Enable SAML SSO with Okta

Overview

In this article, you'll learn how to set up SAML SSO with Okta, allowing you to:

  • Enable your users to be automatically signed in to MacStadium using their Okta accounts.
  • Manage your accounts in one central location – Okta.

To learn more about SAML app integration with Okta, take a look at this official documentation.

SAML SSO is a paid offering. Contact the MacStadium Support team or your Account Manager to confirm eligibility to enable SAML SSO.

Steps

  1. Save our public signature key below (e.g. save to macstadium-us-east-1_pusi8jHs1.pem)

\-----BEGIN CERTIFICATE----- MIICvDCCAaSgAwIBAgIIdQAHcexaNC4wDQYJKoZIhvcNAQELBQAwHjEcMBoGA1UE AwwTdXMtZWFzdC0xX3B1c2k4akhzMTAeFw0yNDAxMTAxNDEzMThaFw0zNDAxMTAw MDI1MThaMB4xHDAaBgNVBAMME3VzLWVhc3QtMV9wdXNpOGpIczEwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiLAh9YbRaJFwq6wODIsJixW9sCPVbO6MR wtSXEqDp1oRuJ//c7DVsytJd3koj1WRtF9+Hg1lvhx9Of+D0l5hjltB4mbeaQpOx cwgdxCepba2OuzxpU4APOCyU++NBfqe3Be+GIkWnbygsYFo5Dq26dFTSzYq/UNam YBTRgPh28k3yv82A2cH96wqwWGuLg52TUc56AGSCAwTCqN5VlwNaMzAuYqxHW2zo tmeLtC9T8q0vS+/UWq/EckR7jV/R4ziyEYB/PWgkZNUnOp0TCYtiuoYdHuqzoazW jhQjil9W0TsUq6k6Vo2ISz+r3XxlXXQMk6blmfJDU7JcMEkPZybhAgMBAAEwDQYJ KoZIhvcNAQELBQADggEBAJ8QzPsFgF/prkw2/qsgfAs0nKJY+zAaIqYSGZlYY4pq pObs0q2O8R3ecsS8e1cpahn4GdstPad69CqgyqPVf7EZm5ZMfUY9s5P7ufDJ3neh /YTp6KX1yHG8PJwJuCPSbB6OxcQirrxOKwsT2tPUMOziYHPQuickpJ7WlxEso3Xj QlcU+F4L8tjhxxF3/T7+fOlzZmivLcBPVx7z+21VoARhJvetoqCqzRccrOitHWye Bma/C6JOtvFq3JPWH0rgmAV6IGhvCSro4ANaToEmK7JYXiOD13DlA44P0l6gV7L8 p5EbQgF1F9eBQpfvL2E3Ml/+ZrXf5zBr5EjSLKvj/NE= -----END CERTIFICATE-----

  1. Open Okta admin

  2. Navigate to “Applications” (Applications → Applications in the left menu)

  3. Create a new “App integration” (click Create App Integration)

    1. Select “SAML 2.0”
    2. Click “Next”
    3. Enter “App name” (e.g. MacStadium-SAML)

  1. Configure the SAML application

    1. Sign-on URL: https://idp.macstadium.com/saml2/idpresponse

      1. Use this for Recipient URL and Destination URL: ✔︎ (make sure it’s checked)
    2. Audience URI (SP Identity ID): urn:amazon:cognito:sp:us-east-1_pusi8jHs1

    3. Click “Show Advanced Settings”

    4. Upload the public certificate (macstadium-us-east-1_pusi8jHs1.pem) from Step 1

    5. Single Logout

      1. Allow application to initiate Single Logout - ✔︎ (make sure it’s checked)
    6. Single Logout URL: https://idp.macstadium.com/saml2/logout

    7. SP Issuer: urn:amazon:cognito:sp:us-east-1_pusi8jHs1

    8. Attribute statements (optional)

      1. Map email to user.email
  2. Complete the setup by pressing “Finish”

  3. Provide our support team the “Metadata URL”