Okta example using SAML

Okta is an identity management service. It gives users access to various software with a single successful Okta login. This example provides step-by-step instructions on how to set up the application in Okta and in the MFT Server Manager interface. When complete, an MFT Server user will be able to log in to the MFT Server Web Client application using Okta. The images provided under the Okta Instructions are taken from the Okta Admin console. Most images are snippets and not the complete page.

Okta Instructions

1. Sign in to the Okta admin console.

2. Using the left sidebar menu, navigate to Applications > Applications.

3. Click on the Create App Integration button.

4. In the Create a new app integration pop-up dialog, choose SAML 2.0 and click Next.

In the Create SAML Integration dialog:

5. (1) General Settings - enter an App name (for example: MFT Server Web Client). See figure 413. Click Next.

Figure 413 [image clip0413]

6. (2) Configure SAML - enter values for the following (see figure 414):

 a. Single sign-on URL - use the URL format: http://<hostname>:<port>/sso/<domain_name>/login (for example: http://localhost:8880/sso/Domain2/login).

 b. Audience URI (SP Entity ID) - any ID (for example: jscape).

 c. Name ID format - This value should remain Unspecified. Click Next.

Figure 414 [image clip0414]

7. (3) Feedback - select I'm an Okta customer adding an internal app, then click Finish. See figure 415.

Figure 415 [image clip0415]

The page will refresh displaying the App name you entered previously, and the Sign On tab will be active. See figure 416.

8. On this page, scroll down to the SAML Signing Certificates section, then click on View SAML setup instructions.

Figure 416 [image clip0416]

9. A new page will open with IdP details. Copy the Identity Provider Single Sign-On URL value and download the X.509 Certificate. You will need the URL and certificate when configuring Okta in the MFT Server Manager application.

10. Using the left menu, navigate back to Applications > Applications.

11. Click the Assign Users to App button. Check the following:

 a. Under the Application & Label list, check the application you specified in Step 5.

 b. Under the Person & Username list, check the User who will be accessing the MFT Server Web Client. See figure 417. Click Next.

Figure 417 [image clip0417]

12. Click on the Confirm Assignments button.

This completes the Okta configuration.
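To make the three values from step 6 and the URL from step 9 concrete, here is an added example (not MFT Server's or Okta's own code) that builds the SAML AuthnRequest an SP sends for the page's example configuration, encodes it with the HTTP-Redirect binding that targets the Identity Provider Single Sign-On URL, and decodes it again the way the IdP does. MFT Server performs this exchange internally; the point of the example is to show that the SP Entity ID becomes the request's Issuer (what Okta matches against the Audience URI), the Single sign-on URL becomes the AssertionConsumerServiceURL, and the Unspecified Name ID format is the URN in NameIDPolicy. IDP_SSO_URL is a placeholder for the URL copied in step 9, and the HTTP-POST ProtocolBinding is my assumption about how the response is returned.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Values from the page's example (step 6); the Okta SSO URL is a placeholder
# standing in for the Identity Provider Single Sign-On URL copied in step 9.
SP_ENTITY_ID = "jscape"                                  # Audience URI (SP Entity ID)
ACS_URL = "http://localhost:8880/sso/Domain2/login"      # Single sign-on URL
IDP_SSO_URL = "https://PLACEHOLDER.okta.com/app/PLACEHOLDER/sso/saml"  # hypothetical


def build_authn_request(sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                        request_id=None, issue_instant=None):
    """Build the SP-initiated AuthnRequest that Okta will answer at acs_url.

    Issuer is the SP Entity ID (what Okta checks against the Audience URI) and the
    NameIDPolicy Format is the URN behind Okta's "Unspecified" Name ID format choice.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
        f'AllowCreate="true"/>'
        f'</samlp:AuthnRequest>'
    )


def redirect_binding_url(authn_request_xml, idp_sso_url=IDP_SSO_URL, relay_state=None):
    """Encode the request for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if urlparse(idp_sso_url).query else "?"
    return idp_sso_url + separator + urlencode(params)


def decode_redirect_binding(url):
    """Reverse the encoding, as the IdP (or a debugging proxy) would, returning the XML."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def parse_authn_request(xml_text):
    """Pull out the fields the IdP matches against the app settings from step 6."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "name_id_format": policy.get("Format") if policy is not None else None,
    }


if __name__ == "__main__":
    url = redirect_binding_url(build_authn_request(), relay_state="/")
    print(url)
    print(parse_authn_request(decode_redirect_binding(url)))
```

If an Okta login fails with an audience or destination error, comparing the decoded request against the app's Audience URI and Single sign-on URL is the quickest way to spot a mismatch. The page's example uses http://localhost for a lab setup; the login URL and sign-out URL on a real deployment should be https, since the SAML response carrying the user's identity is posted to that address.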


MFT Server Instructions

Launch the MFT Server Manager interface.

Click on Keys > Host Keys. Click on Import, then select Import File from the dropdown list. The Import Public Key dialog will appear.


Key alias - enter the desired alias name.

Key file - enter the name of the X.509 certificate file you downloaded in Step 9 of the Okta instructions.

Edit the domain the Okta user will have access to. (Click on Domains > View Domains, then select the domain to edit.)

Navigate to ACCOUNTS > Authentication > Web SSO tab.


Sign-in URL - paste the Identity Provider Single Sign-On URL you copied in Step 9 of the Okta instructions.

Sign-out URL - enter the desired sign-out URL (for example: https://localhost:8880).

Verification Certificate - select the Host Key that you imported into Keys > Host Keys.

Create user if not found using template - check this box to allow the system to create the user if they don't already exist in the Users table.

Log in to the MFT Server Web Client using a URL with this format: http://<hostname>:<port>/sso/<domain_name>/login (for example: http://localhost:8880/sso/Domain2/login).


If you have already authenticated with the Okta identity provider, you will be automatically logged in to the MFT Server Web Client application.

If you have not authenticated with the Okta identity provider, you will be presented with the Okta login page. If you successfully authenticate, the MFT Server Web Client application will load.

Note: New user - If the user logging in is a new user, not yet in the YourDomain > ACCOUNTS > Users > Users grid, the same behavior will occur as described above only if the Create user if not found using template field is checked, as depicted in figure 418. When checked, the user is automatically added to the Users table after the first time they successfully authenticate. When the Create user if not found using template field is not checked, the user will be presented with the standard MFT Server Web Client login page and will not be able to log in using Okta SSO. If Allow non SSO logins is not checked (as depicted in figure 418), then only Okta SSO logins will be allowed.
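The Web SSO fields above and the Note describe what the server checks once Okta posts a SAML Response back to the login URL. The following added example (not MFT Server's code) models those checks on a constructed, unsigned Response shaped like Okta's: the assertion must come from the expected issuer, its AudienceRestriction must name the SP Entity ID from step 6b, its SubjectConfirmationData Recipient must be the Single sign-on URL from step 6a, and its NotBefore/NotOnOrAfter window must contain the current time (with a small clock-skew allowance). It then applies the Note's provisioning rule to the NameID against a Users table modelled as a dict. It deliberately does not verify the XML signature, which is what the Verification Certificate (the imported X.509 host key) is for; that needs an XML-signature library, and a real SP must verify the signature before trusting any of the fields checked here. IDP_ISSUER, alice@example.com, the outcome labels and the reading of Allow non SSO logins as "otherwise denied" are my assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from the page's example configuration. IDP_ISSUER is a constructed
# placeholder for the Okta issuer shown with the X.509 certificate in step 9.
SP_ENTITY_ID = "jscape"
ACS_URL = "http://localhost:8880/sso/Domain2/login"
IDP_ISSUER = "http://www.okta.com/PLACEHOLDER_IDP_ID"

SAMPLE_NOW = datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
ONE_HOUR_LATER = SAMPLE_NOW + timedelta(hours=1)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_response(now, subject="alice@example.com", audience=SP_ENTITY_ID):
    """Constructed, unsigned Response shaped like Okta's, valid +/- 5 minutes around now."""
    nb, noa = _iso(now - timedelta(minutes=5)), _iso(now + timedelta(minutes=5))
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="_r1" Version="2.0" IssueInstant="{_iso(now)}" Destination="{ACS_URL}">
  <saml2:Issuer>{IDP_ISSUER}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="{_iso(now)}">
    <saml2:Issuer>{IDP_ISSUER}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{subject}</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{noa}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def validate_assertion(response_xml, now, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                       expected_issuer=IDP_ISSUER, skew=timedelta(minutes=3)):
    """Return (ok, reason, name_id). Assumes the XML signature was already verified
    against the imported certificate; this function does not do that itself."""
    root = ET.fromstring(response_xml)
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status not Success", None
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    issuer = assertion.findtext("saml2:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer}", None
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        return False, "no conditions", None
    if now + skew < _parse(cond.get("NotBefore")):        # not yet valid, even with skew
        return False, "assertion not yet valid", None
    if now - skew >= _parse(cond.get("NotOnOrAfter")):    # expired, even with skew
        return False, "assertion expired", None
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if sp_entity_id not in audiences:                     # Audience URI (SP Entity ID) check
        return False, "audience mismatch", None
    data = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != acs_url:  # must be addressed to our login URL
        return False, "recipient mismatch", None
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    if not name_id:
        return False, "no NameID", None
    return True, "ok", name_id


def resolve_login(name_id, users, create_if_not_found, allow_non_sso):
    """Model the Note for a validated NameID against the Users table (a dict).
    Returns (outcome, user): "sso" for a known user, "created" when the template option
    provisions a new one, "standard_login" when the user is sent to the normal login
    page, and "denied" when non-SSO logins are off as well (my reading of the Note)."""
    if name_id in users:
        return "sso", users[name_id]
    if create_if_not_found:
        users[name_id] = {"username": name_id, "source": "template"}   # hypothetical record
        return "created", users[name_id]
    return ("standard_login" if allow_non_sso else "denied"), None
```

Before importing the downloaded certificate as a Host Key it is worth checking its validity dates with openssl x509 -in <file> -noout -subject -dates, because Okta rotates signing certificates and an expired or replaced certificate will make every login fail signature verification with no change on the MFT Server side.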


Figure 418 [image clip0418]

© 2023 Redwood Software, Inc.