Set up Okta

Set up seamless Single Sign-On (SSO) integration between Okta and Private Cloud Director (PCD) using SAML 2.0. This guide walks you through configuring Okta, managing user assignments, and verifying s

Set up Single Sign-On (SSO) integration between Okta and Private Cloud Director (PCD). You will configure an Okta SAML 2.0 application and connect it to your PCD deployment for seamless user authentication.

NOTE

Only 5 active applications are allowed in Okta. Deactivate unused applications before creating new integrations.

Step 1: Create an Okta SAML application

This step guides you through creating a new SAML 2.0 application integration in Okta.

  1. Log in to your Okta server and navigate to Applications. Verify you have fewer than 5 active applications. If needed, deactivate unused applications.

  2. Select Create App Integration.

  1. Select SAML 2.0 as the sign-on method.

  1. Select Next to proceed to the general settings.

Step 2: Configure SAML settings

Configure the basic SAML integration settings for your PCD deployment.

  1. On General Settings, enter a descriptive application name.

  2. Select Next to proceed to SAML configuration.

  1. In Configure SAML, enter the following required information:

NOTE

Replace <FQDN>with your PCD environment without any regions. Use IDP1 for the default domain, or substitute your specific domain name for <DOMAIN_NAME> .

Field
Description

Single sign-on URL

https://<FQDN>/sso/<DOMAIN_NAME>/Shibboleth.sso/SAML2/POST Example: https://test-du-testbed-only-3950700.app.qa-pcd.platform9.com/sso/IDP1/Shibboleth.sso/SAML2/POST

Use this for Recipient URL and Destination URL

Select this checkbox

Audience URI (SP Entity ID)

https://<FQDN>/keystone Example: https://test-du-testbed-only-3950700.app.qa-pcd.platform9.com/keystone

Default RelayState

Leave blank

Name ID format

EmailAddress

Application Username

Okta Username

Update application username on

Create and update

Step 3: Set up attribute statements

Add attribute statements to pass user information from Okta to PCD .

  1. Optionally, you can choose to update the Attribute Statements by adding the following mappings.

Name
Name Format
Value

FirstName

Unspecified

user.firstName

LastName

Unspecified

user.lastName

Email

Unspecified

user.email

  1. Select Next to continue.

  2. In Feedback, select Finish to complete the application setup.

You will be redirected to the application Sign On Settings, which displays the Issuer and Metadata URL needed for PCD configuration.

Step 4: Assign users to the application

Grant users access to the SAML application in Okta.

  1. Navigate to the Assignments tab in your application.

  2. Select Assign, then select Assign to People.

  3. Select the users to give access to PCD through SSO.

  4. Choose Assign to complete the user assignment.

The Okta configuration is now complete.

Step 5: Configure SSO in PCD

Connect your PCD deployment to the Okta SAML application.

  1. Log in to your PCD deployment using the DU FQDN for your target region.

  2. Navigate to Settings > Enterprise SSO.

  3. Select Enable SSO.

  1. Select Okta as your SSO Provider.

  2. Copy the Issuer from your Okta application Sign On and paste it in the Entity ID field.

  3. Copy the Metadata URL from your Okta application Sign On tab and paste it in the SAML Metadata URL field.

  4. Add the following XML configuration in the SSO Provider Attribute MAP field:

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute id="FirstName" name="FirstName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="LastName" name="LastName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="Email" name="Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="UserName" name="UserName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="department" name="department" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="division" name="division" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="locale" name="locale" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="organization" name="organization" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="preferredLanguage" name="preferredLanguage" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="userType" name="userType" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom1" name="custom1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom2" name="custom2" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom3" name="custom3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom4" name="custom4" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom5" name="custom5" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
</Attributes>

  1. Select Save to create the configuration.

You will see a confirmation message as SSO configuration saved.

Step 6: Create SAML groups and mappings

Set up SAML groups to manage user permissions and role assignments in PCD.

  1. Create a new SAML group with the following settings:

Field

Description

Name

Enter a descriptive group name

Description

Provide a clear description

Username Attribute Mapping Template

Enter a template that defines how the username should be constructed using SAML attributes. Use the format {attributeKey} where attributeKey corresponds to the attributes available in your identity provider

Email Attribute Mapping Template

Enter a template that defines how the email address should be constructed using SAML attributes. Use the format {attributeKey} where attributeKey corresponds to the attributes available in your identity provider

Template Examples:

  • {FirstName} {LastName} - Combines first and last name with a space

  • {FirstName}-{LastName} - Combines first and last name with a dash

  • {FirstName}xxxx{LastName} - Combines first and last name with custom characters

  • {Email} - Uses the email attribute directly

The attribute keys must match those configured in your identity provider's attribute mapping configuration.

  1. Add a group mapping with these configurations.

Field

Value

SAML Group Attribute

Email

Criteria

Any one of

SAML Group Values

Enter email addresses that match user assignments in your Okta application (For example: [email protected], [email protected])

  1. Assign roles and tenants from Tenants & Roles, by configuring the following.

Role
Description

Admin

Full administrative access

SSU (Self-Service User)

Limited self-service access

ReadOnly

View-only access

  1. Select Add group to complete the SAML group setup.

Step 7: Verify the SSO integration

Verify if your Okta SSO integration works correctly.

  1. Log out of your current PCD session.

  2. Navigate to your PCD environment URL to initiate a new login.

  3. The system redirects you to Okta for authentication.

  4. Enter your Okta credentials and complete any required multi-factor authentication (MFA).

Upon successful authentication, Okta redirects you back to PCD with the appropriate user permissions.

You have now successfully configured Okta SSO for PCD. Users can now access PCD using their Okta credentials with seamless single sign-on authentication.

PreviousSet up Microsoft Entra IDNextSSO with pcdctl

Last updated

Was this helpful?