Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Current »

Prerequisites

  • An Okta account is needed before EngageIP can be configured for Single Sign On.  You can create your account by visiting https://www.okta.com/

  • You will need two SSL certificates. One for the SAML request signing, this can either be a self signed certificate or from a public CA (e.g. GoDaddy). The other will come from Okta (see step 13 below)

  • To configure the Single Sign On option in EngageIP, the logged in user needs to be a member of a role that has the "OwnerSingleSignOnConfiguration" options enabled. To check this go to Setup -> Roles -> select the proper role -> find the "OwnerSingleSignOnConfiguration" under "ROLE PERMISSIONS"

Adding EngageIP to Okta

  1. Login to your Okta Dashboard

  2. Click on the Applications tab in the top menu bar

  3. Click the Add Application button

  4. Click the Create New App button


  5. Set the Platform to 'Web', and the Sign on method to 'SAML 2.0' and click Create

  6. Populate an App name (e.g. 'EngageIP') for this configuration and then click Next

  7. Configure the SAML properties with the proper IP/DNS entry in the Single sign on URL

  8. Scroll down and click Next

  9. Select the option: I’m an Okta customer adding an internal app and click Finish

  10. On the EngageIP application page, click View Setup Instructions

  11. You will be presented with information for configuring the service provider (EngageIP). Copy the data shown in 'Identity Provider Single Sign-On URL' and 'Identity Provider Issuer', and then download the certificate by clicking the Download Certificate button for use a bit later

Configuring Okta in EngageIP

  1. Log into the web server that is running your EngageIP instance

  2. Browse to the C:\Program Files (x86)\EngageIP\AdminPortal folder

  3. Create a folder called 'Certificates' and place your SAML signing certificate and the certificate you downloaded in step 13 above into the new folder

  4. Go back into the 'AdminPortal' folder and find the web.config file. Backup the config file

  5. Open the original web.config file in a text editor

  6. Add the below line in the <configSections> area

    <section name="samlConfiguration" type="Logisense.Boss.Presentation.SamlConfigurationSection" />
  7. Add the line below to the bottom of the web.config just above the </configuration> line
    Note: this step is using your SAML Signing Certificate, not the one you downloaded from Okta

    <samlConfiguration name="EngageIP" description="Engage Default" assertionConsumerServiceUrl="~/login/saml.rails" localCertificatePassword="YOUR_SAML_CERT_PSWD" localCertificatePfxFile="Certificates\YOUR_SAML_CERT.pfx" />

    Important: You must save the changes you made to the web.config file. Saving the changes will cause the application pool to recycle which will terminate any active sessions and will require your users to log back into the EngageIP system ***

  8. Login as an administrator into EngageIP

  9. Click on Setup then scroll down to Accounts and Roles. In the Permissions area you will see the option for Single Sign On, click it to go to the SSO setup page

  10. Configure the SSO Settings:


1. Check the Enable Single Sign On checkbox
2. Populate the Authentication URL using the 'Identity Provider Single Sign-On URL' from Okta
3. Populate the Issuer in EngageIP using the 'Identity Provider Issuer' from Okta
4. Click Choose file next to Replacement Identity Provider Certificate in EngageIP and browse to the
'Certificates' folder you created. Select the certificate you downloaded from Okta
5. Enter a Session Time Out (e.g. '1h')
6. Provide a Logout URL. This URL be any site you wish to send user to after logout, but what makes
the most sense is to use the user's Okta home. This is the same hostname as what you entered into
the 'Authentication URL' box but you would remove everything after /app/ and replace it with
/UserHome. See screenshot below for example
7. Click Save

Adding Users to Okta

  1. Access your Okta admin dashboard

  2. Click People in the Directory menu

  3. Click Add Person

  4. Fill out the applicable fields in the Add Person form and click Save

Assigning Okta Users to EngageIP

  1. Access your Okta admin dashboard

  2. Click People in the Directory menu

  3. Click on the user you wish to assign EngageIP to

  4. Click the green Assign Applications button

  5. Click Assign for the EngageIP application that you setup

  6. Confirm the username you want to use and then click the Save and Go Back button

  7. Click Done

Configuring User Mapping in EngageIP

  1. Login to EngageIP

  2. Navigate to the Overview page for the owner you wish to configure SSO for using Okta

  3. Click Add under the Components and then click on Single Sign On


    Note: if the Single Sign On link does not appear, ensure that you've properly configured Single Sign On for this owner.  See Configuring Okta in EngageIP steps above)

  4. Configure the SSO component

  5. Enter the 'SAML Federation ID'.  This is the user name that you configured when 'Assigning Okta users to EngageIP' in the configuration steps above

  6. Ensure that the Single Sign On Enable checkbox is checked

  7. Click Save

Logging Into EngageIP From Okta

  1. Navigate to your user home for the user you wish to log into EngageIP as.  This is likely the same as the Logout URL that you configured for the EngageIP owner's Logout URL (e.g. oktapreview.com/app/UserHome)

  2. Log into Okta and you should see your EngageIP application available.  If not, then please see the 'Adding EngageIP to Okta' and/or 'Assigning Okta Users to EngageIP' configuration steps above

  3. Click on the EngageIP button

  4. You should now see the login process log you into EngageIP

See Also

  • No labels