SSO with Okta - Connect IT Community | Kaseya
<main> <article class="userContent">
<p>Introduction</p>
<p>Our PSA supports integrating the application with Okta’s SSO product. Okta is a cloud-based SSO provider that supports the SAML 2.0 standard. This guide helps you to integrate PSA with Okta. After a successful setup, a user who logs in to Okta and navigates to their applications dashboard can click on the PSA app, and it will launch their tenant site with the user already logged in.</p>
<p><img src="https://us.v-cdn.net/6032361/uploads/migrated/L7UOENW7TTJV/14-singin-okta-page.png" alt="14_singin_okta_page.png" class="embedImage-img importedEmbed-img"></img></p>
<p>Pre-requisites</p>
<ul><li>Admin account in PSA and <a rel="nofollow" href="https://www.okta.com/">Okta</a></li>
<li>Setup in Okta</li>
</ul>
<p>Sections</p>
<p>Setup of SSO with Okta and PSA involves the following steps.</p>
<ul><li><a rel="nofollow" href="#h_01EWFS4KB85PCH7RF50GQKT8KE">Add PSA application in Okta.</a></li>
<li><a rel="nofollow" href="#h_01EWFS4RS8KNRBVBXNHJRWPSM1">Application Assignment in Okta</a></li>
<li><a rel="nofollow" href="#h_01EWFS4YPKG2Q4SWD251FTJPTF">Setup SSO in PSA</a></li>
</ul>
<h3 id="h_01EWFS4KB85PCH7RF50GQKT8KE" data-id="add-psa-application-in-okta">Add PSA application in Okta.</h3>
<ul><li>Log in to your Okta portal using your admin account</li>
<li>Navigate to the Admin dashboard</li>
</ul>
<p><img src="https://us.v-cdn.net/6032361/uploads/migrated/UZ6F399T0O4N/mceclip2.png" alt="mceclip2.png" class="embedImage-img importedEmbed-img"></img></p>
<ul><li>Click on <strong>Add Applications</strong></li>
<li>Choose <strong>Create New App</strong></li>
</ul>
<p><img src="https://us.v-cdn.net/6032361/uploads/migrated/R3WHBCJHO5CH/mceclip1.png" alt="mceclip1.png" class="embedImage-img importedEmbed-img"></img></p>
<ul><li>Set the following in <strong>Create a New Application Integration</strong>:
<ul><li>Platform: <strong>Web</strong></li>
<li>Sign on method: 
<strong>SAML 2.0</strong></li>
<li>Click on <strong>Create</strong></li>
</ul></li>
<li>General App Settings
<ul><li>App name: Kaseya BMS</li>
<li>App logo: Provide a logo for the application</li>
<li>App visibility: Keep the defaults, then click <strong>Next</strong></li>
</ul></li>
<li><strong>Configuring SAML</strong>
<ul><li>SSO URL: This is the PSA URL. The format is &lt;server name&gt;/SAML/Connect.aspx</li>
<li>In PSA, navigate to <strong>Admin > My Company > Auth and Provision</strong>.</li>
<li>Under the single sign on URL, copy the URL in the field</li>
<li>Set it in Okta</li>
</ul></li>
<li>Check the checkbox saying: “Use this for Recipient URL and Destination URL”</li>
<li>Audience URI (SP Entity ID): KaseyaBMS</li>
<li>Application username: Email</li>
<li>Select the link “Show Advanced Settings” to expand the advanced settings section.
<h4><img src="https://us.v-cdn.net/6032361/uploads/migrated/BSSSTLIFKVZT/2-new-app.png" alt="2_new_app.png" class="embedImage-img importedEmbed-img"></img></h4>
<h4><img src="https://us.v-cdn.net/6032361/uploads/migrated/XFSBIK4LPQ7E/3-general-settings.png" alt="3_General_settings.png" class="embedImage-img importedEmbed-img"></img></h4>
<h4 id="h_01ECKXFBYJD5FFF3N6FX7WBS0P"><img src="https://us.v-cdn.net/6032361/uploads/migrated/7LTP7POD4UHU/5-configue-saml.png" alt="5_configue_SAML.png" class="embedImage-img importedEmbed-img"></img></h4>
</li>
</ul>
<p>In Advanced Settings, change only the settings listed below and keep the others at their defaults.</p>
<ul><li>Assertion Signature: Unsigned</li>
<li>Authentication context class: Unspecified</li>
</ul>
<h4 data-id="adding-attributes">Adding Attributes</h4>
<ul><li>Attribute 1
<ul><li>Name: email</li>
<li>Format: Basic</li>
<li>Value: user.email</li>
</ul></li>
<li>Attribute 2
<ul><li>Name: CompanyName</li>
<li>Format: Basic</li>
<li>Value: {tenant name}. Add your tenant name here.
<ul><li>Navigate to <em>My Profile</em>: click on your name on the right of the top navigation bar. 
You will see your gateway URL and <strong>Company Name</strong> listed here. This is your tenant name.</li>
</ul></li>
</ul></li>
<li>Attribute 3
<ul><li>Name: firstname</li>
<li>Format: Basic</li>
<li>Value: user.firstname</li>
</ul></li>
<li>Attribute 4
<ul><li>Name: lastname</li>
<li>Format: Basic</li>
<li>Value: user.lastname</li>
</ul></li>
<li>Attribute 5
<ul><li>Name: username</li>
<li>Format: Basic</li>
<li>Value: user.login</li>
</ul></li>
<li>Attribute 6: <strong>Group Attribute</strong>
<ul><li>Name: securitygroup</li>
<li>Format: Basic</li>
<li>Matches regex: .*</li>
</ul></li>
</ul>
<h4><img src="https://us.v-cdn.net/6032361/uploads/migrated/Q9TO6BM4Z4J0/atributes-correct-one.png" alt="atributes_correct_one.png" class="embedImage-img importedEmbed-img"></img></h4>
<h4 data-id="feedback">Feedback</h4>
<p>The final step of the configuration is <strong>Feedback</strong>.</p>
<ul><li>For the customer or partner question, choose <strong>Internal App</strong></li>
<li>Select the check box for <strong>internal app</strong></li>
<li>Click <strong>Finish</strong></li>
</ul>
<h4><img src="https://us.v-cdn.net/6032361/uploads/migrated/92PAYGVJBM8D/7-feedback.png" alt="7_feedback.png" class="embedImage-img importedEmbed-img"></img></h4>
<h4 data-id="download-the-certificate">Download the certificate</h4>
<p>After finishing the setup, you will be shown the Sign on methods screen. <strong>Click on View Setup Instructions</strong>. You will be redirected to the certificate page.</p>
<ul><li>Copy and save the <strong>Identity Provider Single Sign-On URL</strong> from this page</li>
<li>Download Certificate. Ensure the file is saved as <strong>.cer</strong> and not in any other format. 
<img src="https://us.v-cdn.net/6032361/uploads/migrated/1TLDO5FD81CV/10-sing-on-url.png" alt="10_sing_on_url.png" class="embedImage-img importedEmbed-img"></img></li>
</ul>
<h4><img src="https://us.v-cdn.net/6032361/uploads/migrated/21TXSTATM8W1/9-certificate.png" alt="9_certificate.png" class="embedImage-img importedEmbed-img"></img></h4>
<h3 id="h_01EWFS4RS8KNRBVBXNHJRWPSM1" data-id="application-assignment-in-okta">Application Assignment in Okta</h3>
<p>To launch PSA using Okta, you must first assign your users in Okta to the newly created application. On the application settings page, navigate to the Assignments tab, click the Assign button and add Okta users or groups to the application.</p>
<div> <strong>Important</strong>: Each assigned user's email address in Okta must be the same as their username in PSA.</div>
<h4><img src="https://us.v-cdn.net/6032361/uploads/migrated/KHH0L08A8Y29/11-assignment.png" alt="11_assignment.png" class="embedImage-img importedEmbed-img"></img></h4>
<h3 id="h_01EWFS4YPKG2Q4SWD251FTJPTF">Setup SSO in PSA</h3>
<ol><li>In PSA, navigate to <strong>Admin > My Company > Auth and Provision</strong>.</li>
<li>On the Single Sign On tab, click <strong>Upload Certificate</strong>.</li>
<li>Select the Okta certificate you previously downloaded.</li>
<li>Set <strong>Enable Single Sign On via SAML</strong> to Yes.</li>
<li>Paste the Okta login URL you copied above into the SAML Login Endpoint URL field. 
This enables user authentication with Okta from the PSA login page.</li>
<li>Click <strong>Save</strong>.</li>
</ol>
<h4><img src="https://us.v-cdn.net/6032361/uploads/migrated/VMY194H6PM4S/mceclip0.png" alt="mceclip0.png" class="embedImage-img importedEmbed-img"></img></h4>
<h4 data-id="enable-sso-for-employees">Enable SSO for Employees</h4>
<ol><li>Navigate to HR > Employees.</li>
<li>Select an employee.</li>
<li>Under External Authentication Type, select SAML SSO.</li>
</ol>
<p><img src="https://us.v-cdn.net/6032361/uploads/migrated/U5LNBDDCMYM4/mceclip0.png" alt="mceclip0.png" width="344" height="69" class="embedImage-img importedEmbed-img"></img></p>
</article> </main>
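<p>Added example, not part of the original Kaseya guide: a Python check that compares a decoded SAML Response from a test login against the values configured in this guide (Destination and Recipient equal to the SSO URL, Audience KaseyaBMS, the six attribute names). The sample response and the host psa.example.com are constructed placeholders; the signature test assumes Okta's Response signing option is left at its default of Signed, and it checks presence only, not cryptographic validity.</p>

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Attribute names and audience exactly as configured in this guide.
REQUIRED = ["email", "CompanyName", "firstname", "lastname", "username", "securitygroup"]
AUDIENCE = "KaseyaBMS"

def check_response(xml_text, sso_url):
    """Return mismatches between a decoded SAML Response and the guide's settings."""
    # Run on responses from your own test login; prefer defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != sso_url:
        problems.append("Destination != SSO URL")
    # Presence only: verifying the signature needs an XML-DSig library and the .cer file.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sso_url:
        problems.append("Recipient != SSO URL")
    audiences = [e.text for e in assertion.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience != " + AUDIENCE)
    names = {e.get("Name") for e in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    problems += ["missing attribute " + n for n in REQUIRED if n not in names]
    return problems

def sample(url, audience=AUDIENCE, attrs=REQUIRED, signed=True):
    """Constructed sample response (not captured from a real tenant)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    at = "".join('<a:Attribute Name="%s"><a:AttributeValue>x</a:AttributeValue></a:Attribute>' % n for n in attrs)
    return ('<p:Response xmlns:p="%s" xmlns:a="%s" Destination="%s">%s<a:Assertion>'
            '<a:Subject><a:SubjectConfirmation><a:SubjectConfirmationData Recipient="%s"/>'
            '</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>'
            '<a:Audience>%s</a:Audience></a:AudienceRestriction></a:Conditions>'
            '<a:AttributeStatement>%s</a:AttributeStatement></a:Assertion></p:Response>'
            % (NS["p"], NS["a"], url, sig, url, audience, at))

if __name__ == "__main__":
    url = "https://psa.example.com/SAML/Connect.aspx"  # placeholder host (assumption)
    print(check_response(sample(url), url))
    print(check_response(sample(url, audience="kaseyabms", attrs=REQUIRED[:5]), url))
```

<p>An empty list means the response matches the settings above; the Audience comparison is case-sensitive, so a value such as kaseyabms is reported as a mismatch.</p>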