We have two set of configuration to be done,
1. Configure application on Okta with SAML assertion
2. Configure SAML based SSO authentication in IIQ
Complete the below steps in Okta.
This document will not cover step by step navigation to add new application within Okta, but with configuration setting for IIQ application.
Attribute Statements will list the assertion attributes within IIQ. In this case, User Name attribute will be the assertion attribute within IdentityIQ.
Complete the below steps in IIQ
1. Login to IIQ -> System Setup -> Login Configuration -> SSO Configuration
2. Check Enable SAML Based Single Sign-On (SSO)
3. Complete the details as shown, below information can be filled with ease using metadata/ config xml obtained from Okta.
SAML URL (Assertion Consumer Service) will be IIQ dashboard url
4. SAML correlation rule should return either link or identity object information
import sailpoint.object.Identity;
Identity ident;
String UserName = (String)assertionAttributes.get("User Name");
ident = context.getObjectByName(Identity.class, UserName);
return ident;
5. Save the configuration.
6. The SAML settings are stored within IIQ as Configuration object.
7. This completes configuration at IIQ.
Note: Once SAML is enabled, logout on UI (Web UI or Mobile UI) will be disabled. If you need application specific logout for IIQ, you need to have customization on extApppage.xhtml, appPage.xhtml and uiPage.xhtml and have bean class to support logout function.
