Integration with Okta SSO

If you are implementing Okta, or are already an Okta user, the following article describes how to integrate the PAM login with Okta SSO.

This SAML integration currently supports the following features:

  • SP-initiated SSO
  • IdP-initiated SSO

Before you begin, be sure you have met the following prerequisites.

Prerequisites

  • A working PAM deployment with the Federated Sign-In experience.
  • Access to the PAM host server to make application changes.
  • An Okta Administrator account that can add Applications and basic Okta Administrative knowledge.
  • PAM does not support the use of native Okta accounts for login. Accounts have to originate in Active Directory and be synced to Okta in order to be used for PAM authentication.

Add to Okta Application

This section will describe how to add the PAM Application in your company’s Okta tenant.

  1. Log in to Okta with an Administrator account.
  2. Navigate to the Applications section and click Browse App Catalog.
  3. In the Search for an application box, enter Imprivata Privileged Access Management. Click the Add button next to the application name.

     [Screenshot: PAM-Okta-Application1]

  4. In "General Settings" click Done.

Configuring PAM for your Okta SSO

This section will describe how to configure PAM to support your Okta SSO login.

We will be taking information from your PAM Okta Application and using it in the PAM configuration, so be sure you have access to both.

  1. On the "Assignments" tab, assign rights to users: click Assign and choose the people or groups.

     [Screenshot: PAM-Okta-Application2]

  2. On the "Sign On" tab, click "Edit" and, in the "Advanced Sign-on Settings" section, enter your ACS URL and Audience URI values into the corresponding fields.

     a. ACS URL - <URL to your host>/cas/login?client_name=<SSO provider>, for example https://pam.company.com:6443/cas/login?client_name=Okta
     b. Audience URI - a unique identifier, for example urn:mace:saml:pac4j.org

     [Screenshot: PAM-Okta-Application3]

  3. Click Save.

  4. In the SAML Signing Certificates section, click Actions, choose View IdP metadata and copy the URL that opens.

     [Screenshot: PAM-Okta-Application4]

  5. On the PAM host computer, open the file $PAM_HOME/web/conf/catalina.properties in a text editor, locate the section labeled # CAS and add the following lines:

     cas.authn.pac4j.saml[0].clientName=Okta
     cas.authn.pac4j.saml[0].keystorePassword={password}
     cas.authn.pac4j.saml[0].privateKeyPassword={password}
     cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org
     cas.authn.pac4j.saml[0].serviceProviderMetadataPath={okta.xml}
     cas.authn.pac4j.saml[0].keystorePath={samlKeystore.jks}
     cas.authn.pac4j.saml[0].identityProviderMetadataPath={path}

     In the lines above, the {placeholders} need to be replaced with your own values, explained here:

     a. cas.authn.pac4j.saml[0].clientName={Okta} - the name of the SSO provider; it must match the <SSO provider> value in the ACS URL (item 2a).
     b. cas.authn.pac4j.saml[0].keystorePassword={testPassword} - Create an alphanumeric password. Any value you want to enter.
     c. cas.authn.pac4j.saml[0].privateKeyPassword={privatePassword} - Create an alphanumeric password. Any value you want to enter.
     d. cas.authn.pac4j.saml[0].serviceProviderEntityId={urn:mace:saml:pac4j.org} - the Audience URI; it must match item 2b.
     e. cas.authn.pac4j.saml[0].serviceProviderMetadataPath={okta.xml} - The full path and file name of the okta.xml file. For example, C:/pam/content/keys/okta.xml (use forward slashes, not backslashes).
     f. cas.authn.pac4j.saml[0].keystorePath={samlKeystore.jks} - Define a path and name for the PAM auto-generated key. For example, C:/pam/content/keys/samlKeystore.jks (use forward slashes, not backslashes).
     g. cas.authn.pac4j.saml[0].identityProviderMetadataPath={path} - Copy and paste the full Identity Provider Metadata URL obtained in step 4. For example, https://subDomain.okta.com/app/[externalKey]/sso/saml/metadata.

  6. When finished, save and close this file.

  7. Restart the PamManagement (Windows) or the pammanager (Linux) service.

  8. When the service has fully restarted, open your browser and navigate to the PAM login page. Use the new option Login using Okta located on the bottom right side of the page.

     [Screenshot: PAM-Okta-Application5]
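The values entered in Okta and the values written to catalina.properties have to agree with each other, and a mismatch between them (client_name in the ACS URL versus clientName, Audience URI versus serviceProviderEntityId) is the usual reason the "Login using Okta" option fails. The script below is an added example, not part of the PAM product or of this article: it parses the cas.authn.pac4j.saml[0].* lines, compares them with the ACS URL and Audience URI, and checks that the IdP metadata actually carries a signing certificate and a SingleSignOnService endpoint. The properties text, the metadata document, the hostnames and the EXAMPLE_KEY value are constructed sample input; in practice you would read $PAM_HOME/web/conf/catalina.properties and the metadata downloaded from the URL obtained in step 4.

```python
"""Consistency check between the CAS pac4j SAML client block and the Okta
application settings.  Added example; all sample data below is constructed."""
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET

# Constructed sample of the lines added under "# CAS" in catalina.properties.
SAMPLE_PROPERTIES = """
# CAS
cas.authn.pac4j.saml[0].clientName=Okta
cas.authn.pac4j.saml[0].keystorePassword=sample-keystore-pw
cas.authn.pac4j.saml[0].privateKeyPassword=sample-key-pw
cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=C:/pam/content/keys/okta.xml
cas.authn.pac4j.saml[0].keystorePath=C:/pam/content/keys/samlKeystore.jks
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://example.okta.com/app/EXAMPLE_KEY/sso/saml/metadata
"""

# Constructed, minimal IdP metadata of the shape an IdP publishes (placeholder values).
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLE_KEY">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/EXAMPLE_KEY/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/EXAMPLE_KEY/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PREFIX = "cas.authn.pac4j.saml[0]."


def parse_saml_client(properties_text: str) -> dict:
    """Return the cas.authn.pac4j.saml[0].* keys (suffix only) as a dict."""
    client = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.startswith(PREFIX):
            client[key[len(PREFIX):]] = value.strip()
    return client


def check_config(client: dict, acs_url: str, audience_uri: str, idp_metadata_xml: str) -> list:
    """Compare the properties with what was entered in Okta; return a list of problems (empty = OK)."""
    problems = []
    # Item 2a: client_name in the ACS URL must equal clientName, and the path must be /cas/login.
    acs = urlparse(acs_url)
    acs_client = parse_qs(acs.query).get("client_name", [None])[0]
    if acs.scheme != "https":
        problems.append("ACS URL is not https")
    if acs.path != "/cas/login" or acs_client != client.get("clientName"):
        problems.append(f"ACS URL client_name {acs_client!r} does not match clientName {client.get('clientName')!r}")
    # Item 2b: Audience URI must equal serviceProviderEntityId.
    if audience_uri != client.get("serviceProviderEntityId"):
        problems.append("Audience URI does not match serviceProviderEntityId")
    # Both passwords must be set and must not still be the {placeholder} text.
    for key in ("keystorePassword", "privateKeyPassword"):
        value = client.get(key, "")
        if not value or value.startswith("{"):
            problems.append(f"{key} is empty or still a placeholder")
    # The article requires forward slashes in both file paths.
    for key in ("serviceProviderMetadataPath", "keystorePath"):
        if "\\" in client.get(key, ""):
            problems.append(f"{key} uses backslashes")
    # Step 4: the IdP metadata must describe an IdP with a signing certificate and an SSO endpoint.
    idp = ET.fromstring(idp_metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("IdP metadata has no IDPSSODescriptor")
    else:
        certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if not any((c.text or "").strip() for c in certs):
            problems.append("IdP metadata has no signing certificate")
        if not idp.findall("md:SingleSignOnService", NS):
            problems.append("IdP metadata has no SingleSignOnService endpoint")
    return problems


if __name__ == "__main__":
    cfg = parse_saml_client(SAMPLE_PROPERTIES)
    issues = check_config(cfg, "https://pam.company.com:6443/cas/login?client_name=Okta",
                          "urn:mace:saml:pac4j.org", SAMPLE_IDP_METADATA)
    print("OK" if not issues else "\n".join(issues))
```

Run it before restarting the PamManagement/pammanager service: an empty list means the two sides agree. Note that catalina.properties holds the keystore and private-key passwords in clear text, so the file should be readable only by the account the PAM service runs as.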