Okta (SAML 2.0)

 

SSO integration using SAML requires FlexDeploy to be running using HTTPS. 

You must also download the Okta Certificate (from within the Okta Edit SAML Settings).

Download the SHA-2 certificate.

 

and import it into the keystore which was created as part of the HTTPS configuration (adjust parameters below as appropriate).

/u01/java/jdk1.8.0_281/bin/keytool -import -alias okta -file /var/tmp/okta.cert -keystore /home/oracle/flexdeploy.keystore

 

You will need to define an application in your Okta console.

Replace capitalized text with appropriate values. Update values in the configuration file as shown below.

  • FLEXDEPLOY_HOME - Directory on the server where FlexDeploy is installed

  • KEYSTORE_PASSWORD - The Java key store password.

  • PRIVATE_KEY_PASSWORD -The private key password.

  • OKTA_METADATA_URL - The URL (from Okta) to the identity provider metadata (e.g. https://dev-484624.okta.com/app/exk4c1ilhiTs3dKRb4y5/sso/saml/metadata).

  • FLEXDEPLOY_HOST - FlexDeploy application host

  • FLEXDEPLOY_PORT - FlexDeploy application port

  • AUDIENCE_RESTRICTION - The Audience Restriction or Audience URI (SP Entity ID) found in the Okta UI.

  • PATH_TO_YOUR_KEYSTORE_FILE - The path to the keystore, including the file name and extension.

Example fdsso.config file for Okta (SAML 2.0)

Change log

  • FlexDeploy 6.0.0.0 - The values for excludedPathMatcher.excludedPath, and logout.defaultUrl have changed

callbackFilter.defaultUrl = /flexdeploy saml2Config = org.pac4j.saml.config.SAML2Configuration saml2Config.keystorePath = PATH_TO_YOUR_KEYSTORE_FILE saml2Config.keystorePassword = KEYSTORE_PASSWORD saml2Config.privateKeyPassword = PRIVATE_KEY_PASSWORD saml2Config.identityProviderMetadataPath = OKTA_METADATA_URL saml2Config.maximumAuthenticationLifetime = 3600 saml2Config.serviceProviderEntityId = AUDIENCE_RESTRICTION saml2Config.serviceProviderMetadataPath = FLEXDEPLOY_HOME/apache-tomcat-flexdeploy/sso/FlexDeployMetadata.xml saml2Client = org.pac4j.saml.client.SAML2Client saml2Client.configuration = $saml2Config clients.callbackUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback clients.clients=$saml2Client isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher excludedPathMatcher.excludedPath = /next/#/login config.authorizers = admin:$isAuthenticatedAdmin config.matchers = excludedPath:$excludedPathMatcher ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter ssoFilter.config = $config ssoFilter.clients = SAML2Client ssoFilter.matchers = nocache ssoFilter.authorizers = admin logout = io.buji.pac4j.filter.LogoutFilter logout.config = $config logout.localLogout = true logout.centralLogout = true logout.defaultUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/next/#/home

 

Configuration Tips

If the Java keystore referenced (line 2) does not exist, it will automatically be created, and key will be generated and inserted into the keystore using the passwords provided (line 3 and 4).

The Okta Identity Provider Metadata can be found from within the Sign On tab of your Okta application.

The following macros are not currently supported in the footer:
  • style