Single Sign On (SSO) - Okta Configuration
Prerequisites
An Okta account is needed before EngageIP can be configured for Single Sign On. You can create one on the Okta website (Identity | Okta)
You will need two certificates. The first is the SAML request signing certificate for EngageIP (the service provider). It must include its private key, exported as a .pfx file, and can be either self-signed or issued by a public CA (e.g. GoDaddy). The second is Okta's identity provider signing certificate, which you download from Okta while adding the EngageIP application (see 'Adding EngageIP to Okta' below); it contains only a public key and is used by EngageIP to verify the signature on Okta's assertions
To configure the Single Sign On option in EngageIP, the logged-in user must be a member of a role that has the "OwnerSingleSignOnConfiguration" permission enabled. To check this, go to Setup / Roles / select the proper role / find "OwnerSingleSignOnConfiguration" under "ROLE PERMISSIONS"
Adding EngageIP to Okta
Login to your Okta Dashboard
Click on the Applications tab in the top menu bar
Click the Add Application button
Click the Create New App button
Set the Platform to 'Web', and the Sign on method to 'SAML 2.0' and click Create
Populate an App name (e.g. 'EngageIP') for this configuration and then click Next
In the SAML settings, set the Single sign on URL to the address at which Okta will POST signed assertions to EngageIP: the HTTPS host name (or IP) that your users reach EngageIP by, followed by the assertion consumer path configured in web.config (the configuration below uses ~/login/saml.rails, i.e. the admin portal's base URL followed by /login/saml.rails). Use the exact public host name; a mismatch between this URL and the address EngageIP answers on will cause the login to fail
Scroll down and click Next
Select the option: I’m an Okta customer adding an internal app and click Finish
On the EngageIP application page, click View Setup Instructions
You will be presented with the information needed to configure the service provider (EngageIP). Copy the values shown for 'Identity Provider Single Sign-On URL' and 'Identity Provider Issuer', and download Okta's signing certificate by clicking the Download Certificate button. All three are used later in 'Configuring Okta in EngageIP'
Configuring Okta in EngageIP
Log into the web server that is running your EngageIP instance
Browse to the C:\Program Files (x86)\EngageIP\AdminPortal folder
Create a folder called 'Certificates' and place your SAML signing certificate (the .pfx file) and the certificate you downloaded from Okta into the new folder
Go back into the 'AdminPortal' folder and find the web.config file. Back up the file before editing it
Open the original web.config file in a text editor
Add the line below inside the <configSections> element (which must be the first child of <configuration>)
<section name="samlConfiguration" type="Logisense.Boss.Presentation.SamlConfigurationSection" />
Add the line below at the bottom of web.config, just above the closing </configuration> line. Note: this element references your SAML signing certificate (the .pfx containing the private key), not the certificate you downloaded from Okta. Replace YOUR_SAML_CERT.pfx and YOUR_SAML_CERT_PSWD with your file name and its password
<samlConfiguration name="EngageIP" description="Engage Default" assertionConsumerServiceUrl="~/login/saml.rails" localCertificatePassword="YOUR_SAML_CERT_PSWD" localCertificatePfxFile="Certificates\YOUR_SAML_CERT.pfx" />
Important: Save the changes to web.config. Saving causes the application pool to recycle, which terminates all active sessions and requires your users to log back into EngageIP. Because the PFX password is stored in clear text in web.config, restrict read access to the file and to the Certificates folder to administrators and the application pool identity
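As an added example that is not part of the EngageIP documentation, the PowerShell script below (run as an administrator on the EngageIP web server) carries out the certificate prerequisite and the web.config edits above in one pass: it generates a self-signed SP signing certificate, exports it as a .pfx into the Certificates folder, sanity-checks the certificate downloaded from Okta, backs up web.config and inserts both configuration elements. The install path is the default given above; the PFX file name, the 'okta.cert' file name and the certificate subject are assumptions to adjust for your environment.

```powershell
# Added example, not part of the EngageIP documentation: prepares the service-provider
# signing certificate and applies the two web.config changes described above.
# Assumptions (adjust for your install): default AdminPortal path, PFX file name,
# certificate subject, and 'okta.cert' as the name of the file downloaded from Okta.
$portal      = 'C:\Program Files (x86)\EngageIP\AdminPortal'
$certDir     = Join-Path $portal 'Certificates'
$webConfig   = Join-Path $portal 'web.config'
$pfxName     = 'engageip-saml-signing.pfx'    # assumed name for the SP signing certificate
$oktaCert    = Join-Path $certDir 'okta.cert' # assumed name of the certificate from Okta
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the new PFX'

New-Item -ItemType Directory -Path $certDir -Force | Out-Null

# 1. Create the SP signing certificate (self-signed here; a CA-issued certificate works the
#    same way as long as it is exported with its private key) and write it to Certificates.
$spCert = New-SelfSignedCertificate -Subject 'CN=EngageIP SAML Signing' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(3)
Export-PfxCertificate -Cert $spCert -FilePath (Join-Path $certDir $pfxName) `
    -Password $pfxPassword | Out-Null

# 2. Sanity-check the Okta IdP certificate: it must exist, carry no private key and not be
#    expired. EngageIP uses it only to verify Okta's signature on the SAML assertion.
$idp = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $oktaCert
if ($idp.HasPrivateKey) { throw 'The Okta certificate should be public-only; check which file you copied.' }
if ($idp.NotAfter -lt (Get-Date)) { throw "The Okta certificate expired on $($idp.NotAfter)." }
"Okta IdP certificate $($idp.Thumbprint) is valid until $($idp.NotAfter)"

# 3. Back up web.config, then add the section declaration and the samlConfiguration element.
Copy-Item -Path $webConfig -Destination "$webConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true   # keep the existing layout of the file
$cfg.Load($webConfig)
$root = $cfg.DocumentElement      # <configuration>

# <configSections> must be the first child of <configuration>; create it if it is missing.
$sections = $root.SelectSingleNode('configSections')
if (-not $sections) { $sections = $root.PrependChild($cfg.CreateElement('configSections')) }
if (-not $sections.SelectSingleNode("section[@name='samlConfiguration']")) {
    $section = $cfg.CreateElement('section')
    $section.SetAttribute('name', 'samlConfiguration')
    $section.SetAttribute('type', 'Logisense.Boss.Presentation.SamlConfigurationSection')
    $sections.AppendChild($section) | Out-Null
}

# The samlConfiguration element points at the SP signing PFX, never at the Okta certificate.
if (-not $root.SelectSingleNode('samlConfiguration')) {
    $saml = $cfg.CreateElement('samlConfiguration')
    $saml.SetAttribute('name', 'EngageIP')
    $saml.SetAttribute('description', 'Engage Default')
    $saml.SetAttribute('assertionConsumerServiceUrl', '~/login/saml.rails')
    $saml.SetAttribute('localCertificatePfxFile', "Certificates\$pfxName")
    # EngageIP reads the PFX password in clear text from web.config; lock down the file's ACL.
    $saml.SetAttribute('localCertificatePassword',
        [System.Net.NetworkCredential]::new('', $pfxPassword).Password)
    $root.AppendChild($saml) | Out-Null
}

# Saving web.config recycles the application pool and ends all active EngageIP sessions.
$cfg.Save($webConfig)
```

Run the script during a maintenance window, since the final save recycles the application pool. The script is idempotent for the two XML elements (it skips each one if it already exists), so it can be re-run after fixing a typo without producing duplicate sections. The exported PFX stays protected by the password you entered, but that same password ends up in web.config, so apply the ACL restriction noted above before handing the server back to users.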
Login as an administrator into EngageIP
Click on Setup then scroll down to Accounts and Roles. In the Permissions area you will see the option for Single Sign On, click it to go to the SSO setup page
Configure the SSO Settings:
1. Check the Enable Single Sign On checkbox
2. Populate the Authentication URL using the 'Identity Provider Single Sign-On URL' from Okta
3. Populate the Issuer in EngageIP using the 'Identity Provider Issuer' from Okta
4. Click Choose file next to Replacement Identity Provider Certificate in EngageIP and browse to the 'Certificates' folder you created. Select the certificate you downloaded from Okta (the identity provider certificate, not your SAML signing .pfx)
5. Enter a Session Time Out (e.g. '1h')
6. Provide a Logout URL. This can be any site you wish to send the user to after logout, but the most sensible choice is the user's Okta home. It has the same hostname as the 'Authentication URL': remove everything after /app/ and replace it with /UserHome (e.g. https://<your-okta-domain>/app/UserHome)
7. Click Save
Adding Users to Okta
Access your Okta admin dashboard
Click People in the Directory menu
Click Add Person
Fill out the applicable fields in the Add Person form and click Save
Assigning Okta Users to EngageIP
Access your Okta admin dashboard
Click People in the Directory menu
Click on the user you wish to assign EngageIP to
Click the green Assign Applications button
Click Assign for the EngageIP application that you setup
Confirm the username you want to use and then click the Save and Go Back button
Click Done
Configuring User Mapping in EngageIP
Login to EngageIP
Navigate to the Overview page for the owner you wish to configure SSO for using Okta
Click Add under the Components and then click on Single Sign On
Note: if the Single Sign On link does not appear, ensure that you have properly configured Single Sign On for this owner (see the 'Configuring Okta in EngageIP' steps above)
Configure the SSO component:
Enter the 'SAML Federation ID'. This is the user name you confirmed when 'Assigning Okta Users to EngageIP' above, and it must match that Okta username exactly, since it is the identifier EngageIP uses to map the incoming assertion to this owner
Ensure that the Single Sign On Enable checkbox is checked
Click Save
Logging Into EngageIP From Okta
Navigate to the Okta user home of the user you wish to log into EngageIP as. This is likely the same address you configured as the Logout URL for the EngageIP owner (e.g. https://<your-okta-domain>.oktapreview.com/app/UserHome)
Log into Okta and you should see your EngageIP application available. If not, then please see the 'Adding EngageIP to Okta' and/or 'Assigning Okta Users to EngageIP' configuration steps above
Click on the EngageIP button
Okta will redirect the browser to EngageIP with a signed SAML assertion, and you should be logged into EngageIP as the mapped owner without entering EngageIP credentials