How to configure SAML with Okta

Introduction

OpenVPN Access Server 2.11 and newer supports authentication using SAML with Okta as the identity provider. You can configure this in Okta with Access Server as your service provider.

The following steps walk you through how to enable SAML authentication for users and groups from Okta to Access Server.

Before you begin

You need the following to get started:

Note: We recommend using all lowercase usernames when logging in with SAML.

Step 1: Create the Okta SAML application

With Okta, you must create a custom SAML application.

First, gather information about your Access Server as the service provider (SP).

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. You’ll need the following information:
    • SP Identity.
    • SP ACS.

Now that you have your SP information, you can create a new Okta SAML app and enter that information during app creation:

  1. Sign in to your Okta admin dashboard.
  2. From Applications, create a new app integration.
  3. Select SAML 2.0 and click Next.
  4. Provide an App name and App logo, choose the App visibility, then click Next.
  5. Use the SP information from Access Server to fill in the following fields in the Okta SAML settings:
    • Single sign on URL: Enter the Access Server SP ACS.
    • Audience URI (SP Entity ID): Enter the Access Server SP Identity.
    • Default RelayState: Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (For more details, refer to “How to set up IdP-initiated flow” below.)
  6. Click Next.

To download the Okta metadata file for automatic configuration (option 1):

  1. With your new app, click View SAML setup instructions under the Sign On tab.
  2. Under Optional, select the XML and copy it, then create an XML file with the copied metadata.

To copy the Okta SAML data for manual configuration (option 2):

  1. With your new app, click View SAML setup instructions under the Sign On tab.
  2. Copy the content in Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate.

Step 2: Configure Okta SAML data with Access Server

The simplest way to set up Okta SAML for Access Server is by providing the metadata XML file (option 1), but you can also manually configure (option 2).

To upload the Okta metadata file in the Admin Web UI (option 1):

Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
  4. Click Choose File for Select IdP Metadata File.
  5. Select your Okta metadata XML file and click Upload, then Update Running Server.
  6. The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

To manually configure Okta SAML (option 2):

  1. Sign in to your Access Server Admin Web UI.
  2. Click Authentication > SAML.
  3. Click Configure Identity Provider (IdP) Manually to expand the section.
  4. Paste the following from Okta to the Access Server fields:
    • Paste the Okta Identity Provider Single Sign-On URL into Access Server’s Sign On Endpoint.
    • Paste the Okta Identity Provider Issuer into Access Server’s IdP EntityId.
    • Paste the Okta X.509 Certificate into Access Server’s Certificate (PEM format).
  5. Click Save, then Update Running Server.
  6. The IdP fields are now saved.
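The metadata file uploaded in option 1 carries the same three values you paste by hand in option 2. The following added example (not code from Access Server or Okta) parses an Okta-style IdP metadata file with Python's standard library and returns the Sign On Endpoint, IdP EntityId and PEM-formatted certificate, plus a SHA-256 fingerprint of the signing certificate that you can compare against the certificate shown in Okta before trusting it. The sample metadata and its certificate body are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in Okta's metadata layout; the certificate body is placeholder bytes, not real DER.
FAKE_DER = b"Man" * 30
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>
        {base64.b64encode(FAKE_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(b64_body: str) -> str:
    """Wrap the bare base64 from <X509Certificate> into the PEM block the Certificate field expects."""
    body = "".join(b64_body.split())          # the metadata value is usually padded with whitespace
    base64.b64decode(body, validate=True)     # reject corrupted or truncated input before it is pasted
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def parse_idp_metadata(xml_text: str) -> dict:
    """Return Sign On Endpoint, IdP EntityId, Certificate (PEM) and a SHA-256 fingerprint of the cert."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    # Okta publishes POST and Redirect bindings; the Sign On Endpoint field takes a single URL.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    endpoint = sso.get(POST) or sso.get(REDIRECT)
    if not endpoint or not endpoint.startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService endpoint in metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [kd.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate") or ""
             for kd in idp.findall(f"{{{MD}}}KeyDescriptor") if kd.get("use", "signing") == "signing"]
    if not certs or not certs[0].strip():
        raise ValueError("no signing certificate in metadata")
    fingerprint = hashlib.sha256(base64.b64decode("".join(certs[0].split()))).hexdigest()
    return {"sign_on_endpoint": endpoint, "idp_entity_id": root.get("entityID"),
            "certificate_pem": to_pem(certs[0]), "cert_sha256": fingerprint}
```

Point parse_idp_metadata at the XML you saved in Step 1 and compare the returned cert_sha256 with the certificate Okta displays under View SAML setup instructions before pasting the values into the Access Server form.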

Step 3: Assign SAML as user authentication

Once you’ve provided the SAML configuration for Okta, you can enable it for users.

  1. Sign in to the Admin Web UI.
  2. Click Authentication > SAML.
  3. Click the toggle to turn on Enable SAML authentication, then click Save Settings and Update Running Server.
  4. You can now enable SAML as the global default authentication or for specific groups and users.

Step 4: Assign the Okta app to users

You must assign this app to users or groups in Okta:

  1. Sign in to the Okta admin dashboard.
  2. Select your SAML app and click the Assignments tab.
  3. Assign the SAML app to specific groups, or to everyone:
    • Click Assign > Assign to Groups to assign it to selected groups.
    • Click Assign for Everyone, then click Done, to assign it to all users.

The assigned users (or, if you chose Assign for Everyone, all users in your organization) now have access to your Access Server SAML app.

How to set up IdP-initiated flow (optional)

You can configure an IdP-initiated flow for signing into Access Server from Okta with the following steps:

  1. Sign in to the Okta admin dashboard.
  2. Click Applications > Applications, and click your custom SAML app.
  3. Click the General tab, then click Edit under SAML Settings.
  4. Under step 2, Configure SAML, enter one of the following for Default RelayState:
    • cws: This directs your users to the Client Web UI after sign-in.
    • profile: This directs your users to a profile download after sign-in.
  5. Save changes.

Your users can now sign in to Okta and find the Access Server SAML application under My Apps.