Additional configuration details for using OKTA for SSO


*Note* If you are experiencing errors when logging into SafeConsole using Okta SSO, please see the bottom of this KB article for tips.


Most SSOs have a similar setup, but OKTA does require a few more steps.


If you need in-depth support beyond the instructions below, please email [email protected] to receive a quote from the Professional Services team regarding assistance with your specific environment. 


SSO Integration with SafeConsole 5.3+

https://support.datalocker.com/a/solutions/articles/4000126687


Assertions

The SSO URL should correspond to the assertion example from the KB article above. Keep in mind that this link must be adjusted to match your own SafeConsole server address.


Example:

https://example.safeconsolecloud.com/safeconsole/sso-login/acs


Entity ID

The Entity ID can be named whatever you would like; however, the Entity ID in SafeConsole must match the entry in OKTA (OKTA refers to this as the Audience ID).





We recommend using SafeConsoleSSO as the Entity ID in both SafeConsole and OKTA.


SLO Endpoint


The SLO endpoint setting uses the SLO endpoint's URL, adjusted to your SafeConsole server address.


Example: https://example.safeconsolecloud.com/safeconsole/sso-login/acs






Integrating an OKTA User Into an Approved Group for SafeConsole Login Access (administrator, manager, support)


A custom attribute must be created within the profile editor for the OKTA Users (Default) of the connector.

*NOTE* With the release of SafeConsole 5.6, SafeConsole supports linking to custom role-based groups.


Within the OKTA configuration window:


- Select 'Add Attribute'.







- Ensure that your attribute settings match the screenshot below.






Once you have saved the profile attribute, add the corresponding attribute in your SAML settings if necessary.

 


- From the General tab of your SafeConsole application, select Edit under the SAML heading.






- Step through General Settings to Configure SAML and scroll down to Attribute Statements.






- Set the attribute settings if necessary.

- Optional: use values such as "ADMINISTRATOR" instead of user.memberOf.






Now that you have your attributes created, the next step is to apply the correct roles for your admins.



- Select People from your left menu.

- Locate the user you want to add the attribute to.

- Click on the user's name and navigate to the Profile section.

- Click Edit and edit the custom attribute.




- Apply the role you would like to the user; repeat for each user.

    Note: The default roles for SafeConsole are:

  • SUPPORT
  • MANAGER
  • ADMINISTRATOR
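As an added illustration (not code from DataLocker or Okta) of what the settings above correspond to inside the SAML response, this Python check parses a constructed sample response and reports where its Audience, Destination, or role attribute would disagree with the SafeConsole Entity ID, ACS URL, and default roles. The attribute name memberOf and the character rule used for the Entity ID are assumptions.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Settings from this article: the recommended Entity ID and the example ACS URL.
ENTITY_ID = "SafeConsoleSSO"
ACS_URL = "https://example.safeconsolecloud.com/safeconsole/sso-login/acs"
ROLES = {"SUPPORT", "MANAGER", "ADMINISTRATOR"}  # SafeConsole default roles
ROLE_ATTRIBUTE = "memberOf"  # assumed name of the SAML attribute carrying the role
# Constructed sample response (not captured from Okta); signature elements omitted.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}"
    xmlns:saml2="{NS['saml2']}" Destination="{ACS_URL}">
  <saml2:Assertion>
    <saml2:Conditions><saml2:AudienceRestriction>
      <saml2:Audience>SafeConsoleSSO</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="memberOf">
        <saml2:AttributeValue>ADMINISTRATOR</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

def check_response(xml_text, entity_id=ENTITY_ID, acs_url=ACS_URL):
    """Return findings where the response disagrees with the SafeConsole settings
    (empty list = consistent). Signature verification is out of scope here."""
    findings = []
    # Troubleshooting step 2: special characters in the Entity ID cause mismatches.
    if re.search(r"[^A-Za-z0-9._-]", entity_id):
        findings.append("Entity ID contains special characters")
    root = ET.fromstring(xml_text)
    # The response must be addressed to the ACS URL of this SafeConsole server.
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL")
    # Okta's Audience must equal the Entity ID entered in SafeConsole.
    audiences = [a.text for a in root.findall(".//saml2:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} != Entity ID {entity_id!r}")
    # The attribute statement must carry one of the SafeConsole roles.
    role = None
    for attr in root.findall(".//saml2:Attribute", NS):
        if attr.get("Name") == ROLE_ATTRIBUTE:
            val = attr.find("saml2:AttributeValue", NS)
            role = (val.text or "").strip() if val is not None else None
    if role is None:
        findings.append(f"no {ROLE_ATTRIBUTE!r} attribute in the assertion")
    elif role not in ROLES:
        findings.append(f"role {role!r} is not one of {sorted(ROLES)}")
    return findings
```

Running check_response(SAMPLE_RESPONSE) with the article's settings returns an empty list; an Entity ID typed differently in SafeConsole than in Okta shows up as an Audience finding.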



Troubleshooting tips with Okta

If you get a login error when trying to log in to SafeConsole using OKTA SSO, here are troubleshooting steps to try.


Attempt to force a re-sync of Okta and SafeConsole.


1. Log into Okta:

  • Change the user's memberOf attribute within the OKTA system to ADMINISTRATOR
  • Try to log in with SafeConsole SSO
  • Change the memberOf attribute back to ADMINISTRATOR
  • Log in with SafeConsole SSO
  • If you are still not able to log in, change the memberOf attribute to system_admin
  • Log in with SafeConsole SSO


2. Check whether the Entity ID contains any special characters and remove them.

  • Make sure the Entity ID matches in both SafeConsole and Okta

3. The SafeConsole Account Owner is always able to log in with email and password.

  • Have the Account Owner/Primary Admin log in, delete the SSO setting, and save.
  • Reconfigure the OKTA settings within SafeConsole and save.