
Okta SAML

Overview

Bold Penguin supports a wide variety of SAML 2.0 and OAuth 2.0 identity providers for SSO into the Bold Penguin Terminal.

This is specific documentation for creating a SAML 2.0 SSO link between Okta Single Sign-On and the Terminal. Additional information regarding Okta Single Sign-On is available at the end of this document.

In this document you will:

  • Create the Okta applications necessary for the connection
  • Configure the required SSO (Single Sign On) link for authentication
  • Configure user attributes
  • Map roles to users to connect your environment to Bold Penguin

Create Applications

You will create two new applications in the Okta Admin Console for the Bold Penguin beta and production environments.

  1. In the Admin Console, go to Applications > Applications

  2. Click Add Application

  3. Click Create App Integration to start the Application Integration Wizard

  4. Select SAML 2.0 for the Sign on method

    [Screenshot: Add application screen]

  5. Click Next

  6. Enter a name for your integration and check the boxes so that the application icon is not displayed to users. Bold Penguin currently doesn't support IdP-initiated SSO; if users clicked these buttons, login would fail.

    [Screenshot: Name application screen]

    Optional app logo available here: Download logo

  7. Click Next to switch to the SAML Settings tab

    [Screenshot: Configure SAML screen]

  8. Use the table below to set the appropriate values for Single sign on URL and Audience URI (SP Entity ID) for each environment

    Production

    • Single sign on URL

      https://boldpenguin-auth.boldpenguin.com/users/auth/saml/callback
    • Audience URI

      https://boldpenguin-auth.boldpenguin.com

    Beta

    • Single sign on URL

      https://boldpenguin-auth-uat.beta.boldpenguin.com/users/auth/saml/callback
    • Audience URI

      https://boldpenguin-auth-uat.beta.boldpenguin.com
  9. Leave Default RelayState blank

  10. Set the Name ID format to EmailAddress

  11. Set the Application username to Email

  12. Your claim needs the following minimum set of attributes:

    URI Reference                                                         Value
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname       user.firstName
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname         user.lastName
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress    toLowerCase(user.email)
    http://schemas.microsoft.com/ws/2008/06/identity/claims/role          appuser.role

    Note: The appuser.role value will not work unless the steps in Configure Roles below are completed.

  13. Click Next

  14. Optionally fill out details to help Okta Support, then click Finish

    [Screenshot: Okta Support]

  15. From the Sign On tab of the newly created app Copy the Metadata URL from the SAML 2.0 Metadata details section.

    [Screenshot: Metadata screen]

  16. Email the metadata URL copied above to your Bold Penguin Project Manager

Configure Roles

  1. Navigate to the Directory > Profile Editor page

  2. Locate and select the Profile for the newly created application. It should match the pattern [ApplicationName] User.

    [Screenshot: Profile Editor]

  3. Select Add Attribute

    [Screenshot: Add Attribute]

  4. Set the Display name to Role

  5. Set the Variable name to role

  6. Select Define enumerated list of values

  7. Add the Agent and Principal attribute members as displayed above.

  8. Check Yes to require the attribute

  9. Select Group for Attribute type

  10. Click Save
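To verify that an Okta test assertion actually carries what the Create Applications steps (Audience URI, EmailAddress Name ID, the four attribute statements) and the Configure Roles section (the enumerated Agent/Principal values) prescribe, the following added example inspects a SAML assertion and reports any mismatches. It is not Bold Penguin's or Okta's code; it assumes the assertion's XML signature has already been verified by your SP library and only checks content. The sample assertion is constructed for the example, and its Issuer value is a placeholder rather than a real Okta org.

```python
# Added example (not Bold Penguin's or Okta's code): check a SAML assertion
# against the settings the page prescribes. Assumes signature verification
# has already happened elsewhere; this only inspects the assertion's content.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Audience URI (SP Entity ID) per environment, from step 8.
AUDIENCE = {
    "production": "https://boldpenguin-auth.boldpenguin.com",
    "beta": "https://boldpenguin-auth-uat.beta.boldpenguin.com",
}

# Step 10: Name ID format EmailAddress.
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Step 12: minimum attribute set.
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
REQUIRED_ATTRIBUTES = {GIVENNAME, SURNAME, EMAIL, ROLE}

# Configure Roles: the enumerated values allowed for the role attribute.
ALLOWED_ROLES = {"Agent", "Principal"}


def parse_attributes(assertion):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_assertion(xml_text, environment):
    """Return a list of problems; an empty list means the assertion matches the settings."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion_tag = "{%s}Assertion" % SAML_NS["saml"]
    # Accept either a bare Assertion or a Response wrapping one.
    assertion = root if root.tag == assertion_tag else root.find("saml:Assertion", SAML_NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    # The Audience must name the SP Entity ID for this environment.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if AUDIENCE[environment] not in audiences:
        problems.append("audience %r does not include %s" % (audiences, AUDIENCE[environment]))

    # The NameID must use the emailAddress format.
    name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        problems.append("missing NameID")
    elif name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append("NameID Format is %r, expected %s" % (name_id.get("Format"), EMAIL_NAMEID_FORMAT))

    attrs = parse_attributes(assertion)
    for name in sorted(REQUIRED_ATTRIBUTES - set(attrs)):
        problems.append("missing attribute " + name)

    # Step 12 maps emailaddress to toLowerCase(user.email); flag mixed case.
    for value in attrs.get(EMAIL, []):
        if value != value.lower():
            problems.append("emailaddress %r is not lower-case" % value)

    # The role must be one of the enumerated values from Configure Roles.
    for value in attrs.get(ROLE, []):
        if value not in ALLOWED_ROLES:
            problems.append("role %r is not one of %s" % (value, sorted(ALLOWED_ROLES)))
    return problems


# Constructed sample assertion for the beta environment; the Issuer is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER_ID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://boldpenguin-auth-uat.beta.boldpenguin.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Agent</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for env in ("beta", "production"):
        print(env, check_assertion(SAMPLE_ASSERTION, env) or "OK")
```

Running the sample against "beta" reports no problems, while "production" reports an audience mismatch, which is exactly what you would see if the beta application's metadata were mistakenly wired to the production tenant. A role value outside Agent/Principal, or an attribute name that does not match the claim URIs in step 12, is reported by name so the Profile Editor entry can be corrected before the metadata URL is sent on.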

Assign Users and Roles

Before a user can log in, they must be assigned to the application and a Role. These roles and permissions will be defined by you and your Project Manager based on our role recommendations.

To assign your integration to users in your org:

  1. Click the Assignments tab in your application.

  2. Click Assign and then select either Assign to People or Assign to Groups.

  3. Enter the appropriate people or groups that you want to have Single Sign-On into your application, and then click Assign for each.

  4. Select a Role from the dropdown.

    [Screenshot: Assign Role]

  5. For any people that you add, verify the user-specific attributes, and then select Save and Go Back.

  6. Click Done.

Testing

Your Project Manager will confirm receipt of the metadata URLs from your applications above. Once we add these to your tenant, you should be able to log in to the Bold Penguin Enterprise Terminal using the dashboard URL for your domain:

https://terminal.boldpenguin.com

When your users first authenticate into Okta, Bold Penguin receives the roles you mapped above in our authentication layer.

Next, you will work with your project manager to add the appropriate permissions for each role or group.

Useful Okta resources