
Setting Up 1Kosmos as an Identity Provider

You can configure Okta as a service provider (SP) in addition to using it as an identity provider (IdP). When Okta acts as a service provider, it integrates with an external IdP, in this case 1Kosmos, over SAML 2.0.

Configuring SAML

To configure SAML, you must add 1Kosmos as a SAML identity provider in Okta and then configure identity provider routing rules, as described in the following sections.

Adding a SAML Identity Provider

To add SAML as an Identity Provider, follow these steps:

  1. In the Admin Console, navigate to Security > Identity Providers.

  2. Click Add identity provider, and then select SAML 2.0 IdP.

  3. Click Next.

  4. Configure the General Settings options.

    Name: Enter a name for the IdP.
  5. Configure the Authentication Settings options.

    IdP Usage: Select how Okta uses this IdP. The following values are available:
    - SSO only - Use this option for single sign-on.
    - Factor only - Use this option for multi-factor authentication.
    Account matching with Persistent Name ID: Select the Use Persistent Name ID (Higher Security) check box to identify the user account by matching the assertion's Name ID with the Okta user's External ID. If no match is found, Okta falls back to matching on the IdP username value.
  6. Configure the Account matching with IdP Username options.

    IdP username: Select the element of the SAML assertion that carries the username.
    Filter: Select the Only allow usernames that match defined RegEx Pattern check box if you want to restrict accepted usernames to a regular expression.
    Match against: Select the Okta user attribute to match against the IdP username.
    Account link policy: Select the Enable automatic linking check box to link the user's IdP account to a matching Okta account automatically.
    IdP Issuer URI: Enter the issuer URI of the IdP.
    IdP Single Sign-On URL: Enter the sign-on URL of the IdP.
    IdP Signature Certificate: Upload the certificate the IdP uses to sign assertions. Click Browse files, select the certificate file, and then click Open.
    Request Binding: Select the SAML Authentication Request Protocol binding that Okta uses to send authentication requests (AuthnRequest messages) to the IdP.
    Request Signature: Select the Sign SAML Authentication Requests option to have Okta sign the authentication requests it sends to the IdP Single Sign-On URL.
    Response Signature Verification: Select which element must carry a signature for Okta to accept an incoming response. The following values are available:
    - Response
    - Assertion
    - Response or Assertion
    Choose the value that matches what the IdP actually signs; Response or Assertion accepts either.
    Response Signature Algorithm: Select the signature algorithm Okta expects on the SAML messages and assertions it receives from the IdP:
    - SHA-1
    - SHA-256
    Use SHA-256 unless the IdP cannot produce it; SHA-1 is deprecated for signatures.
    Destination: Enter the Destination attribute that Okta includes in the SAML authentication request.
    Okta Assertion Consumer Service URL: Select whether to use a trust-specific assertion consumer service (ACS) URL or one shared across the organization. The following values are available:
    - Trust-specific
    - Organization (shared)
    Max Clock Skew: Specify the maximum difference Okta tolerates between its own clock and the IdP's when it evaluates the assertion's NotBefore and NotOnOrAfter conditions. Keep this small; a large skew lengthens the window in which a captured assertion could be replayed.
  7. Click Finish. After creating an IdP, click Download metadata to access the Okta SAML metadata for the 1Kosmos provider.
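
The two verification settings above, Response Signature Verification and Max Clock Skew, are easier to reason about against a concrete response. The following Python is added here as an example and is not code from Okta or 1Kosmos: it parses a constructed SAML Response, reports which element is signed and with which hash, applies each of the three verification choices together with the expected algorithm, and evaluates the assertion's validity window under a given clock skew. The issuer, destination, NameID and signature value are placeholders, and the code does not check the signature cryptographically (that needs an XML-DSig library and the IdP certificate).

```python
# Added example (not Okta or 1Kosmos code): inspect a SAML Response against
# the Okta settings described above. It reports where ds:Signature appears
# (Response Signature Verification), which hash it uses (Response Signature
# Algorithm) and whether the Conditions window holds once Max Clock Skew is
# applied. It does NOT verify the signature cryptographically.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# XML-DSig SignatureMethod URIs mapped to the names the Okta setting uses.
SIG_ALG_HASH = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
}

# Constructed sample: only the Assertion is signed (RSA-SHA256); the outer
# Response is not. Issuer, Destination, NameID and SignatureValue are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://example.okta.com/sso/saml2/0oaexample">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVzLXBsYWNlaG9sZGVy</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f3a9c</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML times are UTC ISO 8601 ending in Z, optionally with fractional seconds."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def signature_locations(xml_text):
    """Report where ds:Signature appears and which hash algorithms are used."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    found = {
        "Response": root.find("ds:Signature", NS),  # direct child of the Response only
        "Assertion": None if assertion is None else assertion.find("ds:Signature", NS),
    }
    hashes = set()
    for sig in found.values():
        if sig is not None:
            method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
            alg = method.get("Algorithm") if method is not None else ""
            hashes.add(SIG_ALG_HASH.get(alg, "unknown"))
    return {
        "response_signed": found["Response"] is not None,
        "assertion_signed": found["Assertion"] is not None,
        "hashes": hashes,
    }


def signature_policy_satisfied(locations, policy, expected_hash="SHA-256"):
    """Apply the Response Signature Verification and Algorithm settings."""
    if policy == "Response":
        placed = locations["response_signed"]
    elif policy == "Assertion":
        placed = locations["assertion_signed"]
    elif policy == "Response or Assertion":
        placed = locations["response_signed"] or locations["assertion_signed"]
    else:
        raise ValueError("unknown policy: %r" % policy)
    # Every signature present must use the configured hash; anything else is rejected.
    return placed and locations["hashes"] == {expected_hash}


def conditions_valid(xml_text, now_iso, max_skew_seconds):
    """Check NotBefore/NotOnOrAfter, tolerating max_skew_seconds in either direction.

    NotOnOrAfter is exclusive in SAML 2.0 core, so the end check uses strict less-than.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    now = parse_saml_time(now_iso)
    skew = timedelta(seconds=max_skew_seconds)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    return now + skew >= not_before and now - skew < not_on_or_after


if __name__ == "__main__":
    loc = signature_locations(SAMPLE_RESPONSE)
    for policy in ("Response", "Assertion", "Response or Assertion"):
        print(policy, "->", "accept" if signature_policy_satisfied(loc, policy) else "reject")
    # 60 s past NotOnOrAfter: rejected with a 60 s skew, accepted with 120 s.
    print("skew 60:", conditions_valid(SAMPLE_RESPONSE, "2024-05-01T12:06:00Z", 60))
    print("skew 120:", conditions_valid(SAMPLE_RESPONSE, "2024-05-01T12:06:00Z", 120))
```

Run it and note that the constructed response is rejected under the Response setting but accepted under Assertion or Response or Assertion, and that doubling the clock skew turns an expired assertion into an accepted one, which is why the skew should stay as small as the two clocks allow.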

Configuring Identity Provider Routing Rules

You can configure routing rules for each identity provider or for different combinations of user criteria.

To configure the routing rules, follow these steps:

  1. In the Admin Console, navigate to Security > Identity Providers.

  2. On the Routing Rules tab, click Add Routing Rule.

  3. Enter a Rule Name.

  4. Configure the routing conditions.

    IF User's IP is: Select a network zone.
    AND User's device platform is: Select the device platforms to which the rule applies.
    AND User is accessing: Select the type of application the user is accessing.
    AND User matches: Select the login attributes the user must match.
    THEN Use this identity provider: Select the IdP to use when all the conditions are met.
  5. Click Create rule and then indicate whether you want to activate the rule immediately.

  6. To activate the rule, click Activate.

Configuring Applications on 1Kosmos

You can use one of the following methods to configure Okta applications with 1Kosmos.

Configuring Applications Using SAML 2.0 Generic

To add new applications, follow these steps:

  1. Log in to the 1Kosmos tenant as a community administrator.

  2. Navigate to Applications > Add Applications.

  3. In the Saml 2.0 Generic tile, click Add Integration.

  4. In the wizard page that is displayed, click Add Application.

  5. In the Basic Settings section, specify the application name, its URL and the instance to which the configuration is applicable, and then click Next.

  6. In the SAML Settings section, go to the Assertion Statement (NameID) section, select the NameID format and its value, and then click Next.

  7. In the Advanced Options section, enter the entity ID and the Assertion Consumer Service (ACS) details from the Okta SAML metadata you downloaded after creating the IdP, and then click Save.
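
The entity ID, ACS details and NameID format asked for in steps 6 and 7 come from the Okta SP metadata downloaded after creating the IdP. The following Python is added here as an example and is not Okta or 1Kosmos code: it reads such a metadata document, extracts those values, and flags settings that should not be copied across unexamined. The metadata document, its entityID, ACS URL and certificate are constructed placeholders.

```python
# Added example (not Okta or 1Kosmos code): pull the values the 1Kosmos
# SAML 2.0 Generic wizard asks for out of Okta's SP metadata.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Okta SP metadata. entityID, ACS URL and
# the certificate body are placeholders, not values from a real tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/spexample">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/sso/saml2/0oaexample" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the fields needed on the 1Kosmos side, taken from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("metadata lists no AssertionConsumerService")
    # Prefer the ACS flagged isDefault; otherwise take the first one listed.
    default = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    certs = sp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    return {
        "entity_id": root.get("entityID"),
        "acs_url": default.get("Location"),
        "acs_binding": default.get("Binding"),
        "name_id_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certs": len(certs),
    }


def sanity_check(info):
    """Return a list of problems; an empty list means the values are safe to copy."""
    problems = []
    if not info["acs_url"].startswith("https://"):
        problems.append("ACS URL is not HTTPS")
    if info["acs_binding"] != HTTP_POST:
        problems.append("ACS binding is not HTTP-POST")
    if info["authn_requests_signed"] and info["signing_certs"] == 0:
        problems.append("AuthnRequestsSigned is true but no signing certificate is published")
    if not info["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    return problems


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_METADATA)
    for key in ("entity_id", "acs_url", "acs_binding", "name_id_formats"):
        print(key, "=", info[key])
    print("problems:", sanity_check(info) or "none")
```

The entity_id goes into the 1Kosmos entity ID field, acs_url and acs_binding into the ACS details, and name_id_formats tells you which NameID formats Okta will accept in step 6. If Okta's metadata says AuthnRequestsSigned is true, 1Kosmos needs the published signing certificate to validate the requests Okta sends.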

Configuring Applications Using Okta Integration (Prebuilt)

To configure applications using Okta, follow these steps:

  1. Log in to the 1Kosmos tenant as a community administrator.

  2. Navigate to Applications > Add Applications.

  3. In the Pre-built integrations section, click Add integration under the Okta tile.

  4. In the Okta page that is displayed, enter the application name, service provider name, and the Okta API token, and then click Connect. The added application is displayed on the Manage applications home page. The API token carries the permissions of the Okta administrator who created it, so treat it as a secret and create it from an account with no more privilege than the integration needs.

    Note: You can use the Okta API token link located under the Before we begin section on the Okta page to generate a token.

Testing the Integration

To test the integration, follow these steps:

  1. Open the application URL.

  2. You will be redirected to the 1Kosmos Login page.

  3. Use the 1Kosmos app to scan the QR code. You will be redirected to the landing page of the Okta application.