Okta Single Sign-On Example


Okta is a provider of identity and access management solutions.

Procedure

1. Create an Okta Application

Note: Before creating the application, you need to register an account and create your organization on the Okta website.

1) Open the Okta website and log in. Click on the user icon in the top-right corner and select Your Org from the dropdown menu.

2) On the Okta organization page, click Application in the right-hand menu. On the page that opens, click Create App Integration.

3) Select SAML 2.0 to create a new application.

2. Configure SAML for the Okta Application

Note: This step maps the attributes of the Okta application to Guance properties, establishing a trust relationship between Okta and Guance.

1) In the General Settings of the newly created application, enter the application name, such as "okta", and then click Next.

2) In the Configure SAML section under SAML Settings, enter the assertion URL and Entity ID.

Note: The values entered here are only used to obtain the metadata document in the next step. After enabling SSO in Guance, you will need to replace them with the correct Entity ID and Assertion URL.

3) In the Attribute Statements (optional) section of Configure SAML, enter the Name and Value.

  • Name: The field defined by Guance. Enter Email to associate the user's email from the identity provider (that is, the identity provider maps the login user's email to Email).
  • Value: Enter based on the actual email format provided by the identity provider. For Okta, enter user.email.

Note: This part is mandatory. If it is not filled out, single sign-on will fail with a login error.

4) In the Feedback section, select the following options and click Finish to complete the SAML configuration.

3. Obtain the Okta Metadata Document

Note: This step retrieves the metadata document required to create an identity provider in Guance.

1) Under Sign On, click Identity Provider metadata to view the identity provider metadata.

2) Right-click on the view page to save it locally.

Note: The metadata document is an XML file, such as “metadata.xml”.

4. Enable SSO Single Sign-On in Guance

1) In the Guance workspace, go to Management > Member Management > SSO Management and click Enable to turn on single sign-on.

Refer to the documentation Create SSO.

Note: For account security, Guance supports configuring only one SSO per workspace. If you have previously configured SAML 2.0, the last updated SAML 2.0 configuration will be considered the final single sign-on authentication entry.

2) Upload the metadata document downloaded in Step 3, configure the domain (email suffix domain), and select the role to obtain the Entity ID and Assertion URL of the identity provider. You can also directly copy the login URL to log in.

Note: The domain is used to map the email domain between Guance and the identity provider to achieve single sign-on. The email suffix domain must match the domain added in Guance.

5. Replace the SAML Assertion URL in Okta

1) Return to Okta and update the Entity ID and Assertion URL from Step 2.

Note: When configuring single sign-on in Guance, the assertion URL configured in the identity provider's SAML must match the one in Guance to enable single sign-on.

6. Configure Okta Users

Note: This step configures authorized user email accounts for the identity provider created in Guance. Configured Okta user email accounts can log into the Guance platform via single sign-on.

1) Under Assignments > Assign, select Assign to People.

2) Select users who need to log into Guance via single sign-on, such as “jd@qq.com”, and click Assign.

3) Click Save and Go Back to complete the user configuration.

4) Return to Assignments to view the configured Okta users.

7. Log in to Guance Using Okta Credentials

1) After SSO configuration is complete, log in via the Guance official website or the Guance console. On the login page, select Single Sign-On.

2) Enter the email address used to create the SSO and click Get Login URL.

3) Click the link to open the enterprise account login page.

4) Enter the enterprise common email and password.

5) Log in to the corresponding workspace in Guance.

Note: If multiple workspaces are configured with the same identity provider for single sign-on, users who have logged in via SSO can switch between workspaces by clicking the workspace option in the top-left corner of Guance to view data.
