SSO with Okta

Introduction

BMS supports integrating the application with Okta. Okta is a cloud-based SSO provider that supports the SAML 2.0 standard. This topic helps you integrate BMS with Okta. After successful setup, when a user logs into Okta and navigates to their application dashboard, they can click the BMS application, and it launches the tenant site with the user already logged in.

Prerequisites

  • Admin account in BMS and Okta
  • Setup in Okta

Sections

Setup of SSO with Okta and BMS involves the following steps.

Adding BMS application in Okta

  1. Log into your Okta portal using your admin account.
  2. Navigate to Admin dashboard.
  3. Click Add Applications.
  4. Select Create New App.
  5. Set the following in:
    1. Create a New Application Integration.
      1. Platform: Web
      2. Sign-on method: SAML 2.0
      3. Click Create.
    2. Configuring SAML
      1. SSO URL: This is the BMS URL. The format is <server name>/SAML/Connect.aspx.
      2. Navigate to Admin > My Company > Auth and Provision.
      3. Under Single Sign-on URL, copy the URL in the field.
      4. Set it in Okta.
    3. General App Settings
      1. App name: Kaseya BMS.
      2. App logo: Provide a logo for the application.
      3. App visibility: Keep the defaults. Click Next.
  6. Check the checkbox which says: Use this for Recipient URL and Destination URL
  7. Audience URI (SP Entity ID): KaseyaBMS
  8. Application username: Email
  9. Select the link Show Advanced Settings to expand the Advanced Settings section.
  10. In Advanced Settings, change only the data mentioned below. Keep the others as default.
    1. Assertion signature: Signed
    2. Response signature: Signed
    3. Authentication context class: SHA256

Adding attributes

  • Attribute 1
    • Name: email
    • Format: Basic
    • Value: user.email
  • Attribute 2
    • Name: CompanyName
    • Format: Basic
    • Value: {tenant name}. Add your tenant name here.
      • Navigate to My Profile, and click your name on the right of the top navigation bar. You will see your gateway URL and Company Name listed here. This is your tenant name.
  • Attribute 3
    • Name: firstname
    • Format: Basic
    • Value: user.firstname
  • Attribute 4
    • Name: lastname
    • Format: Basic
    • Value: user.lastname
  • Attribute 5
    • Name: username
    • Format: Basic
    • Value: user.login
  • Attribute 6: Group Attribute
    • Name: securitygroup
    • Format: Basic
    • Matches regex: .*

Feedback

The final step of the configuration is Feedback.

  1. Choose Internal app for customer or partner.
  2. Select the checkbox for internal app.
  3. Click Finish.

Downloading the certificate

After finishing the setup, you will be provided with the Sign-on methods screen.

  1. Click View Setup Instructions. You will be redirected to the certificate page.

  2. Copy and save the Identity Provider Single Sign-On URL from this page.

  3. Download the certificate. Ensure the file is saved as .cer and not in any other format.

Application assignment in Okta

In order to launch BMS using Okta, you must first assign your users in Okta to the newly created application. Under the Application Settings page, navigate to the Assignments tab, click Assign and add Okta users or groups to the application.

IMPORTANT   The users' email address in Okta and the username in BMS should be the same.

Setup SSO in BMS

  1. In BMS, navigate to Admin > My Company > Auth and Provision.
  2. On the Single Sign-On tab, click Upload Certificate.
  3. Select the Okta certificate you previously downloaded.
  4. Set Enable Single Sign-on via SAML to Yes.
  5. Paste the Okta login URL you copied above into the SAML Login Endpoint URL field. This enables user authentication with Okta from the BMS login page.
  6. Click Save.

Enabling SSO for employees

  1. Navigate to HR > Employees.
  2. Select an employee.
  3. Under External Authentication Type, select SAML SSO.
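
A check of a decoded SAML response against the Okta settings listed in this topic, as an added example that is not Kaseya or Okta code: it confirms that the response and assertion both carry a signature, that Destination, Recipient and Audience match, and that all six attributes are sent. The function names and the bms.example.com URL are assumptions, the sample input is constructed, and the signature check tests presence only, not validity.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Attribute names from the "Adding attributes" section
REQUIRED_ATTRS = {"email", "CompanyName", "firstname", "lastname", "username", "securitygroup"}

def check_response(xml_text, sso_url, audience="KaseyaBMS"):
    """List mismatches between a decoded SAML response and the settings on this page."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion found"]
    problems = []
    # Advanced Settings: Response signature and Assertion signature are both "Signed".
    # Presence check only; this does not verify the signature cryptographically.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # "Use this for Recipient URL and Destination URL" ties both to the SSO URL.
    if root.get("Destination") != sso_url:
        problems.append("Destination does not match the SSO URL")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sso_url:
        problems.append("Recipient does not match the SSO URL")
    aud = assertion.find(".//saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != audience:
        problems.append("Audience is not " + audience)
    names = {a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)}
    problems += ["missing attribute: " + n for n in sorted(REQUIRED_ATTRS - names)]
    return problems

def build_sample(sso_url, attrs, signed_response=True):
    """Constructed test input with placeholder signatures; not real Okta output."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    attr_xml = "".join('<saml:Attribute Name="%s"/>' % n for n in attrs)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s">%s'
            '<saml:Assertion>%s<saml:Subject><saml:SubjectConfirmation>'
            '<saml:SubjectConfirmationData Recipient="%s"/>'
            '</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
            '<saml:AudienceRestriction><saml:Audience>KaseyaBMS</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>%s'
            '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], sso_url, sig if signed_response else "", sig, sso_url, attr_xml))

if __name__ == "__main__":
    url = "https://bms.example.com/SAML/Connect.aspx"  # constructed placeholder URL
    print(check_response(build_sample(url, ["email"], signed_response=False), url))
```

An empty list means the response matches every setting checked; each string names one setting to revisit in the Okta application.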