Using Okta to Authenticate to Certero (WS-Fed)
Certero supports Federated Authentication as a method of authentication. Some customers use Okta to authenticate to Active Directory; in this scenario Okta can be used as the source of authentication for Certero.
Step 1 - Create the New Application in Okta
Create a new application in Okta using the Template WS-Fed. Give the application a label, e.g. Certero, and add the following settings to the application. N.B. the exact value for:
https://<Certero Server>/CerteroWebApp/Account/LogonFederated
can be taken from the Active Directory Connector in Certero.
Field | Setting |
--- | --- |
Application Label | Certero |
Web Application URL | https://<Certero Server>/CerteroWebApp/Account/LogonFederated |
Realm | https://<Certero Server>/CerteroWebApp/Account/LogonFederated |
Reply to URL | https://<Certero Server>/CerteroWebApp/Account/LogonFederated |
Allow Reply to Override | Unchecked |
Name ID Format | EmailAddress |
Audience Restriction | https://<Certero Server>/CerteroWebApp/Account/LogonFederated |
Assertion Authentication Context | Password |
Group Attribute Name | http://schemas.microsoft.com/ws/2008/06/identity/claims/role |
Group Attribute Value | windowsDomainQualifiedName |
Group filter | (blank) |
Username Attribute Statements | UPN |
Custom Attribute Statements | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\|${user.userName}\| |
Signature Algorithm | RSA_SHA256 |
Digest Algorithm | SHA256 |
Application Visibility | Values unticked |
Provisioning | Box unticked |
Auto-launch | Box unticked |
Application Notes | Optional |
VPN Required Notification | Disabled |
App Embed Link | This value will be set by Okta |
Application Login Page | Use the default organization login page |
Application Error Page | Use the error page setting on the global settings page |
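As an added example (not Certero or Okta code), the following Python script shows what a relying party such as Certero has to verify in the WS-Fed response before trusting it: that the assertion's Audience matches the Audience Restriction value configured above, that the assertion is inside its validity window, and that the Name ID format and the name and role claim URIs are the ones the table configures. The sample response is constructed by hand; the host certero.example, the user alice@example.com and the EXAMPLE domain are placeholders, and the element layout follows the SAML 1.1 assertion that a WS-Fed passive response carries. Signature verification is out of scope for the snippet.

```python
"""Check a WS-Federation response against the Okta application settings.

Added example, not Certero or Okta code. SAMPLE_WRESULT is a constructed
wresult (no real token, no signature) whose claim URIs match the settings
table; certero.example, alice@example.com and EXAMPLE are placeholders.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Values from the settings table, with <Certero Server> replaced by a placeholder host.
EXPECTED_AUDIENCE = "https://certero.example/CerteroWebApp/Account/LogonFederated"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# A clock value that lies inside the constructed assertion's validity window.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 5, tzinfo=timezone.utc)

SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="_constructed-1" Issuer="http://www.okta.com/PLACEHOLDER"
        IssueInstant="2024-05-01T12:00:00Z">
      <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>https://certero.example/CerteroWebApp/Account/LogonFederated</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameIdentifier>
        </saml:Subject>
        <saml:Attribute AttributeName="name"
            AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>alice@example.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="role"
            AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
          <saml:AttributeValue>EXAMPLE\\Certero Admins</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    if value is None:
        raise ValueError("assertion condition is missing a timestamp")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_wsfed_claims(wresult, expected_audience, now):
    """Return the name ID and claims from a wresult, or raise ValueError.

    Rejects a response with no assertion, an assertion whose validity
    window does not contain `now`, or one whose Audience is not the
    configured Audience Restriction.
    """
    root = ET.fromstring(wresult)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 1.1 assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    name_id = assertion.find(".//saml:Subject/saml:NameIdentifier", NS)
    if name_id is None:
        raise ValueError("assertion has no NameIdentifier")
    claims = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        # SAML 1.1 splits a claim URI into AttributeNamespace and AttributeName.
        uri = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        claims.setdefault(uri, []).extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    return {"name_id": name_id.text, "name_id_format": name_id.get("Format"), "claims": claims}


def settings_mismatches(parsed):
    """List the ways a parsed token differs from the Okta settings table."""
    problems = []
    if parsed["name_id_format"] != EMAIL_FORMAT:
        problems.append("Name ID Format is not EmailAddress")
    if NAME_CLAIM not in parsed["claims"]:
        problems.append("name claim (Custom Attribute Statement) missing")
    if ROLE_CLAIM not in parsed["claims"]:
        problems.append("role claim (Group Attribute Name) missing, so no group-based login mapping")
    return problems


if __name__ == "__main__":
    parsed = parse_wsfed_claims(SAMPLE_WRESULT, EXPECTED_AUDIENCE, SAMPLE_NOW)
    print("user:", parsed["name_id"])
    print("roles:", parsed["claims"].get(ROLE_CLAIM))
    print("mismatches:", settings_mismatches(parsed) or "none")
```

The audience and validity checks only prove that a token was minted for this endpoint at this time, not who minted it: in production the RSA_SHA256 signature on the assertion must be verified against Okta's signing certificate before any of these claims are read.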
Step 2 - Change the Authentication in Certero
Go to Connectors > Active Directory
Edit the connector and click on the Authentication tab.
Select Federated Authentication
In the Sign-On Endpoint enter the value displayed in the App Embed Link in the Okta application e.g. https://<organisation>.okta.com/app/template_wsfed/<GUID>/sso/wsfed/passive

Step 3 - Test the Authentication
N.B. you must ensure that your Active Directory user account is configured for login in Certero. Go to Administration > Logins and check that your Active Directory user account has a login, either directly assigned or via Active Directory group membership.
To test the authentication:
Go to the Certero login screen
Do not log in
In the Domain drop-down, select the domain in the list you are going to use for Okta
Click Login
This should redirect you to Okta for authentication (N.B. it may pass through automatically using your cached credentials)