Okta Integration for Scalefusion Dashboard

Security Assertion Markup Language (SAML) is an open standard for federated authentication. An identity provider authenticates the user and passes a signed assertion about that user to the service provider, which signs the user in on the strength of that assertion instead of checking a password of its own.

Scalefusion admin accounts can now be migrated to SAML based sign in, so that authentication for the Dashboard is handled by the organization's identity provider rather than by a Scalefusion password.

How does it Work

There are two main entities here: the Identity Provider (IdP) and the Service Provider (SP). In our case Scalefusion is the Service Provider, which needs the user to be authenticated, and the Identity Provider is the one that performs that authentication and vouches for the user. We use Okta as the Identity Provider for Scalefusion users.

When a user signs in to a SAML enabled application (Scalefusion), Scalefusion redirects the user to Okta. Okta authenticates the user, returns a signed SAML assertion for that user to Scalefusion, and Scalefusion signs the user in based on that assertion.

A few configurations are needed on both sides, the Identity Provider (Okta) and the Service Provider (Scalefusion), to establish a standardized, trusted exchange between the two. This document describes in detail the steps to integrate Scalefusion with Okta and enable SAML sign in.

Before You Begin

  1. A valid Scalefusion Dashboard account
  2. A valid Okta subscription

Steps

In a nutshell, following are the steps for SAML integration:

  1. Create Application on Okta
  2. Add users on Okta
  3. Assign Application to users on Okta
  4. Configure SAML based Sign-In on Scalefusion Dashboard
  5. Migrate Admins for SAML based Sign In

Step 1: Okta SAML Setup for Scalefusion (Create SAML Integration)

Create Integration
  1. Sign in to Okta
  2. In the Admin Console, navigate to Applications.
  3. Click Add Application.
  4. On the Add Application page, click Create New App.
  5. This opens a dialog box Create a new Application Integration. To create a SAML integration, select Web as the Platform and SAML 2.0 for the Sign on method.
  6. Click Create.
  7. This opens the General Settings page. Enter the following:
  • App name — A name identifier for your integration. Enter Scalefusion as the app name.
  • App logo (Optional) — A logo to accompany your integration in the Okta org. The logo must be a .png, .jpg, or .gif file with dimensions of less than 1400 by 400 pixels, and smaller than 100 kilobytes in size.
  • App visibility — Choose whether to hide your integration from your end users' homepage, and whether to hide it from the Okta Mobile Apps Store on your end users' devices. You can keep both unchecked.

Click Next

  8. Configure SAML Settings

For SAML 2.0 configuration enter the following details:

  • Single sign on URL — Required. This is the default Assertion Consumer Service (ACS) URL of the Service Provider (Scalefusion), i.e. the endpoint to which Okta posts the SAML Response. It is always used for IdP-initiated sign-on.
    The Single Sign On URL is shown on the Scalefusion dashboard under Admins and Roles > Sign In Settings > Configure SAML Sign In.
    • Use this for Recipient URL and Destination URL — Select this check box so that the Recipient and Destination URLs in the SAML Response are the same as the ACS URL.
    • Allow this app to request other SSO URLs — For use in SP-initiated sign-in flows. Selecting it lets you configure multiple ACS URLs for applications that can choose where the SAML Response is sent. Keep this unchecked.
  • Audience URI (SP Entity ID) — The intended audience of the SAML assertion, usually the Entity ID of your application. It is shown on the dashboard under Admins and Roles > Sign In Settings > Configure SAML Sign In.
  • Default RelayState — The page where users land after a successful SAML sign-in to the SP. If set, it must be a valid URL.
  • Name ID format — The username format sent in the SAML Response. Use the default (Unspecified) if the application does not explicitly specify a format.
  • Application username — The default value used as the username for the application. It should correspond to the admin's Scalefusion account, since this is the identity Scalefusion matches the assertion against.

Click Next

  9. Feedback

Here, select any one option and click Finish. Your application is created in your Okta org.

For more information on creating a SAML app integration, refer to Okta's documentation.

Step 2: Add users in Okta

The users whose accounts will be enabled for SAML sign in need to be added in Okta. To do so, follow these steps:

  1. On Okta Admin Console, go to Directory > People
  2. Click on the button Add Person. This opens the Add Person window.
  3. Here, enter the required details such as First Name, Last Name, username, password etc.
    The user will enter this Okta username and password for authentication when signing in to Scalefusion once the account is configured for SAML.
  4. Click Save

Step 3: Assign application to Scalefusion users

The application created and configured above must be assigned to the Scalefusion users; only then can they sign in through it. To assign the application to an individual user, follow these steps:

  1. On the Okta Admin Console, go to Directory > People.
  2. Click a user name in the Person & Username column.
  3. Select the Applications tab.
  4. Click Assign Applications.
  5. Select Scalefusion application from the list or enter the application name in the Search field.
  6. Click Assign
  7. When prompted, enter the user name and complete any additional fields. This user name is not the user's Okta username but the application username, i.e. the identity the user signs in to Scalefusion with, so it must correspond to the admin's Scalefusion account.
  8. Click Save and Go Back.
  9. The Assign Applications box comes up again. Notice the button in front of Scalefusion changes to Assigned and is grayed out. Click Done

The application (Scalefusion) is assigned to the user and starts reflecting in the Assigned Applications area for that user.
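
Steps 1 to 3 above are Admin Console clicks. The following is an added example (not Scalefusion's or Okta's own code) that performs the same three operations through Okta's management API: create the custom SAML 2.0 app with the settings chosen in Step 1 (Single sign on URL also used as Recipient and Destination, Audience URI, unspecified Name ID, no extra ACS URLs, signed response and assertion), create the person from Step 2, and assign the app to that person as in Step 3. The request bodies follow Okta's public Apps and Users API documentation as I know it; confirm the field names against Okta's current API reference before relying on them. The org URL, API token, URLs and e-mail address are placeholders.

```python
"""Provision the Scalefusion SAML app, a user and the assignment via the
Okta API.  Added example; all hostnames, tokens and e-mails are placeholders."""
import json
import urllib.request

OKTA_ORG = "https://example.okta.com"   # placeholder org URL
API_TOKEN = "REPLACE_WITH_SSWS_TOKEN"    # Okta API token; never commit a real one


def saml_app_payload(label, sso_url, audience):
    """Body for POST /api/v1/apps creating a custom SAML 2.0 integration,
    mirroring the Step 1 form.  Response and assertion signing are turned on
    so the SP can verify them with the certificate downloaded in Step 4."""
    return {
        "label": label,
        "signOnMode": "SAML_2_0",
        "visibility": {"hide": {"iOS": False, "web": False}},
        "settings": {
            "signOn": {
                "ssoAcsUrl": sso_url,          # Single sign on URL from the dashboard
                "recipient": sso_url,          # "Use this for Recipient URL and Destination URL"
                "destination": sso_url,
                "audience": audience,          # Audience URI (SP Entity ID) from the dashboard
                "allowMultipleAcsEndpoints": False,
                "subjectNameIdTemplate": "${user.userName}",
                "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                "responseSigned": True,
                "assertionSigned": True,
                "signatureAlgorithm": "RSA_SHA256",
                "digestAlgorithm": "SHA256",
                "honorForceAuthn": True,
                "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
            }
        },
    }


def user_payload(first, last, email, password):
    """Body for POST /api/v1/users?activate=true (Step 2, Add Person)."""
    return {
        "profile": {"firstName": first, "lastName": last, "email": email, "login": email},
        "credentials": {"password": {"value": password}},
    }


def assignment_payload(user_id, app_username):
    """Body for POST /api/v1/apps/{appId}/users (Step 3).  app_username is the
    application username; keep it equal to the admin's Scalefusion account."""
    return {"id": user_id, "scope": "USER", "credentials": {"userName": app_username}}


def okta_post(path, body):
    """Send one authenticated JSON POST to the Okta org and return the reply."""
    req = urllib.request.Request(
        OKTA_ORG + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": "SSWS " + API_TOKEN,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def provision(sso_url, audience, first, last, email, password, post=okta_post):
    """Run the three calls in order.  `post` is injectable so the sequence can
    be exercised offline.  Returns (app_id, user_id)."""
    app = post("/api/v1/apps", saml_app_payload("Scalefusion", sso_url, audience))
    user = post("/api/v1/users?activate=true", user_payload(first, last, email, password))
    post("/api/v1/apps/%s/users" % app["id"], assignment_payload(user["id"], email))
    return app["id"], user["id"]


if __name__ == "__main__":
    # Dry run: print the payloads instead of calling the org.
    def show(path, body):
        print("POST", path, json.dumps(body, indent=2))
        return {"id": "dry-run-id"}

    provision("https://sp.example.com/saml/acs", "https://sp.example.com/saml/metadata",
              "Ada", "Admin", "ada.admin@example.com", "ChangeMe-Now-1", post=show)
```

Run it as-is for a dry run that prints the three request bodies; swap in a real org URL and token to execute them. The application username passed to the assignment is the same e-mail used as the Okta login, which is what keeps the NameID consistent with the admin's Scalefusion account.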

Step 4: Configure SAML based Sign-In on Scalefusion Dashboard

Scalefusion IT Admins need to configure SAML settings inside Scalefusion so that they can migrate to SAML sign in. This is the main step: it associates the organization's accounts with SAML authentication and lets the Account Owner control the setting for the other Admins.

Prerequisites

Only Account Owner or Co-Account owner can configure SAML settings on Scalefusion dashboard.

Setup Instructions for Scalefusion Application

To configure the settings on the Scalefusion side you need a few details from Okta, namely the Issuer URL, the SSO/SLO endpoints and the signing certificate. Fetch them as follows:

  1. On Okta Admin Console, go to Applications
  2. Click on the application name Scalefusion (created above)
  3. Go to Sign On tab and under Sign On methods click on the button View Setup Instructions
  4. This opens a new window with all settings required for configuration

Configuration steps on Scalefusion Dashboard

  1. On Scalefusion Dashboard, navigate to Account Profile -> Admins and Roles -> Sign-in Settings
  2. Under Configure SAML Sign-In, enter the following:
    1. Select SAML provider: Select Okta.
    2. Issuer URL: The Identity Provider Issuer URL from the Setup Instructions page on Okta. Copy it and paste it here.
    3. SAML SSO Endpoint: The Identity Provider Single Sign-On URL from the Setup Instructions page on Okta. Copy it and paste it here.
    4. SAML SLO Endpoint: The same URL as the SAML SSO Endpoint, with one change: at the end, replace /sso/saml with /slo/saml.
    5. X.509 Certificate: Download the certificate from the Setup Instructions page using the Download Certificate button and upload it here. Scalefusion uses this certificate to verify the signature on the SAML responses Okta sends; if the signing certificate is ever rotated in Okta, upload the new one here.
  3. Click Save
  4. You will get a confirmation box. Click OK
  5. If you are not already signed in to Okta, you will be redirected to the Okta sign-in page for confirmation. Enter the username and password that you set while adding the user (Add Person) in Okta.
  6. Once authentication succeeds you will land on the page where you need to set a PIN.
    Setting up the PIN is a one-time step.
  7. Creating a Security PIN: A Security PIN is used to authorize certain actions on the Dashboard that require a two-step confirmation. This helps prevent accidental deletion or editing of important data. To create a Security PIN, complete the steps below:
  • Name: You can add or edit the name.
  • Phone Number: Optional. You can edit the phone number here.
  • Create New PIN/Confirm PIN: Choose a 6 digit PIN that will be required to authorize certain actions on the Dashboard as and when required.
  • Click ACCESS DASHBOARD to complete the SAML setup.

Once the PIN is confirmed, the account is marked as a SAML account. From the next sign in onwards this user is not asked for a Scalefusion password, because authentication happens at the provider (Okta). This is also visible on Scalefusion's Sign In screen, where the Password field is no longer shown.

  8. After signing in, the user lands on Sign In Settings with a dialog to select the admin accounts to migrate to SAML based sign in. The user can choose MIGRATE or LATER. The Migrate button is disabled when there are no admins available to migrate.

The SAML settings are successfully configured. On Sign In settings page you will see additional buttons to Disable SAML and Migrate Admins.
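
The values entered in Step 4 (Issuer URL, SSO endpoint/ACS URL, Audience URI and the X.509 certificate) are what the Service Provider uses to decide whether a SAML Response really came from your Okta org and was meant for Scalefusion, completing the flow described under How does it Work. The following is an added example, not code from Scalefusion or Okta, of the checks an SP runs on an incoming response using exactly those values: status, Destination and Recipient against the ACS URL, Issuer against the configured Issuer URL, Audience against the SP Entity ID, the validity window, and finally the NameID that is matched to an admin account. The hostnames, Issuer value and the SAML Response itself are constructed placeholders. XML signature verification against the uploaded certificate is done by an XML-DSig library and is deliberately left out here; the checks below are only meaningful after that signature has been verified.

```python
"""Service-Provider side validation of a SAML Response.  Added example with a
constructed sample response; signature verification is out of scope here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the SP persisted from the dashboard and the Okta setup page (placeholders).
SP_CONFIG = {
    "issuer": "http://www.okta.com/exk0000000000000000",  # Issuer URL copied from Okta
    "acs_url": "https://sp.example.com/saml/acs",          # Single sign on URL
    "audience": "https://sp.example.com/saml/metadata",    # Audience URI (SP Entity ID)
}

# Constructed sample, not a capture.  Signature element omitted on purpose.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
            Recipient="https://sp.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _in_window(now, not_before, not_on_or_after):
    """NotBefore is optional in SAML; NotOnOrAfter is required here."""
    if not_on_or_after is None or now >= _ts(not_on_or_after):
        return False
    return not_before is None or now >= _ts(not_before)


def validate_response(xml_text, config, now):
    """Return (True, name_id) when every check passes, else (False, reason).
    Assumes the XML signature was already verified with the Okta certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a SAML Response"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP reported a non-success status"
    if root.get("Destination") != config["acs_url"]:
        return False, "Destination does not match the ACS URL"
    if root.findtext("saml:Issuer", default="", namespaces=NS) != config["issuer"]:
        return False, "Response Issuer does not match the configured Issuer URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response"
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != config["issuer"]:
        return False, "Assertion Issuer does not match the configured Issuer URL"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not _in_window(now, cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:
        return False, "Audience does not match the SP Entity ID"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        return False, "Recipient does not match the ACS URL"
    if not _in_window(now, None, scd.get("NotOnOrAfter")):
        return False, "bearer confirmation expired"
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        return False, "no NameID to match against an admin account"
    return True, name_id


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 0, 1, 0, tzinfo=timezone.utc)
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, now))
    wrong_audience = SAMPLE_RESPONSE.replace(SP_CONFIG["audience"], "https://other.example.com/saml/metadata")
    print(validate_response(wrong_audience, SP_CONFIG, now))
```

Each failing branch corresponds to one field on the dashboard: a response addressed to another ACS URL, issued by another Okta org, or intended for another SP Entity ID is rejected even if it is otherwise well formed, and a replayed assertion fails on the validity window. The NameID is the value Scalefusion ultimately maps to an admin, which is why the application username in Okta must correspond to the admin's Scalefusion account.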

Migrate Admins to SAML based Sign In

Once the account owner has completed the SAML setup, the remaining admins can be migrated right after the first-time configuration or at any later time.

There are two ways to migrate admins to SAML based Sign In:

Sign In Settings page

  1. Navigate to Admins and Roles > Sign In Settings
  2. Under Configure SAML Sign In, click on the button MIGRATE ADMINS
  3. A dialog box comes up showing all the admin accounts that can be migrated to SAML based sign in. Select the admin accounts that have to be migrated and click Migrate.
    Make sure that the admins being migrated have access to the Scalefusion app, i.e. that the Scalefusion application is assigned to them in Okta.

The admin gets migrated to SAML based Sign In.

Administrators section

  1. Navigate to Admins and Roles > Administrators
  2. Click on the action menu in front of the admin for which SAML based Sign In has to be enforced, and select Enforce SAML Sign In
  3. A dialog box comes up to ensure that the admin has access to Scalefusion app. Click Ok

SAML Sign in is enforced for the admin.

Note that a Reset PIN option now appears in the action menu alongside Edit and Delete.

An admin's account can also be made SAML enabled at the time of account creation, by following these steps:

  1. Navigate to Admins and Roles > Administrators
  2. Click on ADD NEW ADMIN
  3. This opens the Add Admin dialog box. In Admin Types choose the option Allow Sign Up using SAML Sign In
  4. The Last Seen status for this admin will show Not Logged In Yet until the admin signs in on the Scalefusion Dashboard.

Disable SAML

To disable the SAML configuration (only the Account Owner or Co-account owner can do this):

  1. Navigate to Admins and Roles > Sign In Settings
  2. Under Sign In Settings click on the button DISABLE.
  3. You will be asked to enter the Security PIN. Enter it and click Submit.
  4. A dialog box comes up asking you to set a password. This password will be used to sign in once SAML is disabled. Enter the password and click Save.

SAML sign in is also disabled for all related admin accounts (those with SAML Sign In enforced). Each of them receives an email with a password to sign in with.

Behavior for O365/GSuite users

GSuite or O365 users can also be migrated to SAML based sign in with the same process. Once migrated to SAML they can no longer use the GSuite / O365 specific features; after the SAML configuration is disabled, all of those features become available again.

Two Factor Authentication

If two-factor authentication is enabled on an account and SAML is configured, then at sign in:

  1. The user is redirected to the Okta login page.
  2. Once Okta validation succeeds, the user lands on Scalefusion's 2-Factor Authentication page, enters the verification code, and is then signed in.

On Device

In BYOD enrollments with User Enrollment settings enforced, SAML users are asked to authenticate at the time of enrollment with the same credentials they sign in with, and skip the OTP flow. Refer to Okta's help documentation to learn more.

