Tech Note--Configuring Okta Single Sign-On Symantec CloudSOC Tech Note

Upload: others

Post on 15-Nov-2021

10 views

Category:

Documents


0 download

TRANSCRIPT


Copyright statement: Copyright (c) Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

 


Table of Contents 

Introduction 

Configure the CloudSOC token in Okta 

Configuring Okta single sign-on in CloudSOC 

Configuring CloudSOC to force single-sign-on 

Using Okta single sign-on 

SP-initiated single sign-on 

IDP-initiated single sign-on 

Revision history 

 

 

   

 


Introduction 

This Tech Note describes how to set up Okta as a single sign-on (SSO) provider for CloudSOC. Okta lets your users: 

● Sign into CloudSOC using Okta (SP Initiated SSO) 

● Access CloudSOC from Okta’s application panel (IDP Initiated SSO) 

Perform the following procedures to activate and use Okta as an IDP for your CloudSOC account. 

Configure the CloudSOC token in Okta 

Follow this procedure to use the Okta console to add CloudSOC as a supported application. 

1. Log in to Okta using your administrator credentials.

   

 


2. In Okta, navigate to Applications. In the following figure, there are no applications yet. 

 

In your browser’s address bar, note the base URL as shown in the following. Record the base URL so that you can enter it later when configuring single sign-on in CloudSOC. Make sure you are not recording the admin URL that has a suffix “-admin,” as in “mycompany-admin.okta.com”. 

 

3. Select API, and then select Tokens as shown in the following.

 

4. Click Create Token as shown in the following. 

 

 


5. On the Create Token panel, give the token a descriptive name and click Create Token, as shown in the following. 

 

Okta creates a token and shows its token value to you in the Create Token panel. 

 

6. Record the token value for later use, then click OK, got it. 

Okta adds your new token to the list of tokens as shown in the following. 

 

 


Configuring Okta single sign-on in CloudSOC 

Follow this procedure to configure CloudSOC to recognize Okta as a single sign-on provider. 

1. Log in to CloudSOC with your sysadmin credentials.

2. On the CloudSOC menu bar, go to the gear icon on the top right corner, then click the Single Sign-On tab to bring it to the front.

3. From the Single Sign-on Provider menu, select Okta as shown in the following. 

 

4. In the Single Sign-on Provider area, paste the token value you recorded earlier, and type your Okta base URL in the Base Domain box, as shown in the following. 

 

 


5. Click Configure.  

6. CloudSOC displays a green banner across the top of the page showing that Okta was successfully authorized. 

 

7. If necessary, log back in to Okta, navigate to Applications, and make sure that CloudSOC is now listed as an application.

 

8. Ensure that the value of the NameID in the SAML assertion is the email address of the user. It must match the value of the email attribute in the same SAML assertion, as shown in the following example:

<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
</saml2:Attribute>
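As an added example that is not part of this tech note, the following Python script applies the step 8 check to a SAML assertion: it parses the Subject NameID, verifies that its Format is the emailAddress format, and verifies that its value equals the value of the email attribute. The sample assertion, its namespace declarations, and the address jane.doe@example.com are constructed for the example.

```python
"""Check that a SAML assertion's NameID is the user's email address and
equals the "email" attribute, as the CloudSOC/Okta tech note requires.
Added example; the assertion below is constructed, not a real Okta response."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (namespace declarations added so it parses stand-alone).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_nameid_matches_email(assertion_xml: str) -> list:
    """Return the problems found; an empty list means the step 8 requirement is met."""
    problems = []
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is None:
        return ["assertion has no Subject/NameID"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected {EMAIL_FORMAT}")
    name_id_value = (name_id.text or "").strip()
    # Every value carried by the attribute named "email" (attribute name compared
    # case-sensitively, matching the note's example; CloudSOC's own rules are not documented here).
    email_values = [
        (v.text or "").strip()
        for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS)
        if attr.get("Name") == "email"
        for v in attr.findall("saml2:AttributeValue", NS)
    ]
    if not email_values:
        problems.append("no attribute named 'email' in the assertion")
    elif name_id_value not in email_values:  # exact string match, as the note's example shows
        problems.append(f"NameID {name_id_value!r} does not equal email attribute {email_values!r}")
    return problems


if __name__ == "__main__":
    print(check_nameid_matches_email(SAMPLE_ASSERTION) or "OK: NameID matches the email attribute")
```

Run it against an assertion captured from your own browser (for example, via a SAML tracer extension) to confirm the Okta application sends the NameID CloudSOC expects before forcing SSO for all users.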

   

 


Configuring CloudSOC to force single-sign-on 

You can configure CloudSOC so that cloud service users no longer have the option of authenticating directly with CloudSOC; they can only authenticate with your single sign-on service. 

Important: We recommend that you enable this feature only after you confirm that single sign-on is correctly configured and that both IDP-initiated and SP-initiated logins work properly. Otherwise you might be locked out of your CloudSOC administrator accounts. 

1. In CloudSOC, go to the gear icon on the top right corner, then click the Single Sign-On tab. 

2. Mark the checkbox for Force all users to login through SSO as shown in the following. 

 

Using Okta single sign-on 

The following sections describe how your network admins use Okta as an IDP when they log in to CloudSOC.

SP-initiated single sign-on 

To use Okta to do a Service Provider (SP)-initiated login into CloudSOC: 

1. Browse to the CloudSOC login page and click the link for Use Single Sign On. 

 


2. Enter your email address and click Sign In. 

 

If you have already logged in with Okta, CloudSOC redirects you to the CloudSOC dashboard page. 

3. If you have not yet logged in with Okta, CloudSOC redirects you to Okta’s login page. Enter your Okta credentials and log in.

   


Okta signs you in and then redirects you to your CloudSOC dashboard, as shown in the following. 

 

 

IDP-initiated single sign-on 

To use Okta to do an Identity Provider (IDP)-initiated login into CloudSOC:

1. Go to Okta and sign in. 


2. In Okta, navigate to the Applications panel and click CloudSOC. 

 

3. Okta signs you in and then redirects you to your CloudSOC dashboard, as shown in the following figures.

 

   


Revision history 

Date              Version  Description
2014              1.0      Initial release
29 October 2015   1.1      Minor revisions
7 November 2016   1.2      Add note about UPN claim matching the primary SID claim; clarify NameID in SAML assertion
11 August 2016    2.0      Update procedure for creating the CloudSOC token; address force single sign-on feature
12 December 2018  2.1      Update screenshots and configuration procedure to match Okta UI

 
