Okta is a customizable, secure, and drop-in solution to add authentication and authorization services to your applications . Get scalable authentication built right into your application without the development overhead, security risks, and maintenance that come from building it yourself.
You can connect any application in any language or on any stack to Okta and define how you want your users to sign in. Each time a user tries to authenticate, Okta will verify their identity and send the required information back to your app.
Use our SDKs or API to connect your apps, add users, configure rules, customize your sign-in page, and then monitor your services from our built-in report.
Okta documentation
->> In order to connect Okta SSO with the VMS, creation and proper configuration of the
Okta app is needed.
-
SSO app creation wizard https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard.htm
-
Managing the SSO app https://help.okta.com/en-us/Content/Topics/Apps/Apps_Apps_Page.htm
Okta application settings
1. Creating new app
Login as an Admin user, go to Admin dashboard and switch to the classic view.
Click Create New App button to start App Wizard.
2. Choose Sign-on method
VMS supports communication with Identity Provider by SAML 2.0. While creating Okta
app use The SAML App Wizard .
3. Configure SAML
Second step in app creation is a form with SAML details.
The configuration in the MX Cloud is as it follows below.
EXAMPLE For MxCloud - Reseller Account SSO Configuration
Step 1: Enable Branding
To enable SSO, the reseller must first enable branding by going to Account Settings→ Branding as shown below and enable branding - since the MX Cloud is already branded the important setting here is the sub-domain. The sub-domain CAN NOT be left empty. Please see screenshot from the test account:
Step 2: Enable Identity Provider
Once branding is configured and the page is refreshed there will be a new security tab that will be available in the Account Settings. Using the Identity Provider tab under this, an Identity provider can be set up.
MOBOTIX Cloud allows two variations of SSO:
IdP enabled to sign in for all users.
In this option there will be one IdP allowed to be set up. Reseller is responsible for setting up the SSO and users (including sub accounts) will use the same identity provider. In order to configure this select the option: “Use my own Identity Provider to sign in (Single Sign-On”).
Allow only sub-accounts to enable SSO
In this option each sub-account can set up their own SSO. they can also choose not to enable SSO. In this case each sub-account can configure a unique IdP. This is the most used configuration in MOBOTIX Cloud VMS.
EXAMPLE For MxCloud - Sub-account SSO Configuration
Step 1: Enable Identity Provider
Please note on the reseller level it needs to be allowed for the sub-account to use SSO:
Login to MOBOTIX CloudVMS as an end user account (sub account). Go to Account Settings, Security and Identity Provider. You enable SSO by clicking on “Use my own identity provider to sign in.”. The following screen will appear:
Step 2: Configure Identity Provider via SAML
To set up IdP there are configurations that need to be shared between the service provider (MOBOTIX) and the account IdP. Below are the MOBOTIX SAML information that needs to be added in the IdP :
Field | Value |
---|---|
Identifier | mobotixcloud.com |
Reply URL(Assertion Consumer Service URL) | https://<>.mobotixcloud.com/g/aaa/sso/SAML2/Authenticate |
Logout URL | https://mobotix.mobotixcloud.com/g/aaa/sso/SAML2/LogOut |
Field | Description |
---|---|
Sign-on URL | The URL to which MOBOTIX will redirect the user to login. |
Issuer (Identifier) | The unique name for the identity provider |
X.509 certificate | The certificate to set up secure communication. |
There are some known limitations with SSO that you need to be aware before configuring though.
-
SSO using IdP can be enabled only at reseller level or at sub account level. Combining is not possible. Due to this, when the SSO is enabled only for sub accounts, the reseller can no longer set up SSO.
-
Due to the same limitation, when SSO is set up at reseller level, all users including sub accounts need to use the IdP provider of the reseller.
-
Sub account enabled SSO allows only IdP initiated SSO, logging in via https://www.mobotixcloud.com is not possible.
-
With SSO setup users can no longer use MOBOTIX Mobile App since it does not support SSO currently.
-
The welcome email to set password is automatically sent to the user even when the sub account has SSO enabled. This email can be ignored.
-
Currently MOBOTIX Cloud does not restrict users to login using email/password when SSO is enabled.