Configuring Okta SSO (Direct Tenant Auth Only)

If your organization uses Okta, you can enable Okta SSO in ControlMap. You can also set Okta SSO as the default login for any or all users in your instance, which requires them to log in via Okta any time they access ControlMap.

Creating the Integration in Okta

Navigate to Applications in Okta and select Create App Integration.  Then select SAML 2.0 as the sign-in preference.  

On Step 2 (Configure SAML), fill in the Single sign on URL, Audience URI (SP Entity ID) and Default RelayState.  These are required for the integration to function as intended.

 

This information can be found in ControlMap's metadata .xml file, which is available for download in the Sign in settings section of the Settings > Users page. Your Default RelayState is the name of your instance; you can see it in the URL of the login screen or after logging in to your instance (******.app.ctrlmap.com).
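The following added example (not ControlMap's or Okta's own code) reads a service provider metadata file and returns the three values Okta asks for on Step 2, so they can be copied without hand-editing the XML. It assumes the downloaded file follows the standard SAML 2.0 SP metadata layout; the sample metadata, the instance name and the function name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; these are placeholder values, not ControlMap's real endpoints.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sp:placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.invalid/saml/redirect"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def okta_fields_from_sp_metadata(xml_text, instance_name):
    """Map SP metadata to the Okta 'Configure SAML' fields (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if not entity_id or sp is None:
        raise ValueError("metadata lacks entityID or SPSSODescriptor")
    # Okta's 'Single sign on URL' is where the assertion is POSTed (the ACS URL).
    acs = [e for e in sp.findall("md:AssertionConsumerService", MD_NS)
           if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    # Prefer the endpoint marked isDefault, otherwise the lowest index.
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    location = acs[0].get("Location", "")
    if not location.startswith("https://"):
        raise ValueError("ACS URL is not HTTPS: %r" % location)
    return {
        "Single sign on URL": location,
        "Audience URI (SP Entity ID)": entity_id,
        "Default RelayState": instance_name,
    }


if __name__ == "__main__":
    for field, value in okta_fields_from_sp_metadata(SAMPLE_METADATA, "myinstance").items():
        print(f"{field}: {value}")
```

To use it with the real file, pass the contents of the downloaded metadata .xml and your own instance name instead of the sample values.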

Scroll down to set SSO option:


Once your ControlMap integration has been created in Okta, go back to Okta's Applications section and select the ControlMap integration. Navigate to the Assignments tab to assign users to ControlMap.

Setting Up in ControlMap

 

Navigate to Settings > Users to modify your sign in settings.  Within the Sign in settings section, select Enable SAML 2.0 SSO to expand the menu and access the additional settings required for enabling Okta SSO.  Select Okta from the identity provider dropdown menu.  You can find the required information for the subsequent fields in Okta via the Sign On tab in the integration details page.  There should be a link on the right side of the page on this tab (View SAML setup instructions).

 

The Entity Id / Issuer URL field in ControlMap is the Identity Provider Issuer in Okta. The SAML 2.0 Endpoint (POST) / Sign In URL and SLO Endpoint / Logout URL fields both take the Identity Provider Single Sign-On URL from Okta (copy and paste this link into both fields in ControlMap). The X.509 Certificate (with SHA-512 signature algorithm) is the X.509 Certificate in Okta; include the BEGIN CERTIFICATE and END CERTIFICATE lines, so there's no need to edit the selection.

Once you've filled out the required fields, select Update settings to save and register this information with our system. Once you've updated, you can select individual users and update their sign-in settings by selecting Update sign in preference.

 

 

If you'd like to update these settings for all users, select Set as default next to the Enable SAML 2.0 SSO section within Sign in settings.

 

Any questions? Reach out to our friendly, neighborhood support team by submitting a support ticket.