Okta via SAML

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between parties, in our case between an identity provider (Okta) and a service provider (the Mindful login, which is backed by Amazon Cognito). SAML is widely used to implement SSO and identity management in enterprise environments. As with OIDC, your Okta tenant can use SAML to provide SSO to Mindful.

This section covers the Okta SSO integration with SAML. Topics covered:

  • Setting up SAML in Okta
  • Configuring your Mindful Organization
  • Adding Role Mappings
  • SAML single logout

Set up SAML in Okta

  1. Navigate to Applications and click Create App Integration.
  2. Select the SAML 2.0 radio button, then click Next.
  3. Under App Name, enter a name of your choice, then click Next.
  4. For Single sign on URL, enter the appropriate URL provided by the Mindful Support team.
  5. Click Use this for Recipient URL and Destination URL.
  6. Set the Audience URI (SP Entity ID) to urn:amazon:cognito:sp:<user pool id>, where <user pool id> is the Cognito User Pool ID. Contact the Mindful Support team to obtain this ID. The same value is used as the SP Issuer when you configure single logout.
  7. Set the Application username to Email.
  8. Attribute Statements: Add a new entry:
    • Name: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • Name format: Select Unspecified.
    • Value: Enter user.email
  9. Group Attribute Statements: Add a new entry:
    • Name: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups
    • Name format: Select Unspecified.
    • Filter: Select Matches regex with a value of .* (this sends every group the user belongs to in the assertion; a narrower regex that still matches the groups you will map to Mindful roles limits what is disclosed).
  10. Click Next.
  11. Select I'm an Okta customer adding an internal app.
  12. Select This is an internal app that we have created.
  13. Click Finish.
  14. Make sure your users and/or groups are assigned to the application by going to the Assignments tab and selecting users/groups.

Configure your Mindful Organization for SAML using Okta

Now it's time to link the Mindful Organization to your Okta SAML account. This step can only be performed by Mindful staff.

Add role mappings (Okta to Mindful)

Now you will need to map your Okta group to Mindful roles.

  1. Click Add Role Map.
  2. For Name, enter the name of the Okta group. Matching is not case-sensitive.
  3. For Roles, enter the Role or Roles that a user will be assigned when they log in with a matching group name.
  4. Add further role maps as needed. Make sure to click Save to persist your changes.
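The following is an added example, not Mindful's or Cognito's own code, showing what the two attribute statements configured above look like when they arrive in a SAML assertion, and how the case-insensitive group-to-role mapping just described resolves them. The assertion is a constructed sample (not a real Okta response), and the role map values and issuer are placeholders. It assumes the SAML Response signature has already been verified; parsing an unverified response with the standard library parser is not safe in production.

```python
import xml.etree.ElementTree as ET

# Claim names the Okta app is configured to emit (from the attribute statements above).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUPS_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups"

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Okta response). Group names and the
# Okta issuer are placeholders. "Name format: Unspecified" appears as the
# attrname-format:unspecified NameFormat.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>http://www.okta.com/exkEXAMPLE</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>Mindful-Admins</saml2:AttributeValue>
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {claim_name: [values]} from the assertion's AttributeStatement.

    Assumes the enclosing Response has already been signature-checked; for
    untrusted XML use a hardened parser such as defusedxml instead.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_roles(groups, role_maps):
    """Union the roles of every role map whose Name matches a group, ignoring case.

    role_maps is {okta_group_name: [mindful_roles]} (hypothetical shape).
    Groups with no role map, such as Okta's built-in Everyone, grant nothing.
    """
    by_name = {name.casefold(): set(roles) for name, roles in role_maps.items()}
    roles = set()
    for group in groups:
        roles |= by_name.get(group.casefold(), set())
    return sorted(roles)


def login_decision(assertion_xml, role_maps):
    """Return (email, roles) for the user described by the assertion."""
    attrs = extract_attributes(assertion_xml)
    emails = attrs.get(EMAIL_CLAIM, [])
    if len(emails) != 1:
        raise ValueError("expected exactly one emailaddress claim, got %d" % len(emails))
    return emails[0], resolve_roles(attrs.get(GROUPS_CLAIM, []), role_maps)


if __name__ == "__main__":
    # Placeholder role maps; capitalization deliberately differs from the group name.
    print(login_decision(SAMPLE_ASSERTION, {"MINDFUL-ADMINS": ["Administrator"], "Agents": ["Agent"]}))
```

A user in a group with no matching role map ends up with an empty role list, which is why the regex filter and the role map names should be kept in step.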

SAML Single logout in Okta

When enabled, logging out of the Mindful UI also logs the user out of Okta. After the Cognito logout, Cognito redirects the browser to Okta's Single Logout URL with a signed SAML LogoutRequest carried on the query string (the SAML HTTP-Redirect binding). Okta checks that the request's Issuer matches the SP Issuer configured below and verifies the request signature against the Signature Certificate you upload, which is the public certificate of the Cognito signing key. Only if both checks pass does Okta end the user's session.
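To make the "specially formatted package on the query string" concrete, here is an added example (not Cognito's or Okta's code) that encodes a LogoutRequest the way the SAML HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode) and performs the receiving side's Issuer check against the configured SP Issuer. The LogoutRequest, user pool ID and Okta URL are constructed placeholders. A real redirect also carries SigAlg and Signature parameters, and verifying that signature against the uploaded certificate is the step this example leaves out.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Placeholder pool ID; the real value is urn:amazon:cognito:sp:<user pool id>.
SP_ISSUER = "urn:amazon:cognito:sp:us-east-1_EXAMPLE"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed LogoutRequest (not captured from Cognito); Destination is a placeholder.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_slo_example" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://example.okta.com/app/EXAMPLE/slo/saml">'
    '<saml2:Issuer>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml2:Issuer>'
    '<saml2:NameID>jane.doe@example.com</saml2:NameID>'
    '</samlp:LogoutRequest>'
)


def encode_redirect(request_xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 selects raw DEFLATE
    deflated = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})


def decode_redirect(query_string):
    """Reverse the binding: URL-decode, base64-decode, inflate back to XML text."""
    params = urllib.parse.parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def issuer_of(request_xml):
    """Return the <saml2:Issuer> text of a LogoutRequest."""
    root = ET.fromstring(request_xml)
    return root.findtext("saml2:Issuer", namespaces=NS)


def issuer_matches(query_string, expected_issuer):
    """The Issuer check Okta applies before trusting the request (signature check not shown)."""
    return issuer_of(decode_redirect(query_string)) == expected_issuer


if __name__ == "__main__":
    qs = encode_redirect(LOGOUT_REQUEST)
    print(qs[:60] + "...")
    print("issuer ok:", issuer_matches(qs, SP_ISSUER))
```

If the SP Issuer entered in Okta differs from the Issuer Cognito sends (for example a typo in the user pool ID), this check fails and Okta leaves the session open even though the Mindful side has logged out.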

To enable:

  1. In Cognito UserPool > Identity Provider, enable the Sign Out flow.
  2. In Okta > Applications > Edit > SAML Configuration > Edit, select Show Advanced Settings.
  3. Select the Enable Single Logout setting.

Next, complete the form as follows:

  1. Single Logout URL: Enter the appropriate value provided by the Mindful Support team.
  2. SP Issuer: Enter urn:amazon:cognito:sp:<user pool id>
  3. Signature Certificate: Obtain the signing certificate for the user pool from the Cognito AWS console. The console presents it as a bare base64 string; convert it to PEM (.crt) format, because Okta will not accept it otherwise:
    1. Add the correct header (-----BEGIN CERTIFICATE-----) and footer (-----END CERTIFICATE-----).
    2. Insert line breaks every 64 characters.
    3. Save the file with a .crt extension.

Example

Sample certificate with line breaks added every 64 characters:

-----BEGIN CERTIFICATE-----
MIICvDCCAaSgAwIBAgIIOc0ggmd46TMwDQYJKoZIhvcNAQELBQAwHjEcMBoGA1UE
AwwTdXMtZWFzdC0xX3ZVbXlKcUVSZjAeFw0yMjA3MTgxNzU0MzRaFw0zMjA3MTgx
...etc...
fDAL+E3i7TTP9TVZkUt0hKaUGi3/SMF3xrMVVITLrTqYhZzHq+PtPMqZBb8ugI6N
+mMIF6JDN7OiU5y2ARg6xdB4t5gl04GjdbI9cIEGaOo=
-----END CERTIFICATE-----
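The three formatting sub-steps above are easy to get wrong by hand (a stray space, a 65-character line). As an added example that is not part of the Mindful documentation or any AWS or Okta tool, the following script performs the conversion and checks the result before you upload it. The input is a constructed stand-in for the base64 string copied from the Cognito console, not a real certificate.

```python
import base64

# Constructed stand-in for the bare base64 string shown in the Cognito console
# (not a real certificate): a DER SEQUENCE tag followed by filler bytes.
SAMPLE_RAW_BASE64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(range(200))).decode("ascii")

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_pem_certificate(raw_base64):
    """Turn a bare base64 certificate into the PEM text Okta expects in a .crt file."""
    body = "".join(raw_base64.split())            # drop whitespace picked up when copying
    der = base64.b64decode(body, validate=True)   # rejects anything that is not clean base64
    if not der or der[0] != 0x30:                 # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("input does not look like a DER-encoded certificate")
    b64 = base64.b64encode(der).decode("ascii")   # re-encode so the wrapping is canonical
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def is_well_formed_pem(pem):
    """Check header/footer, 64-character wrapping and base64 validity before uploading."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        return False
    body = lines[1:-1]
    if any(len(line) != 64 for line in body[:-1]) or not 1 <= len(body[-1]) <= 64:
        return False
    try:
        base64.b64decode("".join(body), validate=True)
    except ValueError:                            # binascii.Error is a ValueError subclass
        return False
    return True


def write_crt(raw_base64, path):
    """Write the converted certificate to a .crt file with Unix line endings."""
    pem = to_pem_certificate(raw_base64)
    with open(path, "w", newline="\n") as handle:
        handle.write(pem)
    return pem


if __name__ == "__main__":
    print(to_pem_certificate(SAMPLE_RAW_BASE64))
```

Run it with the string copied from the Cognito console in place of the constructed sample; is_well_formed_pem returns False for the unwrapped single-line form that Okta rejects.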