7.3.4. Okta Configuration
7.3.4.1. Prerequisites
- Okta Permissions
You will need the appropriate Okta permissions to create the application and groups for mapping recorder permissions.
- TLS Certificate
A valid TLS certificate must be installed and enabled on the recorder.
- Entity ID
The entity ID is a unique identifier for the service provider (SP) and the identity provider (IdP). The entity ID for the SP must be provided, and the entity ID for the IdP is programmatically pulled from its metadata file.
- Metadata File
The metadata file is an XML document that contains information about the IdP. It includes the IdP’s entity ID, public key, and other relevant information. The metadata file is used to configure the SP to trust the IdP. This can be obtained from Okta after configuring the application.
- User Groups
User groups must be correctly set up on the recorder and Okta. The groups in the recorder must align with those in Okta to ensure proper group mapping for SAML authentication. Ensure groups in Okta have been created and users assigned.
- Configuration Manager
Access to Configuration Manager is required to configure the SAML authentication provider on the recorder. The Configuration Manager login icon will not be available in the lower right-hand corner when accessing Configuration Manager. You will need to log in by going to <host>/admin.
- MediaWorks Replay
After successfully configuring Okta, log in to MediaWorks by navigating to the recorder and logging in.
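The metadata file described above is what the recorder reads to learn the IdP's entity ID and signing key. The following is an added example, not code from the recorder or from Okta, that parses a constructed metadata document of the shape Okta publishes and checks the points a service provider depends on before trusting it: an entity ID is present, a signing certificate is present, and the single sign-on endpoints use HTTPS. The entity ID, hostname and certificate body in the sample are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata in the shape Okta serves at an application's Metadata URL.
# The entityID, hostname and certificate body are placeholders, not real values.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkCONSTRUCTEDPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIC-CONSTRUCTED-CERTIFICATE-PLACEHOLDER</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.okta.com/app/placeholder/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.okta.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(metadata_xml):
    """Return the fields a SAML service provider takes from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not SAML metadata: root element is {root.tag}")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                certs.append("".join((cert.text or "").split()))

    sso = {
        s.get("Binding"): s.get("Location")
        for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")
    }
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": [c for c in certs if c],
        "sso_endpoints": sso,
        "nameid_formats": [n.text for n in idp.findall(f"{{{MD_NS}}}NameIDFormat")],
    }


def check_idp_metadata(info):
    """Return the problems that should stop this metadata from being loaded."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertions could not be verified")
    if HTTP_POST not in info["sso_endpoints"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for binding, location in info["sso_endpoints"].items():
        if urlparse(location or "").scheme != "https":
            problems.append(f"{binding} endpoint is not https: {location}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entity ID:", info["entity_id"])
    print("Problems:", check_idp_metadata(info) or "none")
```

Run it against the metadata downloaded from Okta instead of the sample to confirm the entity ID the recorder will pull matches what you expect before enabling the provider.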
7.3.4.1.1. Configuration Steps
In the Okta admin console, navigate to and select Create App Integration:
Fig. 7.34 Create app integration
Select SAML 2.0 for the sign-in method and click Next:
Fig. 7.35 Select SAML 2.0 as sign-in method
Enter a name on the General Settings page and click Next:
Fig. 7.36 SAML General Settings
On the Configure SAML page, enter the required values as shown in the below screenshot.
Single sign-on URL (Assertion Consumer Service URL (ACS)) - This will be https://<RECORDER_FQDN>/auth.sso/SAML2/POST – in the case of this example https://sp.nexlog.host/auth.sso/SAML2/POST.
Audience URI (SP Entity ID) - This can be any value as long as it is unique within your Okta tenant. Standard practice is to make this a URL, though the URL does not have to point to anything, nor does it need to resolve. It’s simply used as a unique identifier. For this document, we will use the value, https://sp.nexlog.host/relyingidentifier. Make note of this value, as it will be used later to configure the recorder side of SAML.
Fig. 7.37 SAML Settings
If you elected to limit config access to port 8443 (on the recorder), you can add an additional ACS URL by expanding Show Advanced Settings and clicking Add Another under Other Requestable SSO URL. This will be the same value as the Single sign-on URL (Assertion Consumer Service URL (ACS)) above but specifying port 8443 (e.g. https://sp.nexlog.host:8443/auth.sso/SAML2/POST).
Fig. 7.38 Optional Additional ACS for config access on port 8443
Scroll down to the Attribute Statements (optional) section. If you'd like to map attributes such as name, you can add them as shown below:
Fig. 7.39 Additional attributes
The default SAML attribute mapping used by recorders takes the username from the UPN, stripping everything after the @ symbol. Since this example uses email for the username and also adds groups and additional attributes, the attribute mapping will need to be updated by logging into Configuration Manager, navigating to and clicking View / Edit at the bottom of the page.
Below is a mapping that could be used with this example configuration:
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="remote_user"/>
<Attribute name="FirstName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_firstname"/>
<Attribute name="LastName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_lastname"/>
<Attribute name="Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_email"/>
Scroll down to Group Attribute Statements (optional) and configure as shown below, replacing the filter with the prefix of the groups you created within Okta:
Fig. 7.40 SAML Group Settings
In order for the groups to be mapped correctly, you will need to update the SAML attribute map for this as well using the below example:
<Attribute name="groups" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_group"/>
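To make the two attribute-map fragments above concrete, the following added example (not the recorder's own mapping engine, whose internals this page does not describe) applies them to a constructed Okta assertion and shows which recorder ids each one fills: the nameid-format entry maps the Subject NameID to remote_user, the named entries map AttributeStatement values, and groups arrive as several AttributeValue elements under one attribute. It also shows the default behaviour the page describes of stripping everything after @ from a UPN, and a prefix filter that mirrors Okta's "Starts with" group filter. Assumptions: the <Attributes> wrapper element, the saml2 prefix, and the user and group names are all constructed for the sample.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PREFIX = "urn:oasis:names:tc:SAML:1.1:nameid-format:"

# The four user mappings and the group mapping from the page, wrapped in an
# <Attributes> element (the wrapper is an assumption for this example).
ATTRIBUTE_MAP = """<Attributes>
  <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="remote_user"/>
  <Attribute name="FirstName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_firstname"/>
  <Attribute name="LastName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_lastname"/>
  <Attribute name="Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_email"/>
  <Attribute name="groups" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_group"/>
</Attributes>
"""

# Constructed assertion fragment: the Subject and AttributeStatement an IdP configured as
# above would send. Signature and Conditions are omitted; the user and groups are made up.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>Alice</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>Example</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>nexlog-admins</saml2:AttributeValue>
      <saml2:AttributeValue>nexlog-users</saml2:AttributeValue>
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def load_attribute_map(map_xml):
    """Read each <Attribute name=.. nameFormat=.. id=../> entry into a dict."""
    return [
        {"name": a.get("name"), "nameFormat": a.get("nameFormat"), "id": a.get("id")}
        for a in ET.fromstring(map_xml).iter("Attribute")
    ]


def apply_attribute_map(assertion_xml, entries):
    """Resolve every mapping entry against one assertion; returns {id: [values]}."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    attrs = root.findall(f".//{{{SAML_NS}}}AttributeStatement/{{{SAML_NS}}}Attribute")
    resolved = {}
    for entry in entries:
        if entry["name"].startswith(NAMEID_PREFIX):
            # A nameid-format entry maps the Subject NameID, and only if the IdP used that format.
            if name_id is not None and name_id.get("Format") == entry["name"] and name_id.text:
                resolved[entry["id"]] = [name_id.text.strip()]
            continue
        for attr in attrs:
            if attr.get("Name") != entry["name"]:
                continue
            fmt = attr.get("NameFormat")
            if entry["nameFormat"] and fmt and fmt != entry["nameFormat"]:
                continue  # same Name under a different NameFormat is a different attribute
            values = [v.text.strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue") if v.text]
            resolved.setdefault(entry["id"], []).extend(values)
    return resolved


def upn_to_username(upn):
    """Default recorder behaviour described on the page: keep only the part before '@'."""
    return upn.split("@", 1)[0]


def filter_groups(groups, prefix):
    """Mirror Okta's 'Starts with' group filter: only groups with the prefix are sent on."""
    return [g for g in groups if g.startswith(prefix)]


if __name__ == "__main__":
    resolved = apply_attribute_map(SAMPLE_ASSERTION, load_attribute_map(ATTRIBUTE_MAP))
    for attr_id, values in resolved.items():
        print(f"{attr_id}: {values}")
    print("groups after prefix filter:", filter_groups(resolved["attr_group"], "nexlog-"))
```

The prefix filter is the reason the page asks you to replace the Okta group filter with the prefix of the groups you created: without it, every group the user belongs to (here including Everyone) is sent to the recorder, and the recorder has to rely on its own group list to ignore the extras.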
Click Next at the bottom of the Configure SAML page and then Finish on the Feedback page.
Navigate back to and select your new application. On the Sign On tab, scroll down and copy the Metadata URL. You will use this when completing the recorder side of the configuration.
Fig. 7.41 Download Metadata
This completes the Okta side of the configuration and you can now move on to Recorder SAML Configuration.