Use Okta for SSO authentication

Use Okta for single sign-on (SSO) authentication with SAML 2.0 so members of your organization can sign in to Kobiton with their Okta credentials.

Get Kobiton parameters

First, you’ll need to save a copy of your Kobiton SSO attributes so you can easily add them to your IdP later.

Select your profile name or picture, then choose Settings.

Select your profile name and select Settings

Choose SSO Settings.

SSO settings page

From Basic configuration, copy the following values and save them to a note:

  • Entity ID (or Audience URL)

  • Reply (or SSO, or ACS) URL

Basic configuration step in SSO settings

From User attributes (or parameters), copy the following values and save them to a note:

  • email

  • firstName

  • lastName

  • phoneNumber

  • memberOf

User attributes or parameters step in SSO settings

Later you’ll finish configuring your Kobiton SSO settings so keep this browser window open.

If your IdP sends these attributes under different names, you can map them instead of changing your IdP. See Configure custom SAML attribute mappings.

Create an IdP application

In Okta, select Admin.

The Admin button in Okta home page

Okta may ask you to sign in again.

In the Admin Console, select Applications, then select Applications from the submenu.

Select Create App Integration.

The Applications page with the Create App Integration option

In the Create a new app integration window, select SAML 2.0, then select Next.

In General Settings, enter an App name. Optionally, add a logo to customize your sign-in portal. Then select Next.

Configure SAML settings

In the Configure SAML Integration window, use your Kobiton SSO parameters to fill the following fields.

In Single sign-on URL, enter the Kobiton reply URL.

Example
https://api.kobiton.com/v1/users/sso/saml/callback

For Audience URI (SP Entity ID), enter the Kobiton entity ID.

Example
https://api.kobiton.com/v1/users/sso/saml

For Default RelayState, enter the value from the Kobiton SSO basic configuration.

Example
{"domainName": "Kobiton"}

Select Next.

On the feedback page, select an App type.

For internal apps, select This is an internal app that we have created.

Answer any optional feedback questions, then select Finish.

Okta opens the app configuration page.

Configure sign-on attributes

On the Okta app configuration page, select the Sign On tab.

In the SAML 2.0 section, expand Show legacy configuration to display the attribute statement settings.

Expanded view of the legacy configurations panel

In Profile attribute statements, add the following attributes. For each row, enter the name into Name, select Basic from the Name format drop-down list, and select the corresponding value from the Value drop-down list.

Name Name format Value

email

Basic

user.email

firstName

Basic

user.firstName

lastName

Basic

user.lastName

phoneNumber

Basic

device.trusted

In Group attribute statements, add the following attribute. For Filter, select Matches regex from the drop-down list and enter .* in the adjoining field.

Name Name format Filter

memberOf

Basic

Matches regex .*

Each name and value must match the corresponding attribute in your Kobiton portal SSO settings tab exactly. Select Copy next to each attribute in the Kobiton portal to copy the value to your clipboard.

All required attribute values mapped

Select Save.

Optionally, select Preview the SAML assertion to review it before continuing.

Get Okta IdP values and certificate

On the Sign On tab, go to the About section to the right of the Settings panel, then select View SAML setup instructions.

“Select Download certificate for the Okta SAML signing certificate”

From the setup instructions page, copy and save the following values:

  • Identity Provider Single Sign-On URL

  • Identity Provider Issuer

  • X.509 Certificate

Use these values when you configure the Okta IdP settings in Kobiton:

Kobiton field Okta value

Identity provider sign in URL

Identity Provider Single Sign-On URL

Identity issuer URL

Identity Provider Issuer

Identity provider sign out URL

Use the same value as Identity Provider Single Sign-On URL, unless your organization uses a separate sign-out URL.

Identity provider certificate

X.509 Certificate

The Identity provider sign out URL is optional. If your organization does not provide a separate sign-out URL, use the same URL as the Identity provider sign in URL.

The optional IdP metadata XML contains the same Okta IdP configuration in a machine-readable format. If the setup instructions page provides the IdP values separately, use those fields instead of manually parsing the XML.

To download the certificate file, return to the Okta app configuration page. On the Sign On tab, go to the SAML Signing Certificates section. Under Actions, select Download certificate.

“Select Download certificate for the Okta SAML signing certificate”

Assign users

Assign users in Okta so they can sign in to Kobiton through SSO. Each user’s Username in Okta must match the email address on their Kobiton account exactly.

On the Okta app configuration page, select the Assignments tab.

Select Assign, then select Assign to People.

In the people list, select Assign next to the user’s Okta account.

In the assignment window, confirm the Username field contains the user’s Kobiton account email address. If it doesn’t, enter the email exactly as it appears in Kobiton.

Select Save and Go Back, then select Done.

The assigned user appears in the Assignments panel.

To assign additional users, select Assign again and repeat these steps.

To confirm a user’s Kobiton account email, check the Kobiton portal.

Add IdP parameters and certificate to Kobiton

Now, you’ll need to add your IdP parameters and certificate to your Kobiton organization. In your SSO Settings, scroll down to Set up at Kobiton side.

Scroll down to step Set up at Kobiton side

Add your IdP parameters and certificate to the following:

  • Identity provider issuer

  • Identity issuer URL

  • Identity provider sign in URL

  • Identity provider sign out URL (optional)

  • Identity provider certificate

    The Identity provider certificate must be a .pem file. If the certificate downloaded from the IdP has a different file extension (such as .cert), rename it to .pem before uploading.

See the below mapping table for which value to use for each parameter above.

Field name Value mapping

Identity provider issuer

Okta

Identity issuer URL

Audience URI (SP Entity ID)

Identity provider sign in URL

Single sign on URL

Identity provider sign out URL (optional)

Verify and save configuration

Make sure you have created an account with the same email as the currently logged in Kobiton account and assign the new SAML application to that user on the IdP side before continuing.

Select Verify to test your SSO configuration.

The Verify button under Verify Configuration

The system will open a new browser tab to the SSO login page. In this new tab, log in using the account that has the same email as the current Kobiton account.

If logged in successfully, go back to the previous browser tab with the SSO Settings opened.

Wait for a while for the SSO Settings page to automatically reload (do not force reload the page) and a success message displays like the below:

The success message under Verify Configuration

After receiving the success response, select Save to complete your SSO configuration.

After verifying and saving the configuration, you can turn on Enforce users to login to Kobiton only through SSO to force the users to log in only via SSO (optional).

When SSO login enforcement is turned on:

  • You can add existing users to be exempted from the SSO login enforcement by adding the username into the Choose users who are allowed to login without SSO field.

    The list of users that are exempted from the enforcement list when SSO enforcement is enabled

  • You also gain access to Specify Organization Access Restrictions with the ability to enable Pass role/team assignments to users in the SAML validations. Choose the method that’s best for your organization.

    The Specify Organization Access Restrictions step in SSO settings