TECHNICAL NOTE


Fasoo SAML integration (Okta SSO)

An Okta administrator can create a SAML application so that Okta Single Sign-On (SSO) is used for the Fasoo administrator interface and for Fasoo client authentication.  This allows the organization to use its existing Okta identity, security and tracking technologies to control access to Fasoo services.


1.1 Request SAML Configuration Parameters from Fasoo

The setup process requires variables unique to each customer’s Okta and Fasoo deployments.  Please contact your Fasoo technical contact or the Fasoo Help Desk to obtain the correct Fasoo information required for this process.

Request the following parameters from Fasoo.  The domain in the example settings (fds.fasoo.com, shown in red in the original note) is the part unique to your Fasoo deployment.

    Parameter                                  Example Setting
    Audience URL (SP Entity ID)                https://fds.fasoo.com:443/
    Reply URL (Assertion Consumer Service)     https://fds.fasoo.com:443/fed5/services/samlv20/acs
    Sign on URL                                https://fds.fasoo.com:443/fed5/services/samlv20/acs
    Logout URL                                 https://fds.fasoo.com:443/fed5/services/samlv20/logout


1.2 Create SAML Application within Okta Admin Portal

Execute the following steps to prepare the SAML application.

    1. Login to https://www.okta.com using an Admin account.

    2. Go to the Admin portal by clicking the Admin button located in the top right corner of the interface.

    3. Navigate to Applications > Applications and click the Create App Integration button.

    4. Within the Create a new app integration wizard, select SAML 2.0 and click Next.

    5. In General Settings, create an App Name, upload an App logo and click Next.  The App logo is optional.

    6. In Configure SAML, enter the values from the table below into the appropriate fields, substituting your Fasoo domain
        for fds.fasoo.com (shown in red in the original note).  Use the values you got from Fasoo in section 1.1 to complete this section.

        Okta SAML parameter             Parameter from Fasoo          Example Setting
        Single sign on URL              Sign on URL                   https://fds.fasoo.com:443/fed5/services/samlv20/acs
        Audience URI (SP Entity ID)     Audience URL (SP Entity ID)   https://fds.fasoo.com:443/

        Check "Use this for Recipient URL and Destination URL".

    7. Click on Show Advanced Settings.

    8. Click the Browse files button beside Signature Certificate.

    9. Upload the certificate used for logout.

    10. Enter the “Logout URL” value you got from Fasoo in section 1.1 in the “Single Logout URL” field.
        The format is https://domain:443/fed5/services/samlv20/logout.  Substitute your Fasoo domain for "domain"
        (shown in red in the original note).

    11. Scroll to the bottom of the page and click Next.

    12. Select I’m an Okta customer adding an internal app.
        Select This is an internal app that we have created.
        Scroll to the bottom of the page and click Finish.



1.3 Acquire Okta Data Required for the Fasoo Server Configuration

    1. Click on View SAML Setup Instructions.

        Note: Clicking the View SAML setup instructions button will open a new browser tab displaying the data required for
        the Fasoo server configuration.

    2. Copy and send the following information, shown on the tab that opens, to your Fasoo Server setup/support team.

        • Identity Provider Single Sign-On URL
        • Identity Provider Single Logout URL
        • Identity Provider Issuer
        • X.509 Certificate (download and send the crt file)

        Note: Not all values are used in every deployment, but provide all 4 items to your Fasoo setup/support team.



1.4 Assign Users/Groups to Newly Created SAML App


    1. Go to the Assignments tab, click on Assign and select the desired assignment option.

    2. Select either People or Groups to assign to the SAML app.

    3. From the opened dialog box, click the Assign button adjacent to every user or group desired.

    4. When finished with all assignments, click the Done button.

    5. Now when users log in to Okta they will see all apps that are assigned to them.

    6. If you are not responsible for the setup of the Fasoo server SAML configuration, please ensure the Fasoo setup team
        received the following to configure the Fasoo server and await further instructions.  You are now finished with your
        setup process.

        • Identity Provider Single Sign-On URL
        • Identity Provider Single Logout URL
        • Identity Provider Issuer
        • X.509 Certificate (download and send the crt file)

    7. If you are responsible for the setup of Fasoo server SAML configuration, please continue with the steps in section 1.5.



1.5 Fasoo server SAML configuration (Okta SSO)

A Fasoo server administrator can now configure the Fasoo service using the items acquired in section 1.3 to allow access using Okta.

    1. Open [Install Drive]:\Fasoo\FED5\webapps\fed5\WEB-INF\fasoo\config\appserver.config using a text editor such as
        Notepad++.  Your path may be different depending on the installation requirements.

    2. Modify the following values to both enable and accommodate Okta SAML authentication.  Modify the items in the
        appserver.config file to match the block below (shown in red in the original note).  Use your Identity Provider
        Single Sign-On URL value from section 1.3 where the block shows https://domain/app/xxx/xxx/sso/saml (green in the
        original) and the identity provider domain where it shows https://domain (blue in the original).


<samlv20 enabled="true" web-enabled="true">
  <id-attribute-name>id</id-attribute-name>
  <saml-request-id-verifier enabled="true" />
  <idp>
    <sso-url>https://domain/app/xxx/xxx/sso/saml</sso-url>
    <sso-binding>post</sso-binding><!-- get, post -->
    <sso-logout-url>https://domain</sso-logout-url>
    <sso-logout-binding>post</sso-logout-binding>
    <user-id-url>https://domain/app/xxx/xxx/sso/saml</user-id-url>
    <user-id-param-name>username</user-id-param-name>
    <user-pw-url>https://domain/app/xxx/xxx/sso/saml</user-pw-url>
    <user-pw-param-name>pwd</user-pw-param-name>
  </idp>
  <login-with-token enabled="true" />
</samlv20>


Example: Use the appserver.config sample below as reference to locate the items referenced above.
[Figure: sample appserver.config]


    3. Restart the FED5 service on the Fasoo server to enable SAML for Fasoo services.

    4. Access the FED administrator console through a web browser (e.g. https://fed5.fasoo.com/fed5).  This is the Fasoo
        service URL referenced in section 1.1.

    5. Click the “Log in with SAML” button and enter Okta credentials to access the console.  Ensure your admin account has
        been granted administrative privileges to access the Fasoo console.

    6. Log into a Fasoo client on a PC or Mac with Okta credentials.
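As an added check, not Fasoo or Okta code, to run before the restart in step 3 of section 1.5: this Python script fills the samlv20 block from the Identity Provider Single Sign-On URL and IdP domain obtained in section 1.3, then verifies that SAML is enabled, that the request-ID verifier is on, and that every IdP URL is HTTPS and points at your own Okta domain. The element names are those of the block in step 2; the sample Okta values are constructed.

```python
"""Added example (not Fasoo or Okta code): render the <samlv20> block of
appserver.config from the section 1.3 Okta values and check it."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Template with the elements shown in the note; {sso} and {slo} replace the green and blue placeholders.
SAMLV20_TEMPLATE = """<samlv20 enabled="true" web-enabled="true">
  <id-attribute-name>id</id-attribute-name>
  <saml-request-id-verifier enabled="true" />
  <idp>
    <sso-url>{sso}</sso-url>
    <sso-binding>post</sso-binding>
    <sso-logout-url>{slo}</sso-logout-url>
    <sso-logout-binding>post</sso-logout-binding>
    <user-id-url>{sso}</user-id-url>
    <user-id-param-name>username</user-id-param-name>
    <user-pw-url>{sso}</user-pw-url>
    <user-pw-param-name>pwd</user-pw-param-name>
  </idp>
  <login-with-token enabled="true" />
</samlv20>"""


def render_samlv20(idp_sso_url: str, idp_domain: str) -> str:
    """Fill the template with the Okta Single Sign-On URL and the IdP domain."""
    return SAMLV20_TEMPLATE.format(sso=idp_sso_url, slo=f"https://{idp_domain}")


def check_samlv20(xml_text: str, idp_domain: str) -> list:
    """Return the problems found in the block; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("enabled") != "true" or root.get("web-enabled") != "true":
        problems.append("samlv20 must have enabled and web-enabled set to true")
    verifier = root.find("saml-request-id-verifier")
    if verifier is None or verifier.get("enabled") != "true":
        problems.append("saml-request-id-verifier must be enabled")
    for tag in ("sso-url", "sso-logout-url", "user-id-url", "user-pw-url"):
        url = root.findtext(f"idp/{tag}") or ""
        parsed = urlparse(url)
        if parsed.scheme != "https":          # IdP endpoints must be TLS-only
            problems.append(f"{tag} is not https: {url}")
        elif parsed.hostname != idp_domain:   # and must point at your own Okta org
            problems.append(f"{tag} host {parsed.hostname} is not {idp_domain}")
    return problems


# Constructed sample values in the shape of Okta's setup-instructions page.
SAMPLE_IDP_DOMAIN = "example.okta.com"
SAMPLE_SSO_URL = "https://example.okta.com/app/exampleapp/abc123/sso/saml"
```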