see "Show Advanced Settings" and click it to expand the options.
- Ensure Response is set to Signed.
- Ensure Assertion Signature is set to Signed.
- Ensure Signature Algorithm is set to RSA-SHA256.
- Ensure Digest Algorithm is set to SHA256.
- Ensure Assertion Encryption is set to Unencrypted.
- Upload our X509 Certificate to Signature Certificate.
- Ensure "Allow application to initiate Single Logout" is deselected.
- Ensure "Validate SAML requests with signature certificates" is deselected.
- Ensure "Other Requestable SSO URLs" is blank.
- Ensure Assertion Inline Hook is set to None.
- Ensure Authentication context class is set to PasswordProtectedTransport.
- Ensure Honor Force Authentication is set to Yes.
- Ensure SAML Issuer ID is set to http://www.okta.com/${org.externalKey}.
- Scroll down to the Preview the SAML Assertion section and click Next to proceed.
- Click Finish to proceed.
- Go to the Assignments tab and assign People or Groups to this application.
- Now you may proceed to admin onboarding as documented here: https://ustudio.zendesk.com/hc/en-us/articles/360052700771-Platform-SSO-SAML-Connection-Process
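As an added check that is not part of this guide, of uStudio's tooling or of Okta's, the Python script below parses a SAML Response (for example one captured with a browser SAML tracer during a test login) and compares it with the settings configured above: Destination and Recipient equal to the Single sign-on URL, Audience equal to the SP Entity ID, Response and Assertion both signed with RSA-SHA256 and SHA256 digests, an unencrypted assertion, Unspecified NameID format, PasswordProtectedTransport as the authentication context, an http://www.okta.com/ issuer, and the given_name, family_name and email attribute statements. It does not verify the XML signatures cryptographically; that requires uStudio's certificate and an xmldsig library. The sample response is constructed for the example, with placeholder signature values and a placeholder issuer key, and `companycode` stands in for your Company Code exactly as it does in the guide.

```python
"""Compare an Okta SAML Response with the settings used in this guide.

Structural check only: signatures are not verified cryptographically.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Expected values from the guide; "companycode" is the guide's placeholder.
COMPANY_CODE = "companycode"
SSO_URL = ("https://login.ustudio.com/auth/realms/platform-users/broker/"
           f"{COMPANY_CODE}/endpoint")
AUDIENCE = SSO_URL  # Audience URI (SP Entity ID) is the same URL in this guide
ISSUER_PREFIX = "http://www.okta.com/"  # followed by ${org.externalKey}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REQUIRED_ATTRS = {"given_name", "family_name", "email"}


def _signature_problems(parent, label):
    """Report a missing signature or an unexpected signature/digest algorithm."""
    sig = parent.find("ds:Signature", NS)
    if sig is None:
        return [f"{label} is not signed"]
    out = []
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if sm is None or sm.get("Algorithm") != RSA_SHA256:
        out.append(f"{label} signature algorithm is not RSA-SHA256")
    dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    if dm is None or dm.get("Algorithm") != SHA256:
        out.append(f"{label} digest algorithm is not SHA256")
    return out


def check_response(xml_text):
    """Return the list of mismatches against the guide's settings (empty means OK)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a SAML 2.0 Response"]
    problems = []
    if root.get("Destination") != SSO_URL:
        problems.append("Destination does not match the Single sign-on URL")
    problems += _signature_problems(root, "Response")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("Assertion is encrypted; the guide expects Unencrypted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plain Assertion element found"]
    problems += _signature_problems(assertion, "Assertion")
    if not assertion.findtext("saml:Issuer", default="", namespaces=NS).startswith(ISSUER_PREFIX):
        problems.append("Issuer is not an http://www.okta.com/ issuer ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        problems.append("NameID format is not Unspecified")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SSO_URL:
        problems.append("Recipient does not match the Single sign-on URL")
    if assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                          default="", namespaces=NS) != AUDIENCE:
        problems.append("Audience does not match the SP Entity ID")
    if assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                          default="", namespaces=NS) != PPT:
        problems.append("Authentication context class is not PasswordProtectedTransport")
    names = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - names):
        problems.append(f"attribute statement '{missing}' is missing")
    return problems


def make_sample(sig_alg=RSA_SHA256, digest_alg=SHA256,
                attrs=("given_name", "family_name", "email")):
    """Build a constructed (not captured) Okta-style Response with placeholder signature values."""
    def sig():
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
                f'<ds:SignatureMethod Algorithm="{sig_alg}"/>'
                f'<ds:Reference><ds:DigestMethod Algorithm="{digest_alg}"/>'
                '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
                '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
    issuer = f"{ISSUER_PREFIX}ORG-EXTERNAL-KEY-PLACEHOLDER"  # stands in for ${org.externalKey}
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>'
        for n in attrs)
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" Destination="{SSO_URL}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>{sig()}'
        f'<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>{sig()}'
        f'<saml:Subject><saml:NameID Format="{NAMEID_UNSPECIFIED}">jdoe@example.com</saml:NameID>'
        f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SSO_URL}"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{PPT}'
        '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    print("configured as in the guide:", check_response(make_sample()))
    print("SHA1 digest, missing attributes:", check_response(
        make_sample(digest_alg="http://www.w3.org/2000/09/xmldsig#sha1", attrs=("given_name",))))
```

To run it against a real login, paste the base64-decoded SAMLResponse from the Preview the SAML Assertion page or a browser SAML tracer into `check_response`; an empty list means the response matches every setting listed in this guide, and each string in a non-empty list names the setting that still differs.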