There are two sets of configuration to complete:
1. Configure the IIQ application in Okta, including its SAML assertion settings
2. Configure SAML-based SSO authentication in IIQ
Complete the steps below in Okta.
This document does not cover the step-by-step navigation for adding a new application in Okta; it covers only the configuration settings for the IIQ application.
Attribute Statements define the attributes Okta includes in the assertion, and IIQ exposes them to the correlation rule as assertion attributes. In this case, the User Name attribute is the assertion attribute the IIQ rule reads, so its name in Okta must match the name used in the rule exactly (including the space).
Complete the steps below in IIQ.
1. Log in to IIQ and go to System Setup -> Login Configuration -> SSO Configuration
2. Check Enable SAML Based Single Sign-On (SSO)
3. Complete the details as shown. The information below can be filled in easily from the IdP metadata / configuration XML obtained from Okta.
The SAML URL (Assertion Consumer Service) is the IIQ dashboard URL.
4. The SAML correlation rule must return either a Link or an Identity object. This rule resolves the User Name assertion attribute to an Identity:
import sailpoint.object.Identity;

// Look up the value Okta sent under the Attribute Statement named "User Name".
// The key must match the Okta attribute name exactly; a missing key yields null.
String userName = (String) assertionAttributes.get("User Name");
if (userName == null) {
    return null; // IIQ then logs "Unable to correlate SAML Assertion to Identity"
}
// Resolve the value to an existing Identity by name (null if no such Identity exists).
Identity ident = context.getObjectByName(Identity.class, userName);
return ident;
5. Save the configuration.
6. The SAML settings are stored in IIQ as a Configuration object.
7. This completes the configuration in IIQ.
Note: Once SAML is enabled, logout in the UI (Web UI or Mobile UI) is disabled. If you need an application-specific logout for IIQ, you need to customize extApppage.xhtml, appPage.xhtml and uiPage.xhtml and add a bean class to support the logout function.
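As an added example (not code from the original post, SailPoint or Okta), the following Python mirrors the two things the steps above depend on: pulling the IdP values for the IIQ SSO Configuration form out of the Okta IdP metadata XML, and what the Beanshell correlation rule does with assertionAttributes, namely looking up one attribute by its exact Attribute Statement name and resolving it to an identity, with a None result when the name does not match. The metadata, assertion, URLs, certificate, identity store and function names are constructed placeholders; in IIQ the identity lookup is done by the context, not by a dictionary.

```python
# Added example: offline model of the Okta metadata -> IIQ form values step and of
# the correlation rule's assertionAttributes lookup. All XML, URLs, the certificate
# and the identity store below are constructed placeholders, not real Okta/IIQ data.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP metadata in the shape Okta exports (placeholder values).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk0EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER
        -CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exk0EXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exk0EXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion carrying the Attribute Statements configured in Okta.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User Name"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>IIQ-Users</saml:AttributeValue>
      <saml:AttributeValue>IIQ-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the IIQ identity store (identity name -> display name).
IDENTITIES = {"jdoe": "John Doe", "asmith": "Alice Smith"}


def idp_settings(metadata_xml: str) -> Dict[str, Optional[str]]:
    """Pull the values the IIQ SSO Configuration form asks for out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    # The Binding URN ends in HTTP-POST / HTTP-Redirect; key the locations by that suffix.
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "idp_entity_id": root.get("entityID"),
        "sso_post_url": sso.get("HTTP-POST"),
        "sso_redirect_url": sso.get("HTTP-Redirect"),
        # metadata wraps the base64 certificate across lines; collapse the whitespace
        "signing_cert": "".join(cert.text.split()) if cert is not None else None,
    }


def assertion_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Build the name -> values map that the rule sees as assertionAttributes."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def correlate(attrs: Dict[str, List[str]], attribute_name: str,
              identities: Dict[str, str]) -> Optional[str]:
    """Mirror of the correlation rule: exact attribute-name lookup, then identity lookup.

    Returns the identity name, or None when the attribute is absent or no identity
    has that name; None is what IIQ logs as "SAML Correlation result: null".
    """
    values = attrs.get(attribute_name)
    if not values:
        return None
    user_name = values[0]  # User Name is single-valued; take the first value if not
    return user_name if user_name in identities else None


if __name__ == "__main__":
    print(idp_settings(IDP_METADATA))
    found = assertion_attributes(ASSERTION)
    print("User Name ->", correlate(found, "User Name", IDENTITIES))
    print("UserName  ->", correlate(found, "UserName", IDENTITIES))  # name mismatch
```

Running the block with the `UserName` lookup shows the failure mode to check first when correlation returns null: the rule only ever sees the attribute names exactly as they appear in the Okta Attribute Statements, so a renamed or re-cased attribute on the Okta side silently stops matching.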
Does anyone have an updated correlation rule for an 8.x environment?
I am getting this error when trying it in the 8.x version:
2021-04-21T15:47:29,722 DEBUG tomcat-http--48 sailpoint.web.sso.SAMLSSOAuthenticator:585 - SAML Correlation result: null
2021-04-21T15:47:29,722 WARN tomcat-http--48 sailpoint.web.sso.SAMLSSOAuthenticator:280 - Unable to correlate SAML Assertion to Identity via SAMLCorrelationRule
The SAML Consumer Service URL will be different between IIQ versions.
SAML URL (Assertion Consumer Service): the URL of the SSO service on the SP (IIQ).
I. In versions prior to IIQ 7.0, the path is:
II. In IIQ 7.0 and later, the path is:
Is a server restart required after entering the Okta SSO details in the IIQ login configuration page?