Technology Blogs by SAP
istvanbokor
Advisor
In this blog, we will explore how to establish trust between your Identity Authentication tenant and Okta as a corporate identity provider.

Once the trust between Okta and Identity Authentication is established, you can reuse it to connect several applications and environments to the same tenant.

Prerequisites

  1. You have an active license for Identity Authentication.

  2. The Manage Applications and Manage Corporate Identity Providers authorizations are assigned to you as an administrator in IAS.

  3. You have access to the Okta Admin portal.


Step 1: Log in to the Okta admin portal and create the SAML 2.0 application


Log in to the Okta admin portal by going to https://login.okta.com/ and provide your credentials.


Click on 'Use single sign on', then 'Add App'.

Note: in Okta there is no predefined Identity Authentication application; you have to create and configure it manually.

For more information about configuration on the Okta side, refer to official Okta documentation: Create a SAML integration using AIW (Application Integration Wizard).

In the 'New Application Integration' dialog, choose Web as the platform and SAML 2.0 as the sign-on method:


As the last part of the application creation, you can define a custom application name, logo, and visibility. Finally, click Next.


Step 2: Create SAML Integration in Okta


In this step, you have to fill in the SAML settings with values taken from Identity Authentication. Pay special attention to every value in this part: the SAML audience and endpoint checks are exact string comparisons, so a different scheme, a trailing slash or a wrong host is enough to break the login.



Single sign on URL:


To get the URL value, follow these steps:

  1. Open Identity Authentication (IAS) Administration Console: https://<tenantid>.accounts.ondemand.com/admin

  2. Navigate to the 'Tenant Settings' tile. Click on 'SAML2.0 Configuration'.

  3. Copy 'Assertion Consumer Service Endpoint' (ACS endpoint) URL.


After copy-pasting the URL, tick the 'Use this for Recipient URL and Destination URL' option.

*This is for SP-initiated SSO. If you'd also like to use IdP-initiated SSO, construct the above three URLs (Single sign on URL, Recipient URL, Destination URL) like this:

<ACS endpoint URL>?sp=<sp_entity_id>&index=<index_number>

The 'sp' parameter is the Entity ID of the target service provider (the application), and 'index' is the index of the application's protected page. Request both from the tenant administrator of Identity Authentication.

The index is required.

In Okta it is possible to register both URLs (enable 'Allow this app to request other SSO URLs' and add the second URL there).



Audience URI (SP Entity ID):


This has to be identical to the 'Name' value of your IAS tenant, which is the SAML entity ID of the tenant.

To get the value, follow these steps:

  1. Open IAS Administration Console: https://<tenantid>.accounts.ondemand.com/admin

  2. Navigate to the 'Tenant Settings' tile. Click on 'SAML2.0 Configuration'.

  3. Copy the value of the 'Name' field.


Note: Make sure the audience matches exactly as described in KBA 2693814 - Service Provider does not match the specified audience in the SAML2Assertion.

Default RelayState should be empty.

Leave the remaining SAML settings at their defaults unless you have different requirements. In particular, make sure the Name ID format Okta sends is one the IAS tenant and the target application accept.

Step 3: Download Identity Provider metadata file from Okta


In Okta navigate to the 'Sign On' tab, then click the 'Identity Provider metadata' hyperlink to download the metadata in .xml format.
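Before importing the file in Step 4 it is worth looking inside it. The following is an added example in Python, not code from the blog, from SAP or from Okta. The metadata document it parses is a constructed sample in the shape Okta produces, with a placeholder entity ID, placeholder URLs and a fake byte string in place of a real X.509 certificate. It extracts what IAS will take from the file and warns when the single logout endpoint is missing, which is what makes the manual SLO step in Step 4 necessary.

```python
"""Added example (not from the original blog): inspect the Okta IdP metadata
downloaded in Step 3 before importing it into IAS. SAMPLE_METADATA is a
constructed document; entity ID, URLs and certificate are placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the DER-encoded signing certificate (not real X.509).
FAKE_CERT_DER = b"constructed-certificate-bytes-for-the-example-only"

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD['md']}" entityID="http://www.okta.com/exkEXAMPLE0000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{MD['ds']}">
        <ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/example_ias_1/exkEXAMPLE0000000000/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example.okta.com/app/example_ias_1/exkEXAMPLE0000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_text):
    """SHA-256 fingerprint of the DER bytes inside an X509Certificate element.
    With a real certificate you would also check NotAfter before importing."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest()


def summarize_idp_metadata(xml_text):
    """Extract what IAS takes from IdP metadata: entity ID, SSO and SLO
    endpoints per binding, NameID formats and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, MD)}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD):
        # A KeyDescriptor without 'use' covers both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD):
                certs.append(cert_fingerprint(c.text))

    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", MD)],
        "signing_cert_sha256": certs,
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def preimport_checks(summary):
    """Warnings to resolve before, or right after, the import in Step 4."""
    warnings = []
    if HTTP_POST not in summary["sso"]:
        warnings.append("no HTTP-POST SingleSignOnService endpoint; check the binding selected in IAS")
    if not summary["slo"]:
        warnings.append("no SingleLogoutService: Okta only publishes one when single logout is "
                        "enabled on the app, so the IAS SLO endpoint field must be filled manually")
    if not summary["signing_cert_sha256"]:
        warnings.append("no signing certificate: IAS cannot validate Okta's signatures")
    return warnings


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_METADATA)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for warning in preimport_checks(summary):
        print("WARNING:", warning)
```

Point the script at the real file (replace SAMPLE_METADATA with the file contents) and compare the printed certificate fingerprint with what IAS shows after the import; a mismatch means the wrong application's metadata was downloaded.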



Step 4: Configure trust in the Identity Authentication tenant


In this scenario, Identity Authentication acts as a proxy and delegates authentication to the corporate identity provider. To do so, you have to configure trust with that corporate identity provider. For more information, check the official SAP documentation: Configure Trust with Corporate Identity Provider.


To configure trust with the corporate identity provider, follow the procedures below:


Import the downloaded Okta metadata (from Step 3) into Identity Authentication:

  1. Open IAS Administration Console: https://<tenantid>.accounts.ondemand.com/admin

  2. Navigate to 'Corporate Identity Providers' in the submenu of 'Identity Providers'.

  3. Add an identity provider with a custom name.

  4. Choose SAML 2.0 Configuration and import metadata:


Now almost all the required details are filled in:


Configure the HTTP-POST Single Logout Endpoint URL with the same value set for the 'Name' field in IAS. Okta only publishes a SingleLogoutService endpoint in its metadata when single logout has been enabled on the Okta application, so after the import this field is usually empty and has to be filled in manually:


Save the configuration:


As a tenant administrator, you can specify a link that is sent as an extension in the SAML 2.0 Logout Response. The link can be used by the application to redirect the user after successfully logging out of the application when Identity Authentication acts as an identity provider proxy. See our official documentation: Service Provider Initiated Logout with Corporate Identity Providers.

Navigate to the 'Trust' tab and choose the 'Logout Redirect URL' option. Define the desired URL where you want to redirect end-users after successful logout:



Step 5: Connect your application to use Okta as the identity provider


In the Administration Console of your IAS, navigate to 'Applications & Resources', then click on the 'Applications' tab and configure a new application or choose an existing one.

Option A: Open 'Conditional Authentication' on the 'Trust' tab of your application and set your Okta identity provider as 'Default Identity Provider'.


For more information see our official documentation: Choose a Corporate Identity Provider as Default.

Option B: Switch 'Trust all corporate Identity Providers' on. In this case, you should define Conditional Authentication rules that redirect users to Okta.


For more information see: Configure Conditional Authentication for an Application

 

Summary


After following the above steps, your application uses Okta as the corporate identity provider, with IAS acting as a proxy.

Hint: If you face issues during configuration, download the troubleshooting logs from your IAS tenant to investigate the root cause yourself. See KBA 2942816 - How to export troubleshooting logs from Identity Authentication.

Also, we advise checking the IAS Guided Answers about the most common issues: KBA 2701851 - Identity Authentication (IAS) - Guided Answers.
35 Comments
srini2492
Explorer
Thanks for the blog!!!
One question, instead of manually updating the details on Okta site, can't we download the IAS metadata XML and upload it in Okta?

 
istvanbokor
Advisor
Unfortunately, I could not find this possibility. There are predefined applications in Okta, but there is no such application for SAP Identity Authentication Service, therefore I could not do the configuration easier, only with manual steps.
srini2492
Explorer
Got it, thanks for the reply!!!
ErvinSzolke
Product and Topic Expert
Great Blog, Istvan!
arun_santhanam3
Participant
Nice & Informative blog.
SAPSF6
Active Participant
Thanks Istvan,

 

Very helpful document
former_member94288
Discoverer
Hello Istvan,

 

Can you please let us know how user creation is done in SAP IAS? As employees get hired and separated, how can this be managed?
istvanbokor
Advisor
Hi peycpidev,

Could you please explain your question in a bit more detail? Thank you

Regards,
István
samadhan_pawar
Explorer
Hi Istvan,

 

This is a really good blog, very helpful.

We are in the process of implementing SSO for the SAP Cloud for Customer C4C Marketing tenant with OKTA.

As the Marketing tenant comes with the default SAP IdP, can we use this same method for setting up SSO with the Marketing tenant?

 

Please advise which doc we need to follow if not the above one.

Your help is much much appreciated.

Thanks a lot in advance !!!!

 

Regards,

Samadhan
istvanbokor
Advisor
Hi Samadhan,

I advise checking this with SAP Cloud for Customer C4C Marketing team if they have such options to change the default SAP ID Service to custom IAS tenants.

From the IAS perspective we support such scenarios, where the trust/metadata can be exchanged.

Kind regards,
Istvan
0 Kudos
Istvan,

Nice blog.

We have SAP Analytical Cloud (SAC), and SAP Cloud for Customer C4C Marketing.

Our IdP is OKTA. I have established SSO between SAC and OKTA using SAML2. Backend SAP systems are also enabled using OKTA.

I have following questions.

Option 1: We can implement SSO from each SAP cloud tenant to OKTA.

Option 2: We can have SSO from SAP IAS to OKTA, and then from each SAP cloud tenant to SAP IAS.

 

We did not buy "SAP Cloud Platform Identity Authentication" to implement SAML for single sign-on. It is not a one-time purchase; it is a consumption model. The cost will be $3.9 per unit/month (one unit = 100 logon requests).

Is the price going to be the same or different? If this is a one-time cost, and not a consumption model, I will be very much interested.

Can you please help?

 
yaotian_zhang
Member
thanks a lot!

One of our customers wants to make the group mapping between SCP and OKTA.

Just add the item below under "GROUP ATTRIBUTE STATEMENTS (OPTIONAL)"


then go to the sub-account Security -> Trust page to configure the "Role Collection Mappings"



JM1
Participant
Hi istvan.bokor

 

Amazing blog, it was the main source we used to configure the SSO between SF and OKTA.

 

I had the following issue while reproducing your guide and I'd like to share it and know your opinion about it:

 

During step 2 in OKTA we need to complete the Single Sign On URL and you mentioned this URL is retrieved from here

 

IAS -  Application & Resources - Tenant Settings - SAML2.0 Configuration - ACS endpoint

But this URL gives me a configuration error when the user tries to log in to SuccessFactors.

The URL that is correct is the one that I retrieved from here

IAS - Application & Resources - Applications - SuccessFactors instanceID - ACS Endpoint

 

Do you know why?

Regards
istvanbokor
Advisor
Hello,

Thank you for your nice words.

This guide is to connect IAS with Okta. If you are using SuccessFactors, this is valid once you have done the Upgrade, so that in your SFSF the IAS is the IdP.

If you have not run the Upgrade yet, and in your SSO Settings at SFSF Provisioning there is something other than IAS, then the guide "Connect Okta to IAS" is not valid for you.

Best regards,
Istvan
JM1
Participant
Hi Istvan,

 

Thanks for the timely reply! I'm using IAS as my identity provider; we've never used the provisioning SSO, so this guide is perfect for us because we're migrating everything to OKTA. We've successfully connected OKTA and IAS using SSO, but with the small change that I mentioned, which is changing the ACS URL.

Do you know why this URL works and the one you mentioned does not?

Thanks!

 
istvanbokor
Advisor
Hi,

I can't comment on this without seeing the details.

If you wish, you can send me more details privately via e-mail, like your IAS URL and SF company ID.

Thank you,
Istvan
alec_treutler
Explorer
Hi Istvan,

Super clear Blog. Thank you for this!

Quick question though, I have followed the instructions and I am getting redirected correctly to OKTA for authentication, but once authenticated I get the following error:

Identity Provider could not process the authentication request received. Delete your browser cache and stored cookies, and restart your browser.

I tried doing this in Incognito mode as well but am still getting the error.

I am trying to use OKTA as a SSO method, using IAS as a Proxy IDP to an Application running on the BTP.

Kind regards

Alec
istvanbokor
Advisor
Hi,

I would suggest you check the IAS Troubleshooting log, which is usually more descriptive: https://<tenantID>.accounts.ondemand.com/admin/#/troubleshootingLogs

Best regards,
István
alec_treutler
Explorer
Thank you for the quick reply!

The log was still cryptic but led to a resolution.

Kind regards,

Alec
istvanbokor
Advisor
Oh, that's good to hear it helped to resolve the issue. 🙂

Regards,
István
xudonny
Advisor
Hi Istvan,

Nice and clear. It works with my trial Okta account.

Out of curiosity: when we set up IAS with a BTP subaccount, we build a bi-directional trust. We exchange both metadata files and import them. Here we only import Okta into IAS. I know we can actually configure them manually instead of importing, but in Okta we didn't configure such a certificate etc.

Do you know what the technical cause for the difference is? Thanks.

Best regards,

Donny
istvanbokor
Advisor
Hi Donny,

This is a limitation on the Okta side, that Okta does not provide metadata import functionality; from the SAP side I cannot comment on 3rd-party products.

Best regards,
István
xudonny
Advisor
Hi István,

Thanks for sharing. Anyway it works without issue.

Donny
himmohanty
Explorer
Hi Istvan,

Very nice blog..

We have a similar requirement in our project, i.e. configuring IAS as a proxy to the corporate IdP (Okta), but with the objective of getting the user authenticated by their Employee ID in the corporate IdP instead of their e-mail ID.

Is there a way to address this ?

Regards
Himanshu
istvanbokor
Advisor
Hello,

You can check the steps on Okta side: https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/#specify-your-integration-se...

Best regards,
István
Abhi_Sikenpore
Participant
Hi istvan.bokor , great blog!

 

I do have a question: if we keep the RelayState blank while configuring on the Okta side, then SSO users trying to access SuccessFactors via the SP-initiated link get the error below.

The RelayState '' [#####] is invalid. It must start with '/' or be a valid URL and from a safe domain

But if the same user logs in via IDP initiated link, the user gets in seamlessly.

 

Do you know what the issue could be, and what RelayState value should be added in Okta for this to work with the SP-initiated route?

 

Thank you in advance.

Abhi
istvanbokor
Advisor
Hello,

If you want to use both SP and IdP initiated SSO, you need to add both ACS endpoints to Okta, as it is stated in my blog:

Single sign on URL:


To get URL value, follow steps:

  1. Open Identity Authentication (IAS) Administration Console: https://<tenantid>.accounts.ondemand.com/admin

  2. Navigate to the ‘Tenant Settings’ tile. Click on ‘SAML2.0 Configuration’.

  3. Copy ‘Assertion Consumer Service Endpoint’ (ACS endpoint) URL.


After copy-pasting the URL, tick the ‘Use this for Recipient URL and Destination URL’ option.

*This is for SP-initiated SSO. If you’d like to use IdP-initiated SSO, construct the above 3 URLs like below:

https://<the current ACS endpoint URL>?sp=<sp_name>&index=<index_number>

Request the Entity ID of the service provider, and the index of the application’s protected page from the tenant administrator of Identity Authentication.

The index is required.

On Okta it is possible to set both URLs (Allow this app to request other SSO URLs).



Best regards,
István
Abhi_Sikenpore
Participant
Hi istvan.bokor -

 

Thank you for that information. I will check with the Okta team and see if we can make this work.

With two URLs (one for IdP-initiated and one for SP-initiated), do we still need a Default RelayState populated? Or could that be blank?

 

Regards,

Abhi
zameer0448
Participant
Hi Istvan,

 

Thanks for the detailed blog.

I have a follow-up question. Can we configure OKTA as a 3rd-party/custom IdP for the SAP subaccounts (Cloud Foundry) instead of having the SAP IAS system work as a proxy to delegate the authentication to the corporate identity provider?

What is the advantage of using OKTA as the corporate identity provider via IAS?

The only advantage I see is that we can send custom attributes and values available in IAS to the application.

Please let us know if there is any documentation to configure OKTA as a custom IdP for a Cloud Foundry subaccount, instead of using IAS as a proxy.

 

Thanks and Regards

Zameer Ahamad
NataTabidze
Explorer
Hi Istvan,

Can you clarify the following questions that we are facing:

  1. Are all IAS users affected by OKTA if we integrate it into IAS? Is there any possibility of specifying the users we want to be involved? If yes, then how? Maybe you can advise additionally, because the blog does not say anything about that.

  2. Can OKTA be used for only one chosen SAP tenant and not all connected to IAS? For example, the development tenant only, for OKTA-IAS integration testing purposes (Step 5 in the blog).


 

Thank you in advance,

Nata
istvanbokor
Advisor
Hi,

  1. Are all IAS users affected by OKTA if we integrate it into IAS? Is there any possibility of specifying the users we want to be involved? If yes, then how? Maybe you can advise additionally, because the blog does not say anything about that.

    > You can use either Conditional Authentication, so a specified part of the users is redirected to IAS and the others to Okta, or you can use a unique URL for IAS users and the default URL for Okta users, as per this docu.

  2. Can OKTA be used for only one chosen SAP tenant and not all connected to IAS? For example, the development tenant only, for OKTA-IAS integration testing purposes (Step 5 in the blog).

    > What does SAP tenant mean here?


Best regards,
Istvan
NataTabidze
Explorer
Hello Istvan,

Thank you for your reply!

"Tenant" means the Development, Customizing, Test and Production systems - the same as applications (we run a 3-tier landscape of S/4Hana public cloud).


BR,
Nata
dalmada
Explorer
Hi, is there a way to enable SSO for SAP GUI with Okta? We don't have AD and we are already using SSO with Okta via Fiori. Thanks, Daniel.
sharanabasappa
Advisor

Hello Everyone,

 

Please remember: in the integration between OKTA and a CBC-based S/4HANA Cloud system, users will not be able to log in to the S/4HANA system if Conditional Authentication is added with OKTA (error "Client, Name, or Password is not correct; Log on Again") when the Name ID format is set to Unspecified in step 2 (refer to the attachment).

So to resolve this problem we have to set this to Email instead of Unspecified. The reason is that the default Name ID format on the S/4 IAS side is set to Email.

 

Thanks

Sharan

keyur_p
Newcomer
Hello Istvan,

Amazing blog!

I have a similar use case where we have OKTA as our corporate identity provider. We have a SAML connection between OKTA and an SAP BTP subaccount. We are not using IAS here.

Whenever we add a user to an OKTA group, we expect a proxy user to be created on the SAP BTP subaccount. Currently, the user has to log in to the application URL to create the proxy user on the SAP BTP subaccount. Is there an option so that when a user is assigned to an OKTA group, the proxy user is created on the SAP BTP subaccount?

 

Thanks,

Keyur P