BMS Auth & Provision | SSO with Okta

Introduction

Our PSA supports integrating the application with Okta’s SSO product. Okta is a cloud base SSO provider that supports SAML 2.0 Standard. This guide helps you to integrate PSA with Okta. After the successful setup when a user logs in to OKTA and navigate to their applications dashboard they can click on the PSA app and it will launch their tenant site with the user already logged in.

Pre-requisites

• Admin account in PSA and Okta
• Setup in Okta

Sections

Setup of SSO with Okta and PSA involves the following steps.

• Add PSA application in Okta.
• Application Assignment in Okta
• Setup SSO in PSA

Add PSA application in Okta.

• Login to your Okta portal using your admin account
• Navigate to Admin dashboard

• Click on Add Applications
• Choose Create New App

Set the following in the Create a New Application Integration

• • Platform: Web
  • Sign on method: SAML 2.0 
  • Click on Create
• General App Settings
  • App name: Kaseya BMS
  • App logo: Provide a logo for the application
  • App visibility: Keep the defaults, Click Next
• Configuring SAML
  • SSO URL : This is the PSA URL. The format is <server name>/SAML/Connect.aspx
  • Navigate to Admin > My Company > Auth and Provision.
  • Under the single sign on URL, copy the URL in the field
  • Set it in Okta
• Check the checkbox saying: “Use this for Recipient URL and Destination URL”
• Audience URI (SP Entity ID): KaseyaBMS
• Application username: Email
• Select the link “Show Advanced Settings” to expand the advanced settings section.

   

   

   

In Advanced Settings only change the data mentioned below, keep the others as default.

• Assertion Signature: Unsigned
• Authentication context class: Unspecified

Adding Attributes

• Attribute 1
  • Name: email
  • Format: Basic
  • Value: user.email
• Attribute 2
  • Name:CompanyName
  • Format: Basic
  • Value: {tenant name} , Add your tenant name here.
    • Navigate to My Profile, Click on your name on the right of the top navigation bar. You will see your gateway URL and Company Name listed here. This is your tenant name. 
• Attribute 3
  • Name: firstname
  • Format: Basic
  • Value: user.firstname
• Attribute 4:
  • Name: lastname
  • Format: Basic
  • Value: user.lastname
• Attribute 5:
  • Name: username
  • Format: Basic
  • Value: user.login
• Attribute 6 : Group Attribute
  • Name: securitygroup
  • Format: Basic
  • Matches regex: .*

Feedback

The final step of the configuration is Feedback

• Choose Internal App for customer or partner?
• Select the check box for internal app
• Click Finish

Download the certificate

After finishing the setup, you will be provided with the Sing on methods screen. Click on View Setup Instructions. You will be redirected to the certificate page.

• Copy and save the Identity Provider Single Sign-On URL from this page
• Download Certificate. Ensure the file is saved as .cer and not in any other formats. 

Application Assignment in Okta

In order to launch PSA using Okta, you must first assign your users in Okta to the newly created application. Under the application settings page, navigate to the Assignments tab, click the Assign button and add Okta users or groups to the application.

Setup SSO in PSA

1. In PSA, navigate to Admin > My Company > Auth and Provision.
2. On the Single Sign On tab, click Upload Certificate.
3. Select the Okta certificate you previously downloaded.
4. Set Enable Single Sign On via SAMLto Yes.
5. Paste the Okta login url you copied above into the SAML Login Endpoint URL field. This enables user authentication with Okta from the PSA login page.
6. Click Save.

Enable SSO for Employees

1. Navigate to HR > Employees.
2. Select an employee.
3. Under External Authentication Type, select SAML SSO.