Adding an Okta SSO
To add an Okta SSO, you must have administrative privileges in your organization’s Okta SSO and one of the following Flexera One roles: Manage organization or Administer organization. For complete descriptions of each role available in Flexera One, see Flexera One Roles.
Perform the following tasks in sequential order to create a single sign-on using Okta.
For further information on Okta SSO, see:
Step 1: Creating a SAML 2.0 Application in Okta
To create a SAML 2.0 application:
- Sign in to Okta’s Admin Console using your Okta account’s administrator credentials.
- Click Applications and then click Add Application.
- Click Create New App.
- In the Create a New Application Integration window, perform the following steps:
  - For Platform, select Web.
  - For Sign on method, select SAML 2.0.
  - Click Create.
- On the Create SAML Integration screen’s General Settings section, complete and save the following fields:
  - App name
    Note: The app name can only consist of UTF-8, 3 byte characters.
  - App logo (optional)
  - App visibility
- Click Next.
- Continue with the steps in Step 2: Setting Up Okta SSO With SAML 2.0 Using Temporary Values.
Step 2: Setting Up Okta SSO With SAML 2.0 Using Temporary Values
To set up Okta SSO with SAML 2.0 using temporary values:
- On the Create SAML Integration screen’s Configure SAML section, complete the following fields with temporary values in an https:// format. You will later populate these fields with actual values.
  - Single Sign-On (SSO) URL
  - Audience URI (Service Provider Entity ID)
- Continue with the steps in Step 3: Downloading Okta’s SAML Signing Certificate.
Step 3: Downloading Okta’s SAML Signing Certificate
To download Okta’s SAML signing certificate:
- On the right side of the Configure SAML section on the Create SAML Integration screen, go to Okta Certificate and click Download Okta Certificate.
- Save Okta’s SAML signing certificate so that it can be later uploaded to Flexera One.
- Click Next.
- Complete the Create SAML Integration screen’s Feedback section.
- Click Finish.
- Continue with the steps in Step 4: Setting Up an Identity Provider in Flexera One.
Step 4: Setting Up an Identity Provider in Flexera One
To set up an identity provider in Flexera One:
- Sign in to Flexera One (for details, see Log In to Flexera One or Reset Your Password).
- Go to Administration and click Identity Providers.
- On the Identity Providers screen:
  - If adding a new identity provider, click New Identity Provider.
  - If editing an existing identity provider, select your identity provider’s listing on the left and click Edit.
- In the new identity provider record, click the General tab and complete the following fields.
Note: To populate some of the following fields in Flexera One, you must copy information from Okta. In Okta’s Admin Console, go to the Applications tab, and select Sign On. In the Settings section, click the View Setup Instructions for SAML 2.0.
| Field | Description |
| --- | --- |
| Name* | Enter the display name of your identity provider. Example: OktaIDP |
| SSO URL* | In Okta, copy the Identity Provider Single Sign-On URL and paste it into this field. This URL is the endpoint responsible for receiving SAML AuthnRequest messages. It is also the URL Flexera One’s sign in process uses to verify your users and log them in. Example: https://mycompanyname.mysamlprovider.com/app/myorg456_test123/exjo2H0GTZ357/sso/saml |
| Issuer URI* | In Okta, copy the Identity Provider Issuer and paste it into this field. This URL is a globally unique identifier for SAML entities to your identity provider SAML application setup. Example: https://mysamlprovider.com/exjo2H0GTZ357 |
| Discovery Hint | Enter unique values to help users navigate more quickly to your organization’s federated identity provider sign-in page. Note: If you include special characters in the Discovery Hint, be aware that the following characters (including spaces) are the only permissible special characters: :( )_+-.@ Info: For Okta, if you do not enter a Discovery Hint, you cannot enable service provider-initiated single sign-on. You would need to go to your identity provider and click the Flexera One application to sign in. |
| Signature Certificate* | Drag and drop to upload, or browse for your Okta Certificate (x.509 certificate) that is used to verify SAML message and assertion signatures. |
| Logout Redirect URL | When you sign in to Flexera One through your organization's identity provider, you will be directed to a logout redirect URL when your session ends. A Flexera One session may end when you log out or when your session expires due to inactivity. If no logout redirect URL is set, you will be directed to the Flexera One sign in page when your session ends. One suggested use for this feature is to set the logout redirect URL to the homepage of your organization's identity provider. An https:// URL is strongly recommended. However, an http:// URL is also valid. Note: When the logout redirect URL is changed, it only affects newly created sessions after the update. Any session already active during the update will not be affected by the update. To observe the changed behavior, log out of Flexera One, then sign in to Flexera One again through the identity provider and when that session ends, the new logout redirect value will be active. |

Note: All fields marked with an asterisk (*) are required.
- If you click the Show Advanced Settings link, the following additional fields are displayed. The default options are noted below for your reference. Changes to these settings are rarely required. You only need to reveal these settings if changes are needed.
| Field | Description |
| --- | --- |
| Request Binding | Select the SAML Authentication Request Protocol binding used by your identity provider to send SAML AuthnRequest messages to the IDP. Enum: HTTP-POST (This is the default option.), HTTP-REDIRECT |
| Request Signature Algorithm | Select the signature algorithm used to sign SAML AuthnRequest messages sent to the IDP. Enum: SHA-256 (This is the default option.), SHA-1 |
| Response Signature Algorithm | Select the minimum signature algorithm when validating SAML assertions issued by the IDP. Enum: SHA-256 (This is the default option.), SHA-1 |
| Response Signature Verification | Select the protocol to use when authenticating users from this IDP. Enum: Response or Assertion (This is the default option.), Response, Assertion |
| Sign Authorization Request (optional) | Select this option if you wish to have Flexera One enable signing AuthnRequest (authentication) messages to your identity provider. Signing these AuthnRequest messages increases the security of your transactions between your identity provider and Flexera One. Make sure your identity provider supports verifying AuthnRequests before enabling this feature. If you enable this feature, you must go to Creating a New Signing Key and create the Flexera One signing key to submit to your identity provider for verifying authorization requests. |

- Click Save.
- Continue with the steps in Step 5: Setting Up Okta SSO With SAML 2.0 Using Actual Values.
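The Response Signature Algorithm and Response Signature Verification settings can be checked against a SAML response captured during a test sign-in. The following Python is an added example, not Flexera One or Okta code: it reads only the declared signature algorithms and does not verify signatures. Its reading of the three verification options as "which element must carry an acceptable signature" is an assumption, and the sample response is constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# XML-DSig algorithm URIs mapped to the names used in the settings table.
SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
}
RANK = {"SHA-1": 1, "SHA-256": 2}

# Constructed sample: only the Assertion is signed, and with RSA-SHA1.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def signature_alg(element):
    """Algorithm of a ds:Signature attached directly to element, or None if unsigned."""
    method = element.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        return None
    return SIG_ALGS.get(method.get("Algorithm"), "unknown")

def audit_response(xml_text, minimum="SHA-256", verification="Response or Assertion"):
    """Report which parts are signed and whether they meet the configured minimum."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    found = {"Response": signature_alg(root),
             "Assertion": signature_alg(assertion) if assertion is not None else None}
    # Unsigned or unrecognised algorithms rank 0 and never satisfy the minimum.
    ok = {k: v is not None and RANK.get(v, 0) >= RANK[minimum] for k, v in found.items()}
    if verification == "Response or Assertion":  # assumed meaning: either one suffices
        accepted = ok["Response"] or ok["Assertion"]
    else:
        accepted = ok[verification]
    return {"signed_with": found, "accepted": accepted}
```

Run it only on responses from your own test sign-in; for XML from an untrusted source, parse with a hardened parser such as defusedxml.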
Step 5: Setting Up Okta SSO With SAML 2.0 Using Actual Values
To set up Okta single sign-on with SAML 2.0 using actual values:
- In Okta’s Admin Console, go to the Applications tab, and select General.
- In the SAML Settings section, click Edit.
- On the Edit SAML Integration screen, click Configure SAML.
- In the Single Sign-On URL field, copy and paste Flexera One’s Assertion Consumer Service (ACS) URL. The information to be copied is generated in step 4 of Step 4: Setting Up an Identity Provider in Flexera One. For example: https://secure.flexera.com/sso/saml2/<someChars>
- In the Audience URI (SP Entity ID) field, copy and paste Flexera One’s Service Provider Entity ID. The information to be copied is generated in step 4 of Step 4: Setting Up an Identity Provider in Flexera One.
- Save all your settings.
- Continue with the steps in Step 6: Testing the Okta SSO.
Step 6: Testing the Okta SSO
Perform the following tasks to test the Okta single sign-on.
Adding and Verifying a Domain
To add and verify a domain:
- Complete all the steps for Adding a Domain and Verifying a Domain With a TXT Record.
- Continue with the steps in Assigning a User or Group to Test the Okta SSO.
Assigning a User or Group to Test the Okta SSO
To assign a user or group to test the Okta SSO:
- In Okta’s Admin Console, go to the Applications tab and select Assignments.
- Click Assign.
- Click Assign to People or Assign to Groups.
- Select the appropriate user or group and click Assign.
- Click Done.