nzta / silverstripe-okta
A module for okta integration
Installs: 685
Dependents: 0
Suggesters: 0
Security: 0
Stars: 1
Watchers: 4
Forks: 5
Type:silverstripe-vendormodule
Requires
- onelogin/php-saml: dev-feature/sign-logout-request
- silverstripe/cms: ^4.0
- silverstripe/framework: ^4.0
- silverstripe/subsites: ^2.6
- symbiote/silverstripe-queuedjobs: ^4.2
Requires (Dev)
- phpunit/phpunit: ^9.5
- squizlabs/php_codesniffer: ^3
README
Okta provides secure identity management and single sign-on to the application, whether in the cloud, on-premises or on a mobile device for every employee.
Requirements
SilverStripe 4.x
Version info
The master branch of this module is currently aiming for SilverStripe 4.x compatibility
Configuration
You will need to setup signing certificates for the SAML assertions for both single login and single logout.
Self signed certificates for development can be generated using this helper tool: https://developers.onelogin.com/saml/online-tools/x509-certs/obtain-self-signed-certs
These certificates can be defined with any name you wish and can be stored anywhere on the server. You will also need to upload the certificates to your Okta application.
You will then need to add the following environment variables in your .env
file:
Variable | Example value | Notes |
---|---|---|
SS_OKTA_SP_ISSUER | https://yourdomain.co.nz | Your application domain name |
SS_OKTA_SP_LOGOUT_URL | https://yourdomain.co.nz/okta/slo | - |
SS_OKTA_SP_X509 | '/var/www/certs/org-sp.crt' | Example path to generated cert for SLO |
SS_OKTA_SP_PEM | '/var/www/certs/org-sp.pem' | Example path to generated private key for cert above for SLO |
SS_OKTA_IDP_X509CERT | '/var/www/certs/org-idp.crt' | Download this certificate from Okta |
SS_OKTA_IDP_ISSUER | http://okta.com/XYZ123 | - |
SS_OKTA_IDP_LOGIN_URL | https://org.okta.com/app/appname/XYZ123/sso/saml | - |
SS_OKTA_IDP_LOGOUT_URL | https://org.okta.com/app/appname/XYZ123/slo/saml | - |
SS_OKTA_IP_WHITELIST | 127.0.0.1,192.168.0.10 | You bypass login through Okta for development by adding your IP address |
You can obtain the SS_OKTA_IDP_X509CERT, SS_OKTA_IDP_ISSUER, SS_OKTA_IDP_LOGIN_URL and SS_OKTA_IDP_LOGOUT_URL information from Okta, e.g. https://{org}.okta.com/app/{appname}/{XYZ123}/setup/help/SAML_2_0/instructions
Where:
org: organization name appname: application name which is defined by Okta XYZ123: random app id which is defined by Okta
Alternatively:
- Login to your okta account
- Click the admin button
- Click applications in applications menu
- Click your application from list of applications
- Click on the 'Sign On' tab
- Click on the 'view setup introduction' button
You will see the details and the download option for the certificate.
Setup SAML settings in Okta
- Login to your Okta account and follow the last steps to go to your application
- Click 'General' tab
- Click 'Edit' button in SAML settings
- Click 'Next'
- Click 'Show Advanced Settings'
Update the following settings
Field | Value |
---|---|
Single sign on URL | https://yourdomian.co.nz/okta/sso |
Audience URI (SP Entity ID) | https://yourdomain.co.nz |
Name ID format | Unspecified |
Application username | |
Response | Signed |
Assertion Signature | Signed |
Signature Algorithm | RSA-SHA256 |
Digest Algorithm | SHA256 |
Assertion Encryption | Unencrypted |
Key Transport Algorithm | RSA-OAEP |
Setup Attribute statements
Name | Value |
---|---|
FirstName | user.firstName |
Surname | user.lastname |
user.email | |
Login | user.login |
SID | user.uniqueID |
Assign people/accounts in okta
login to your okta account and follow the last steps to go to your application, then add people/accounts from the people section to give access to the application.
Installation
In order for this module to work you will need to import the onelogin/php-saml
module to your current project. You
can do this by adding the following to your composer.json
file:
"require": { "onelogin/php-saml": "dev-sign-logout-request" }, "repositories": [ { "type": "vcs", "url": "git@github.com:micmania1/php-saml.git" } ]
The original onelogin/php-saml
module initially brought on issues upon signing out. Therefore, the purpose behind
this fork is to resolve any issues that the original module brought on and ensure that no further issues arise.
Lastly, run composer install