Configuring Okta for Simplelists SAML2 Authentication

Authenticate to Simplelists using Okta

Introduction

Implementing Okta SAML Authentication for simplelists.com is described below.

Create Okta Application Configuration for simplelists

    Screenshot: the Okta Dashboard with Applications selected
  1. Log in to the Okta Admin Console
  2. Click Applications in the left-hand menu
  3. Click Applications
  4. Click Create App Integration

Create a new app integration

    Screenshot: Create a new app integration with SAML 2.0 selected
  1. Select SAML 2.0
  2. Click Next

Create SAML Integration - General Settings

    Screenshot: Create SAML 2.0 Integration - General Settings
  1. Enter the App name (Simplelists)
  2. Click Next

Create SAML Integration - Configure SAML

    Screenshot: Create SAML 2.0 Integration - Configure SAML
  1. Enter the Single sign-on URL from the simplelists SAML Provider
  2. Enter the Audience URI (SP Entity ID) from the simplelists SAML Provider
  3. Enter the Default RelayState from the simplelists SAML Provider (optional)
  4. Ensure that the Name ID format is set to EmailAddress
  5. Set the Application username to Email
  6. Click Show Advanced Settings

Create SAML Integration - Configure SAML Advanced Settings

    Screenshot: Advanced SAML Configuration Settings
  1. Click Browse Files next to Signature Certificate
  2. Upload the simplelists.cer file downloaded from the Simplelists Authentication

Note: Leave the Signature Algorithm at RSA-SHA256 and the Digest Algorithm at SHA256. The SHA1 options are offered only for legacy service providers and should not be used.

    Screenshot: the SAML setting to validate signed requests
  1. Tick Validate SAML requests with signature certificates next to Signed Requests. Once this is enabled Okta rejects any AuthnRequest that is not signed with the private key matching the uploaded simplelists.cer, so make sure the certificate is the current one before testing.

Create SAML Integration - Configure SAML Attributes (User)

This section varies somewhat based on your Okta and Identity setup as well as your Simplelists configuration.

Screenshot: SAML Attribute Statements - First and Last Name

The Name of each attribute must match the claim name configured in Simplelists. With the settings used here:

  1. First Name: set the Name to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  2. Last Name: set the Name to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

The Name format is URI Reference (if you are using the above names).

For the Value, map each attribute to the corresponding Okta user profile field:

  1. First Name: set the Value to user.firstName
  2. Last Name: set the Value to user.lastName

Create SAML Integration - Configure SAML Attributes (Groups)

This section varies somewhat based on your Okta and Identity setup as well as your Simplelists configuration.

For the Groups attribute you need a claim name and a Filter that selects the Okta groups you have defined for Simplelists.

Screenshot: the SAML Group Attribute Statements

  1. Set the Name to http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
  2. Set the Name format (optional) to URI Reference
  3. Enter a Filter that selects only the groups you want to present to Simplelists (do not use an unrestricted filter such as Matches regex .* or every Okta group the user belongs to will be sent)
  4. Move to the bottom of the page and click Next

In this example the groups defined in Okta for Simplelists all start with "SimpleLists-", so the Filter is Starts with "SimpleLists-".

Screenshot: the button to finalize settings and save

  1. Choose one of the options, provide any required information, and click Finish

Create SAML Integration - Enable Encrypted Assertions (Optional)

Get everything else working first then decide if you want to implement this.

This is an optional step that protects the assertion contents in transit through the browser, but it complicates troubleshooting: with encryption on you can no longer read the attributes in a captured SAMLResponse without the Simplelists private key. Enable it only once you have fully tested your implementation.

Screenshot: Assertion Encryption options

  1. Upload the same certificate for the Encryption Certificate that you used for the Signature Certificate (Okta encrypts the assertion to this public key, so Simplelists must hold the matching private key)
  2. Select Encrypted for Assertion Encryption
  3. Select AES256-GCM for the Encryption Algorithm
  4. Select RSA-OAEP for the Key Transport Algorithm (avoid RSA-1.5, which uses PKCS#1 v1.5 padding)

Assign Okta Application to your User (or Group)

Depending on your Okta setup you will need to assign the new Simplelists application either to the user directly or to a group that includes the user.

    Screenshot: SAML Group Assignment
  1. Click Assignments
  2. Click Assign
  3. Click Assign to People
    Screenshot: assigning people to the SAML application
  4. Choose the person you wish to assign
  5. Click Assign
    Screenshot: the assignment of a person to the SAML application
  6. Click Save and Go Back
  7. Click Done

Okta Groups required for Automatic User Creation (Optional)

Get everything else working first then decide if you want to implement this.

If you want Simplelists users to be created automatically when a valid authentication assertion is received, the users must be assigned "Simplelists" groups in Okta and the application must be configured to include those groups in the assertion. See "Create SAML Integration - Configure SAML Attributes (Groups)" above. Give the groups a common prefix such as "SimpleLists-" so that the filter is easy to write.

Note: When you change or remove the Simplelists related groups assigned to a user in Okta, the Simplelists permissions for that user are modified on the user's next login. If you remove all Simplelists groups from the user, the user is deleted from Simplelists the next time they attempt to log in.

Note: SimpleLists group permissions are additive.  That is, if a user is a member of multiple groups that assign different permissions, the user is assigned ALL the permissions assigned by the individual groups.
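The following Python script is an added example, not code from the Simplelists or Okta documentation. It models the attribute statement the Okta application configured above releases for a user (first name, last name, and the groups that pass the "Starts with SimpleLists-" filter), shows how to decode the SAMLResponse form field for troubleshooting while Assertion Encryption is still off, and applies the additive group-permission rule described in the note above. The group-to-permission mapping, the sample user and the unsigned sample response are constructed assumptions; a real Okta response is signed and must be verified before anything in it is trusted.

```python
"""Added example; not code from the Simplelists or Okta documentation.

Assumptions not in the original page: the 'Starts with SimpleLists-' group
filter, a hypothetical group-to-permission map, and a constructed, unsigned
sample response (a real Okta response is signed and must be verified first).
"""
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)
NS = {"saml": SAML, "samlp": SAMLP}

# Claim URIs exactly as entered in the Okta attribute statements above.
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Hypothetical Simplelists mapping (assumption): Okta group -> permissions.
GROUP_PERMISSIONS = {
    "SimpleLists-Members": {"post"},
    "SimpleLists-Moderators": {"post", "moderate"},
    "SimpleLists-Admins": {"post", "moderate", "manage-subscribers"},
}


def filter_groups(user_groups, prefix="SimpleLists-"):
    """Emulate Okta's 'Starts with' group filter: only matching groups are released."""
    return sorted(g for g in user_groups if g.startswith(prefix))


def build_response(email, first, last, user_groups):
    """Construct the samlp:Response Okta would POST, base64-encoded like the
    SAMLResponse form field. The XML signature is deliberately omitted here."""
    resp = ET.Element(f"{{{SAMLP}}}Response", Version="2.0")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", Version="2.0")
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    # Name ID format EmailAddress, matching the Configure SAML settings above.
    ET.SubElement(subject, f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").text = email
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, values in ((GIVENNAME, [first]), (SURNAME, [last]),
                         (GROUPS, filter_groups(user_groups))):
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name, NameFormat=URI_FORMAT)
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return base64.b64encode(ET.tostring(resp, encoding="utf-8")).decode("ascii")


def decode_response(saml_response_b64):
    """Decode a SAMLResponse form value and pull out the NameID and attributes.
    Only usable while Assertion Encryption is Unencrypted; with encryption on,
    the Simplelists private key is needed before any of this is readable."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "email": name_id,
        "first": attrs.get(GIVENNAME, [None])[0],
        "last": attrs.get(SURNAME, [None])[0],
        "groups": attrs.get(GROUPS, []),
    }


def effective_permissions(groups, mapping=GROUP_PERMISSIONS):
    """Permissions are additive: the union over every group the user is in.
    A user with no mapped groups gets the empty set (the guide says such a
    user is removed from Simplelists on the next login)."""
    perms = set()
    for g in groups:
        perms |= mapping.get(g, set())
    return perms


if __name__ == "__main__":
    # Constructed sample user; 'Everyone' and 'Engineering' must not be released.
    b64 = build_response("alice@example.com", "Alice", "Liddell",
                         ["Everyone", "SimpleLists-Moderators", "Engineering",
                          "SimpleLists-Members"])
    parsed = decode_response(b64)
    print(parsed)
    print(sorted(effective_permissions(parsed["groups"])))
```

To inspect a real login, copy the SAMLResponse value from the browser's network tab (the POST to the Single sign-on URL) and pass it to decode_response; the unrelated Okta groups should be absent from the groups claim if the filter is correct.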

Obtain the Okta Certificate and Metadata

    Screenshot: the URL used to access the metadata
  1. Click View SAML setup instructions on the right of the page
    Screenshot: the page where the certificate can be downloaded
  2. Click Download certificate and save okta.cer to your computer
  3. Select all the text (use <Ctrl>+<A> or right click and choose Select All) in the field labelled Provide the following IDP metadata to your SP provider
  4. Paste the text into a file named metadata.xml and save it. The metadata embeds the same signing certificate you downloaded as okta.cer; both are handed to Simplelists so it can verify Okta's signatures.
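The following Python script is an added example, not part of the Simplelists or Okta documentation. It sanity-checks the metadata.xml and okta.cer saved above before they are handed to Simplelists: it reads the entityID, the SingleSignOnService endpoints and the WantAuthnRequestsSigned flag (which should be true once Signed Requests is enabled), confirms the emailAddress NameID format is advertised, and verifies that the signing certificate embedded in the metadata is the same DER blob as okta.cer, printing a SHA-256 fingerprint for out-of-band comparison. The sample metadata and certificate are constructed with Okta's shape but fake values (the "certificate" is a placeholder byte string, not real DER).

```python
"""Added example; not from the Simplelists or Okta documentation.

Assumptions: the sample metadata and certificate below are constructed
placeholders (Okta-shaped XML, fake entityID, a byte string in place of a real
X.509 certificate). For real files, pass the contents of metadata.xml and
okta.cer to check_metadata().
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def pem_from_der(der):
    """Wrap raw bytes in the PEM armor that okta.cer uses (64-character lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der_from_pem(pem_text):
    """Strip the PEM armor and whitespace and return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def parse_idp_metadata(xml_text):
    """Extract what Simplelists needs from Okta's IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        # Binding is a URN ending in HTTP-POST or HTTP-Redirect; keep the short name.
        sso[svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing as well.
        if kd.get("use", "signing") == "signing":
            b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or ""
            certs.append(base64.b64decode("".join(b64.split())))
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "sso": sso,
        "signing_certs": certs,
        "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }


def check_metadata(metadata_xml, cer_pem):
    """Return (parsed metadata, list of problems). An empty list means consistent."""
    md = parse_idp_metadata(metadata_xml)
    cer = der_from_pem(cer_pem)
    problems = []
    if not md["entity_id"]:
        problems.append("metadata has no entityID")
    if "HTTP-POST" not in md["sso"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for binding, loc in md["sso"].items():
        if not loc.startswith("https://"):
            problems.append(f"{binding} endpoint is not https: {loc}")
    if EMAIL_FORMAT not in md["nameid_formats"]:
        problems.append("emailAddress NameID format not advertised; check the Name ID format setting")
    if cer not in md["signing_certs"]:
        problems.append("okta.cer does not match any signing certificate in metadata.xml")
    return md, problems


# Constructed sample (fake values; the certificate is a placeholder, not real DER).
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_CER = pem_from_der(FAKE_DER)
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/simplelists/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.okta.com/app/simplelists/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(FAKE_DER).decode("ascii")

if __name__ == "__main__":
    md, problems = check_metadata(SAMPLE_METADATA, SAMPLE_CER)
    print("entityID:", md["entity_id"])
    print("SSO endpoints:", md["sso"])
    print("requires signed AuthnRequests:", md["wants_signed_requests"])
    print("okta.cer SHA-256:", hashlib.sha256(der_from_pem(SAMPLE_CER)).hexdigest())
    print("problems:", problems or "none")
```

For the real files, read metadata.xml as bytes and okta.cer as text and pass both to check_metadata; the printed fingerprint can be compared with the one shown in the Okta admin console so you know the certificate was not swapped on the way to Simplelists.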

Testing Login

Logging in from the Simplelists page

    Screenshot: the Simplelists main page
  1. Access the Simplelists page and click Login
    Screenshot: the Simplelists login page
  2. Enter your Okta-enabled email address and click Submit
    Screenshot: the Okta login page
  3. If everything is correctly configured you will be redirected to the Okta login page
  4. Enter your Okta username and password and click Sign In

If all goes well you should be logged into the Simplelists application page.

Logging in from the Okta “MyApps Dashboard”

Screenshot: the Okta My Apps page

  1. Log in to your Okta dashboard
  2. Locate the Simplelists app that was created
  3. Click the app tile

Okta should perform an IdP-initiated login, sending a SAML assertion to the Single sign-on URL entered when the Okta application was created, and you should land in Simplelists logged in.