Single Sign-On

Single Sign-On (SSO) means that a user logs in once and gains access to multiple applications and servers instead of logging in separately to each service. SSO simplifies the login process and reduces the number of credentials users need to manage. When SSO is integrated with the OpCenter, users log in to the OpCenter just like they log in to any other service covered by SSO. That is, the user authenticates to the SSO service and the credentials are forwarded to the OpCenter (using a SAML assertion).

Security Assertion Markup Language

Security Assertion Markup Language (SAML) is an XML-based format for transferring authentication information between an Identity Provider (IdP) and a Service Provider (SP).

Identity Provider (IdP) stores, manages, and verifies user identity. For example, Google acts as an IdP when you log in to your Google account to access another party's application.
Service Provider (SP) accepts that the IdP has verified the user and grants access to the resources that the SP offers. For example, Salesforce is an SP.

OAuth is a similar standard to SAML, supported by Google, Twitter, and others. OAuth uses a similar methodology as SAML, although OAuth uses JSON format.

The interactions among user, IDP, and SP are shown in the figure.

SSO using SAML

SSO with Okta Platform

In the current MMCloud release, the OpCenter provides SSO by integrating with the Okta Platform. The Okta Platform is the IdP and the OpCenter is the SP.

Configuration

To integrate the OpCenter with the Okta Platform, you must have access to the following before starting the configuration.

OpCenter running MMCloud release 3.1.1 or later
Subscription to the Okta Platform with admin access

Configuration proceeds in two steps in this order.

Configure the Okta Platform
Configure the OpCenter

Note

It is likely that the Okta Platform is part of your organization's existing IT security infrastructure because SSO is a solution providing access to multiple applications, not just the OpCenter. In this case, you need to open a ticket with your IT support team to configure the Okta side of the OpCenter-Okta integration.

Configure the Okta Platform

Note

The Okta Platform has many features and there are options for advanced configurations. The description that follows is a simple case for the purpose of demonstrating integration with OpCenter.

Complete the following steps.

Sign in to the Okta dashboard by clicking the link to your organization's sign-in page. (When you subscribe, Okta sends this link to the email address that you provide to Okta.)
Sign in to the Admin Console by clicking the Admin button at the top, right-hand side of the Okta screen (enter your password when prompted)
In the left-hand column, select Applications->Applications and then click Create App Integration
Select SAML 2.0 and then click Next
Enter a name for your app (name in the example shown is opcenter-tw) and then click Next
Populate the SAML Configuration parameters as shown in the figure
- Replace the IP address with the IP address of your OpCenter. If you are using private IP addresses, confirm network connectivity to Okta server.
- Choose Okta username (name@company.com) or Okta username prefix (name) as the format for Application username
Scroll down to the Group Attribute Statements (optional) section and then fill in the fields as shown in the figure. The filter shown selects all available groups. Then click Next.

Note

You must use user-groups as the Group Attribute Statement name. Otherwise, the groups selected by the filter are not recognized by the OpCenter.
Check the box to indicate this is an internal app and then click Finish
In the left-hand column, select Directory->Groups and then click Add Group
In the pop-up window, fill in the fields as shown and then click Save

Note

The mmce-admin group is hard-coded in the OpCenter. Users in the mmce-admin group are automatically given admin roles in the OpCenter. If the OpCenter receives a SAML assertion containing an unknown group, the OpCenter creates a new group with that name and assigns a normal role to any user in that group.
In the left-hand column, select Directory->People and then click Add person. (Alternatively, click More actions and select Import users from CSV)
In the pop-up window, fill in the fields. Use your first and last names and your company email address. Username is used to authenticate you. Click Save.

Note

For an admin user, enter mmce-admin in the "Groups" section. For a normal user, leave the "Groups" section blank.
In the left-hand column, select Directory->People and then search for your user. Click your user.
Click Assign Applications
In the pop-up window, search for your OpCenter app, then click Assign, and then click Done
In the left-hand column, select Applications->Applications and then select your OpCenter. Go to the Sign-on tab.
Scroll down the page and copy the Metadata URL. You need this URL to configure the OpCenter

The Metadata URL looks like this: https://153.okta.com/app/48adv3LLrnoyA697/sso/saml/metadata
Expand the More details section and copy the Sign on URL. You need this URL to log in to the OpCenter using SSO.
(Optional) Unless configured otherwise, the username appearing in your user profile is displayed as the username in the OpCenter. You can override this by configuring a "display" name that the OpCenter uses as the username (you can configure a different display name for each OpCenter). To change the display name, follow the steps below.

Warning

Unlike usernames based on email addresses, display names are not guaranteed to be unique across users in your organization. Duplicate display names for one OpCenter may cause conflicts. The Okta Platform administrator must manually ensure that duplicate display names do not occur for each OpCenter.
- Scroll to the top of your OpCenter application screen and click the Assignments tab
- Click the edit icon next to your user
- Choose a username to display on the OpCenter and click Save (the name shown in the figure is an example)
Note

In the OpCenter model, a username uniquely identifies a user. In the Okta Platform model, a profile of attributes, including username, uniquely identifies a user. If the "username" (either authentication or display name) passed to the OpCenter in the SAML assertion changes, the OpCenter creates a new user associated with the new "username."

Configure the OpCenter

Complete the following steps.

Log in to your OpCenter as an admin user (replace OPCENTER_IP_ADDRESS with the IP address of your OpCenter)
```
$ float login -a OPCENTER_IP_ADDRESS -u admin
Password: 
Login Succeeded!
```
Enable saml on your OpCenter
```
float saml enable --networkAddress OPCENTER_IP_ADDRESS --metadataURL idpMETADATA_URL
```
Replace.
- OPCENTER_IP_ADDRESS: IP address (public or private depending on your set-up) of the OpCenter
- idpMETADATA_URL: use the Metadata URL you copied above
Check your configuration
```
$ float saml info
idpMetadataURL: https://.../sso/saml/metadata [edited]
networkAddress: 44.220.148.50
metadataURL: https://44.220.148.50/api/v1/saml/metadata
acsURL: https://44.220.148.50/api/v1/saml/acs
```
Note

The idpMetadataURL identifies the IdP that the OpCenter uses to authenticate users. This is the same as the Metadata URL you copied from the Okta Platform (under the Sign On tab in the OpCenter application screen). The metadataURL returned by float saml info is different. This is the URL you enter in the Audience URI (SP Entity ID) field when configuring your OpCenter application on the Okta Platform.

Log in to the OpCenter

Open a browser tab and go the URL you copied above as Sign on URL. Depending on the groups you assigned to your user, you are logged in as a normal or admin user.

Disable SSO on the OpCenter

Complete the following steps.

Log in to your OpCenter as an admin user (replace OPCENTER_IP_ADDRESS with the IP address of your OpCenter)
```
$ float login -a OPCENTER_IP_ADDRESS -u admin
Password: 
Login Succeeded!
```

Disable saml on your OpCenter

$ float saml disable
SAML has been disabled