How to Configure IDP Initiated SAML (SSO) Authentication from Okta Application Dashboard
If Caddy, or any other reverse proxy or load balancer, sits in front of Keycloak, make sure that <manta_dir>/keycloak/conf/manta.conf contains proxy=edge. This tells Keycloak that TLS is terminated at the proxy and that it should trust the forwarded host and protocol headers; without it, the redirect URLs used in this guide may be built from Keycloak's internal address instead of the public one. If the setting is already present, proceed.
Once this guide is followed, a SAML login started from any other Automatic Data Lineage page will also land the user on the client chosen here, because the identity provider's relay state always points at it. If that is not wanted, configure a second identity provider integration that does not use this relay and use that one for the other pages.
What we will achieve:
- User logs into Okta.
- User goes to the Okta application dashboard.
- User clicks the Automatic Data Lineage application link.
- The app redirects to Keycloak for authentication.
- Keycloak redirects automatically to Okta.
- Okta sees the user is already logged in.
- Okta creates a SAML assertion and redirects back to Keycloak.
- Keycloak validates it and issues its own assertion for the application client.
- Keycloak redirects back to the app.
Overview of steps to be taken:
- Create an application in Okta.
- Export the Okta metadata.
- Create a new Keycloak Identity Provider using the Okta metadata (import a file).
- Export the Keycloak metadata for the Identity Provider we just created.
- Create a new Keycloak client using the Identity Provider metadata (import a file).
- Change the Assertion Consumer Service POST Binding URL to your application URL.
- Change the IDP Initiated SSO Relay State to your application URL (Flow Viewer or Admin UI).
- Set the IDP Initiated SSO URL Name to “manta-saml” (arbitrary, can be set to whatever).
Application Details
<hostname||FQDN||IP> is the host part of the Manta services' URLs, defined by the customer during the Manta installation when they were asked for the hostname of their Manta server. The port numbers were also defined by the customer during the installation of Manta; their default values are 8080 for <manta-dataflow-server_port_number>, 9090 for <keycloak_port number> and 8181 for <manta-admin-gui_port_number>.
For the sake of simplicity, I’m going to use the following URLs in this article:
- Application URL (where you want the Okta tile to take you): http://<hostname||FQDN||IP>:<manta-dataflow-server_port_number>/manta-dataflow-server
- Keycloak URL (base URL for your Keycloak instance): http://<hostname||FQDN||IP>:<keycloak_port number>/auth
- Keycloak realm: manta
- Keycloak Identity Provider alias (arbitrary, can be set to whatever): saml
- IDP Initiated SSO URL Name (arbitrary, can be set to whatever): manta-saml
1. Configure Okta App
Create a SAML 2.0 app in Okta and use details similar to the following:
Single Sign On URL (the Keycloak broker endpoint for IdP-initiated login; note that the realm is part of the path):
http://<hostname||FQDN||IP>:<keycloak_port number>/auth/realms/{keycloak realm}/broker/{keycloak identity provider alias from above}/endpoint/clients/{IDP initiated SSO URL name from above}
With the values chosen above the URL looks like this:
Single Sign On URL: http://<hostname||FQDN||IP>:<keycloak_port number>/auth/realms/manta/broker/saml/endpoint/clients/manta-saml
Also set the following:
Audience Restriction (the realm URL; this is the value Okta puts into the assertion's Audience and Keycloak expects to find there):
http://<hostname||FQDN||IP>:<keycloak_port number>/auth/realms/manta
At this stage the Single Sign On URL is not going to work because we have not configured Keycloak yet. But we already know what the URL will look like.
Download your Okta metadata and save it as okta-metadata.xml. Note the Identity Provider SSO URL; it will look something like this:
https://dev-xxx.okta.com/app/dev-xxx_xxx_x/xxxxxxx7/sso/saml
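The URL pattern above is easy to get wrong (the realm segment is the usual casualty), and the Okta metadata is worth inspecting before it is imported. The following is an added example, not code from the MANTA guide or from Okta or Keycloak: it builds the URLs this guide asks for from the placeholders, then parses an IdP metadata document for the SSO URL and signing certificate and reports what a practitioner should fix before importing. The host name, ports and the metadata document are constructed for illustration; the SSO URL reuses the guide's dev-xxx placeholder.

```python
# Added example (not part of the MANTA guide): derive the URLs the guide asks
# for from its placeholders, and sanity-check an Okta IdP metadata file before
# importing it into Keycloak. Host names, ports and the metadata document are
# constructed for illustration.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def keycloak_urls(host, kc_port, app_port, realm="manta", idp_alias="saml",
                  sso_name="manta-saml", scheme="http"):
    """Build the URLs pasted into Okta and Keycloak, following the guide's pattern."""
    realm_url = f"{scheme}://{host}:{kc_port}/auth/realms/{realm}"
    return {
        # Okta "Single Sign On URL": Keycloak's broker endpoint for IdP-initiated login
        "okta_sso_url": f"{realm_url}/broker/{idp_alias}/endpoint/clients/{sso_name}",
        # Okta "Audience Restriction", which is also the Keycloak client ID
        "audience": realm_url,
        # Keycloak client URL used to verify the setup
        "client_url": f"{realm_url}/protocol/saml/clients/{sso_name}",
        # IDP Initiated SSO Relay State and ACS POST binding URL
        "relay_state": f"{scheme}://{host}:{app_port}/manta-dataflow-server",
    }


# Constructed Okta IdP metadata; the SSO URL reuses the guide's dev-xxx placeholder.
SAMPLE_OKTA_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIICexampleCertificateBody</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-xxx.okta.com/app/dev-xxx_xxx_x/xxxxxxx7/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-xxx.okta.com/app/dev-xxx_xxx_x/xxxxxxx7/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_okta_metadata(xml_text):
    """Pull entityID, the HTTP-POST SSO URL and the signing cert out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == POST_BINDING]
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": post_urls[0] if post_urls else None,
        "signing_cert": cert.text.strip() if cert is not None else None,
    }


def check_metadata(meta):
    """Problems to fix before importing; an empty list means the file looks usable."""
    problems = []
    if meta["sso_url"] is None:
        problems.append("no HTTP-POST SingleSignOnService: Keycloak cannot redirect to Okta")
    elif urlparse(meta["sso_url"]).scheme != "https":
        problems.append("SSO URL is not https")
    if meta["signing_cert"] is None:
        problems.append("no signing certificate: Keycloak could not validate assertion signatures")
    return problems


def plaintext_endpoints(urls):
    """Names of derived URLs that are not https (all of them with the guide's http defaults)."""
    return [name for name, url in urls.items() if urlparse(url).scheme != "https"]


if __name__ == "__main__":
    urls = keycloak_urls("lineage.example.internal", 9090, 8080)
    for name, url in urls.items():
        print(f"{name}: {url}")
    meta = parse_okta_metadata(SAMPLE_OKTA_METADATA)
    print("Okta SSO URL:", meta["sso_url"], "problems:", check_metadata(meta))
    print("plaintext endpoints:", plaintext_endpoints(urls))
```

Run it against your real okta-metadata.xml by replacing SAMPLE_OKTA_METADATA with the file contents; the signing certificate it finds is the one Keycloak imports as the validating X509 certificate, so if it is absent, Keycloak has nothing to verify assertions against.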
2. Configure Keycloak Identity Provider
2.1 Authentication Flow
Create a new authentication flow for SAML, or use Keycloak's built-in “first broker login” flow. Log into Keycloak and navigate to Authentication > New.
Set Alias to SAML_First_Broker. Leave Top level flow type as generic.
Add executions to the SAML_First_Broker flow:
- Add execution Create User if Unique.
- Add execution Automatically Set Existing User.
Set the requirement of both executions to ALTERNATIVE.
Note that Automatically Set Existing User links the incoming SAML identity to an existing Keycloak user purely by matching username or email, with no confirmation step. Use it only when Okta is the sole trusted source of those identities; otherwise keep the built-in first broker login flow, which requires the user to confirm and verify the link.

2.2 Identity Provider
Navigate to Identity Providers and add a new user-defined SAML v2.0 provider.
- Set the alias to saml.
- Turn Use entity descriptor OFF.
- Import metadata from file okta-metadata.xml and verify the Single Sign-On Service URL; it will look something like this: https://dev-xxx.okta.com/app/dev-xxx_xxx_x/xxxxxxx7/sso/saml
- Set First Login Flow to SAML_First_Broker, or first broker login (whichever you chose in the previous step).
- Set NameID Policy Format to Unspecified.
- Check that Validate Signature is ON and that the validating X509 certificate was filled in from the metadata, so that Keycloak rejects assertions not signed by Okta.
- Save changes.
- Click the Endpoints “SAML 2.0 Service Provider Metadata” hyperlink, download the metadata and save it as kc-idp-metadata.xml:

3. Configure Keycloak Client
Create a new Keycloak client from Keycloak's own Identity Provider metadata file kc-idp-metadata.xml.
- Navigate to Clients > Import and select kc-idp-metadata.xml. This populates the client config.
Configure the following, changing values if they are already set:
- Client ID: http://<hostname||FQDN||IP>:<keycloak_port number>/auth/realms/manta (this should be filled in automatically)
- IDP Initiated SSO URL Name: manta-saml
- IDP Initiated SSO Relay State: http://<hostname||FQDN||IP>:<manta-dataflow-server_port_number>/manta-dataflow-server (if you would like the Okta tile to open the Admin UI instead, change this to http://<hostname||FQDN||IP>:<manta-admin-gui_port_number>/manta-admin-gui/app/#/platform/connections)
- Assertion Consumer Service POST Binding URL: http://<hostname||FQDN||IP>:<manta-dataflow-server_port_number>/manta-dataflow-server (the same value as the IDP Initiated SSO Relay State). This field is located under the Advanced tab:
All example URLs here use http, as in the rest of this guide. In production both Keycloak and the application should be reached over https (with TLS terminated at the proxy, see proxy=edge at the top of this page); otherwise the SAML assertions are posted over plaintext HTTP.

Save changes. After this you can reference your client at the following URL:
http://<hostname||FQDN||IP>:<keycloak_port number>/auth/realms/manta/protocol/saml/clients/manta-saml
Verify that the application is available at this URL: opening it should take you through Keycloak and Okta and end on the app login screen. If it does not, debug the configuration before going further. If it works, try logging in from the Okta tile (IdP-initiated SSO).
Note that the Relay State is the URL users are directed to after a successful SAML authentication.
Configuring Mappers for New User Registration
This auto-populates the profile of users who sign into Automatic Data Lineage for the first time: their first name, last name, email and username are taken from the SAML assertion, so they are not prompted for these details.
Okta Configuration:

Keycloak Configuration:
- Go to your Identity Provider settings.
- Go to Mappers.
- Create a new mapper of type Attribute Importer: set Attribute Name to the attribute name used on the Okta side and User Attribute Name to the Keycloak user property it fills (firstName, lastName or email):

- Repeat for each attribute name you created on the Okta side.
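When the tile login fails or a new user arrives with an empty profile, the quickest diagnosis is to capture the SAMLResponse form field the browser posts to the Keycloak broker endpoint and look at it. The following is an added example, not code from the MANTA guide, Okta or Keycloak: it decodes such a response, checks the Destination, Audience, status and NameID that the broker endpoint (step 3) validates, and then extracts the AttributeStatement the way the mappers above import it. The response, host name and ports are constructed; the attribute names firstName, lastName and email are an assumption, since the Okta-side configuration screenshot is not on this page. The response is unsigned and no signature is checked here, so this is a debugging aid only and never a substitute for Keycloak's own validation.

```python
# Added example (not part of the MANTA guide): decode a SAMLResponse the way
# Keycloak's broker endpoint receives it, check the fields that most often
# explain a failed IdP-initiated login, and extract the attributes the mappers
# import. The response is constructed and unsigned; the attribute names
# firstName/lastName/email are an assumption. Signature validation is
# Keycloak's job and is deliberately not done here.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumed Okta attribute names -> Keycloak user property each Attribute Importer targets
ATTRIBUTE_MAP = {"firstName": "firstName", "lastName": "lastName", "email": "email"}

# Constructed values following the guide's URL pattern with an example host and port
BROKER_ENDPOINT = "http://lineage.example.internal:9090/auth/realms/manta/broker/saml/endpoint/clients/manta-saml"
REALM_AUDIENCE = "http://lineage.example.internal:9090/auth/realms/manta"

SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{BROKER_ENDPOINT}">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{REALM_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# What the browser POSTs to Keycloak as the SAMLResponse form field
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(b64):
    """Decode the SAMLResponse form field into an XML tree."""
    return ET.fromstring(base64.b64decode(b64))


def check_response(root, broker_endpoint, audience):
    """Return the mismatches that make Keycloak's broker reject the response."""
    problems = []
    if root.get("Destination") != broker_endpoint:
        problems.append(f"Destination {root.get('Destination')!r} is not the broker endpoint")
    if root.get("InResponseTo"):
        problems.append("InResponseTo is set: this is an SP-initiated response, not IdP-initiated")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (missing or encrypted)")
        return problems
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not contain the realm URL")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        problems.append("missing NameID")
    return problems


def extract_attributes(root):
    """AttributeStatement as {Name: value} (a list when an attribute is multi-valued)."""
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return attrs


def map_to_keycloak_user(attrs, name_id):
    """Apply ATTRIBUTE_MAP the way the mappers do; report attributes Okta did not send."""
    user = {"username": name_id}
    missing = []
    for okta_name, kc_property in ATTRIBUTE_MAP.items():
        if okta_name in attrs:
            user[kc_property] = attrs[okta_name]
        else:
            missing.append(okta_name)
    return user, missing


if __name__ == "__main__":
    root = decode_saml_response(SAMPLE_RESPONSE_B64)
    print("problems:", check_response(root, BROKER_ENDPOINT, REALM_AUDIENCE))
    attrs = extract_attributes(root)
    user, missing = map_to_keycloak_user(attrs, root.find(".//saml:NameID", NS).text)
    print("user:", user, "missing attributes:", missing)
```

The names reported as missing are exactly the Okta attribute statements that still need to be added (or whose names differ from what the Keycloak mapper expects); a Destination or Audience mismatch points back at the Single Sign On URL and Audience Restriction set in the Okta app in step 1.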