Configure Single Sign On with SAML via Okta

OverOps Experts
, , ,
1

The purpose of this article is to demonstrate how to setup Single Sign On via SAML with Okta to be used with OverOps and to be able to control which roles users will be assigned to based on group level access in Okta.

Please reference the following documents for information regarding SAML:

Creating Application to Use with OverOps

  1. From the Applications section, click on Add Application.

image
image1014×652 99.9 KB

  1. Click on Create New App.

image
image1276×782 145 KB

  1. Ensure to have selected the following:
  • Platform: Web
  • Sign on method: SAML 2.0

Then click on Create.

image
image1036×701 102 KB

  1. Enter the SAML Settings that will be used for your environment:

Enter other settings as noted in screenshot. Ensure to enter the role attribute as this will be used later to assign specific users to certain environments within Overops.

For this example, we will use http://mytest.local:8080/saml/global for demonstration purposes.

Click Next.

image
image729×854 153 KB

  1. Select the following options:
  • Are you a customer or partner?: I’m an Okta customer adding an internal app
  • App type: This is an internal app that we have created

image
image734×641 122 KB

  1. Once your new OverOps application is loaded, click on the Sign On tab, then click on View Setup Instructions.

image
image733×914 105 KB

  1. Scroll down to the bottom of the page to see your new metadata under the Optional section to be used for your environment. Highlight and copy the data inside this box.

NOTE: Ensure that there are no line breaks or paragraph breaks BEFORE using this. Instructions on how to use this for on-prem solutions can be viewed by here: SAML Configuration for On-Premises

image
image817×452 190 KB

  1. Assign users to the OverOps application to test with. Click on Assign->Assign People->next to user click Assign->click Save and Go Back->Done

image
image742×662 79.9 KB

image
image714×622 50.3 KB

  1. Open a new browser page and type the backend address in the address field (i.e. http://mytest.local:8080). Test your login credentials for the user you have created to test with.

image
image437×762 78.2 KB

image
image1920×1035 110 KB

Adding Roles/Groups to Access Specific Environments

  1. Create different groups for each environment to be used within your OverOps. This will serve for different roles that can be used in OverOps (Admin, Member, Viewer).

For this example, we will use TestKey01 and AnotherTestKey02 as names for the OverOps environments. We will create different groups within Okta that will serve for Admin, Member, and Viewer for each environment. We also assigned a test user to be provided Member access to TestKey01 and Viewer access to AnotherTestKey02.

image
image1272×838 173 KB

  1. Go to the Applications section, select Groups and assign the OverOps application to each group to be used to access the OverOps environment.

image
image779×671 155 KB

NOTE: If the following screen comes up, leave blank, then click Save and Go Back.

image
image630×599 70.1 KB

  1. Scroll your mouse over the Directory section, then click on Profile Editor.

  2. Click Profile next to your OverOps application.

image
image1022×602 112 KB

  1. Click on Add Attribute.

image
image1022×567 92.3 KB

  1. Enter the role attribute with fields as shown in screenshot below, then click Save.

image
image710×721 117 KB

  1. Go back to the Profile Editor section. Click on Mappings next to the OverOps application.

image
image1264×955 160 KB

  1. On the top of the page, click Okta User to (i.e. OverOpsTest).

  2. Map the groups users will need access to next to the new role attribute using the following syntax:

String.join(", ", isMemberOfGroupName("<S2AdminGroupName>") ? "<NameofEnvironment1> Admin" : null, isMemberOfGroupName("<S2MemberGroupName>") ? "<NameofEnvironment1> Member" : null, isMemberOfGroupName("<S2ViewerGroupName>") ? "<NameofEnvironment1> Viewer" : null, isMemberOfGroupName("<S3AdminGroupName>") ? "<NameofEnvironment2> Admin" : null, isMemberOfGroupName("<S3MemberGroupName>") ? "<NameofEnvironment2> Member" : null, isMemberOfGroupName("<S3ViewerGroupName>") ? "<NameofEnvironment2> Viewer" : null)

For this example, using the following string command:
String.join(", ", isMemberOfGroupName(“TestKey01_Admin_Group”) ? “TestKey01 Admin” : null, isMemberOfGroupName(“TestKey01_Member_Group”) ? “TestKey01 Member” : null, isMemberOfGroupName(“TestKey01_Viewer_Group”) ? “TestKey01 Viewer” : null, isMemberOfGroupName(“AnotherTestKey02_Admin_Group”) ? “AnotherTestKey02 Admin” : null, isMemberOfGroupName(“AnotherTestKey02_Member_Group”) ? “AnotherTestKey02 Member” : null, isMemberOfGroupName(“AnotherTestKey02_Viewer_Group”) ? “AnotherTestKey02 Viewer” : null)

  1. Click on arrow next to string and select Apply mapping on user create and update.

image
image1264×1004 285 KB

  1. Click on the Preview field on the bottom of the page and enter a user account that has at least one of the groups assigned to the account. This will return the value of the groups the user is assigned to.

image
image1009×929 126 KB

  1. On the bottom of the page, click Exit Preview, then click on Save Mappings.

  2. From the Applications section, go to the OverOps applications, select Sign On tab, click on Update Now to update users with their newly assigned groups.

image
image732×883 99.9 KB

  1. Sign in the dashboard as the test user to view each environment to confirm the appropriate access has been provided.

image
image1350×543 101 KB