Okta SAML Configuration

Prev Next

This setup instructions provide information for configuring SAML based sign-in via Okta for all users in the organization to eShare application. The Entity ID and ACS URL, referenced in this document, will be provided to you by eShare’s Customer Success team when the tenant for your organization is provisioned on the eShare platform.

  1. Login to your Okta instance admin portal, typically https://<tenant_name>-admin.okta.com/.

  2. In left navigation pane, expand the ‘Applications’ section and select ‘Applications’ from the menu.

  3. Click on ‘Create App Integration’ button.

Graphical user interface, application  Description automatically generated

  1. In the ‘Create a new app integration’ pop-up window, select “SAML 2.0” and click ‘Next’.

Graphical user interface, text, application  Description automatically generated

  1. In the ‘Create SAML Integration’ page, under ‘General Settings’ tab, input name of the app (e.g., eShare SAML App) and select ‘Next’.

Graphical user interface, application  Description automatically generated

  1. Witin the ‘Configure SAML’ tab of the same page, for ‘Single sign on URL’ input the ACS URL provided by eShare. For ‘Audience URI (Entity ID)’, input the Entity ID provided by eShare.

Graphical user interface, application  Description automatically generated

  1. Verify ‘Use this for Recipient URL and Destination URL’ is selected, as shown in the screenshot. Verify values for the following are selected:

    1. Name ID format: EmailAddress

    2. Application username: Email

    3. Update application username on: Create and update

  1. Scroll down to ‘Attributes Statements (optional)’ section. In the displayed statement, input the following:

    1. Name: firstname

    2. Name format: Unspecified – Default value, leave unchanged

    3. Value: From the drop down list, select ‘user.firstName’

  2. Select the ‘Add Another’ button.

Graphical user interface, text, application  Description automatically generated

  1. Repeat steps above to add the following statements:

    1. Name: lastname; value: user.lastName

    2. Name: email; value: user.email

    3. Name: upn; value: user.principalname

    4. Name: ncckey; value: user.objectId

    5. Name: alias; value: user.secondaryauthoritativeemail

Note: the ‘user.objectId’ attribute value and ‘alias’ attribute value mappings will may differ depending on which attributes are synched to Okta. Ensure the value mapping selected for ‘ncckey’ is any unique and immutable attribute of the user object, and the value mapping for ‘alias’  contain any alternative email addresses for the user.

A sample of completed ‘Attributes’ section is shown below:

Graphical user interface  Description automatically generated

  1. Scroll down and click ‘Next’. In the ‘Feedback’ tab, select ‘I am an Okta customer adding an internal app’ and the ‘It’s required to contact the vendor to enable SAML’ options. When done, click ‘Finish

Graphical user interface, text, application, email  Description automatically generated

  1. Setting tab is displayed. Select the ‘View Setup Instructions’ button to view details.

Graphical user interface, text, application, email  Description automatically generated

  1. A new browser tab opens in Okta to ‘How to Configure SAML 2.0 for eShare SAML Application’. Copy and send the following to your eShare Customer Success Manager:

    1. Identity Provider Single Sign-On URL

    2. X.509 Certificate

  1. Alternatively, scroll down to ‘Optional’ section, copy the entire content (XML) and send it to your eShare Customer Success Manager

  2. Switch to the ‘eShare SAML App’ browser tab in Okta Admin Console and navigate to ‘Assignments’ tab for the newly configured app. Add users and/or groups to whom the application should be assigned.

Configure Group Based Entitlement

In situations where only a subset of the authenticated users to eShare application should have the ability to share files/folders from their cloud storage service (e.g., OneDrive, Dropbox, etc.), it is necessary for the Okta to include the Group information of such users.

If users are members of the designated Group, the SAML statement sent by Okta to eShare during the user’s login would include the Group attribute. This allows eShare to consume the Group attribute and enable the cloud storage service. If the Group attribute is not available for the user (because the user is not a member of the Group), such users would be able to access eShare but will only be able to access Trusted Shares received by them.

To configure Okta to include Group attribute in SAML statement:

  1. Login to Okta Admin Console. Switch to ‘Applications‘ > ‘Applications’ > ‘eShare SAML App’ (as configured above).

  2. Select the ‘General’ tab, then the ‘Edit’ button under ‘SAML Settings’ section.

  3. Within the ‘Group Attribute Statements (optional)’ section, input any name for ‘Name’. For ‘Filter’ select ‘Equals’ and input name of the target Group. Members of this group would be provisioned with Cloud Provider in eShare application.

  4. Select ‘Next’ to save the changes.

Graphical user interface, text, application  Description automatically generated