¶ Introduction
This document describes how to configure Okta to support SAML SSO with the Wyebot cloud dashboard.
The Wyebot cloud dashboard supports IdP-initiated SAML SSO. This means the browser session starts at the IdP where the user logs in - not at the Wyebot cloud dashboard. After a successful authentication, the user’s browser session is redirected to the Wyebot dashboard where the session is validated and the user is granted access. The main benefit of SAML SSO is that user credentials are only stored locally in an organization’s infrastructure.
All SAML users are treated as Administrators on the Wyebot dashboard. Limited users are currently not supported for SAML authentication.
On the Wyebot dashboard, user types of Admin and Limited are considered Local users. Password information for these users is stored locally in the Wyebot cloud database. SAML users are Non-Local users and no password information is stored locally for them.
You must always have at least one Local user configured on the dashboard. If your organization wishes to exclusively use SAML users, simply keep one Local user account configured on the dashboard. A Local user can have the same username as a SAML user.
¶ Terms Used in This Document
SAML - Security Assertion Markup Language is a standardized method of authenticating and redirecting browser sessions.
SSO - Single Sign-On allows a user to log into one site and reuse credentials across multiple other sites.
Identity Provider (IdP) - The device or provider that performs the authentication. In this example, the authentication is done by Active Directory.
Service Provider (SP) - The service that a user wishes to use. In this example, the SP is the Wyebot cloud dashboard.
SAML User - The user that is attempting to authenticate and access the SP. The user’s credentials are not stored on the SP, only on the IdP.
Consumer URL - The URL an IdP forwards a SAML request to following a successful authentication.
¶ Instructions
- Click the Create App Integration button on the Applications page of your Okta dashboard.
- Select SAML 2.0
- Set name and App visibility to your preference
- Set Single sign-on URL and Audience URI to https://cloud.wyebot.com temporarily. We will update these later. Set the attributes for wyebot-username, wyebot-firstname, and wyebot-lastname.
-
Download the SHA-2 certificate from the Application's Sign On page. The certificate will need to be converted into the fingerprint that Wyebot requires. This can be done with OpenSSL
-
In Wyebot, head to the Management > Users page, enable SAML Authentication, and click the blue Add IdP button.
- Set the name according to preference and paste in the fingerprint you generated.
- Copy the consumer URL from Wyebot
- On Okta, head to the General page of your Application’s settings and Edit the SAML settings.
- Paste the consumer URL from Wyebot into the Single sign-on URL box on the Configure SAML page.
- Assign the application to a user and they should be able to log in through their Okta dashboard account.