Orchestrator user guide

Configure Okta to Recognize a New Orchestrator Instance​

1. Log in to Okta. The following setup is made in Classic UI view. You can change it from the drop-down on the top-right corner of the window.

   Figure 1. Classic interface

   

2. On the Application tab, select Create New App. The Create a New Application Integration window is displayed.

3. Choose SAML 2.0 as sign-on method and select Create.

   Figure 2. Create new application integration window

   

4. For the new integration, on the General Settings window, enter the application name.

5. On the SAML Settings window, fill in the General section as per this example:

   • Single sign on URL: The Orchestrator instance URL + /identity/Saml2/Acs. For example, https://orchestratorURL/identity/Saml2/Acs.
   • Enable the Use this for Recipient URL and Destination URL check box.
   • Audience URI: https://orchestratorURL/identity
   • Name ID Format: EmailAddress
   • Application Username: Email
     Note:

     Whenever filling in the URL of the Orchestrator instance, make sure it does not contain a trailing slash. Always fill it in as https://orchestratorURL/identity, not https://orchestratorURL/identity/.

6. Select Show Advanced Settings and fill in the Attribute Statements section:

   • Set the Name field to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and select user.email from the Value drop-down.

     Figure 3. Attribute statements (optional) section

     

7. Download the Okta certificate.

8. In the Feedback section, select the option that suits you and select Finish.

9. On the Sign On tab, in the Settings section, select Setup Instructions. You are redirected to a new page containing the instructions required to complete your Orchestrator configuration for SAML 2.0: Identity Provider Sign-On URL, Identity Provider Issuer, X.509 Certificate.

   Note:

   If, for any reason, the information about the identity provider is lost, you can, at any point, visit Sign On > Settings > View Setup Instructions.

Assigning People to the Application​

1. Log in to OKTA.

2. On the Application page, select the newly created application.

3. On the Assignments tab, select Assign > Assign to People and then select the users to be given the necessary permissions.

   Figure 4. Assign Orchestrator25 to people window

   

4. The newly added users are displayed on the People tab.

Set Orchestrator/Identity Server to Use Okta Authentication​

1. Define a user in Orchestrator and have a valid email address set on the Users page.

2. Import the signing certificate:

   • For Windows deployments, import the signing certificate provided by the Identity Provider to the Windows certificate store using Microsoft Management Console.
   • For Azure deployments, upload the certificate provided by the Identity Provider from in the Azure portal. (TLS/SSL settings > Public Certificates (.cer) > Upload Public Key Certificate). Refer to Frequently Encountered Orchestrator Errors to adjust your web app configuration if you are unable to use OKTA authentication and encounter the following error message: An error occurred while loading the external identity provider. Please check the external identity provider configuration.

3. Log in to the Management portal as a system administrator.

4. Go to Security.

5. Select Configure under SAML SSO:

   The SAML SSO configuration page opens.

6. Set it up as follows:

   • Optionally select the Force automatic login using this provider checkbox if, after the integration is enabled, you want your users to only sign in through the SAML integration.
   • Set the Service Provider Entity ID parameter to https://orchestratorURL/identity.
   • Set the Identity Provider Entity ID parameter to the value obtained by configuring Okta authentication (refer to step 9).
   • Set the Single Sign-On Service URL parameter to the value obtained by configuring Okta authentication (refer to step 9).
   • Select the Allow unsolicited authentication response checkbox.
   • Set the Return URL parameter to https://orchestratorURL/identity/externalidentity/saml2redirectcallback. Make sure to add /identity/externalidentity/saml2redirectcallback at the end of the URL for the Return URL parameter. This path is specific to Okta as it allows you to reach an Orchestrator environment directly from Okta.
   • Set the SAML binding type parameter to HTTP redirect.
   • In the Signing Certificate section, from the Store name list, select My.
   • From the Store location list, select LocalMachine for Windows deployments or CurrentUser for Azure Web App deployments.
   • In the Thumbprint field, add the thumbprint value provided in the Windows certificate store. Details.
     Note:

     Replace all occurrences of https://orchestratorURL with the URL of your Orchestrator instance. Make sure that the URL of the Orchestrator instance does not contain a trailing slash. Always fill it in as https://orchestratorURL/identity, not https://orchestratorURL/identity/.

7. Select Save to save the changes to the external identity provider settings.

   The page closes and you return to the Security Settings page.

8. Select the toggle to the left of SAML SSO to enable the integration.

9. Restart the IIS server.