Okta

How to Configure SAML 2.0 for Xton Access Manager


Supported Features

The Okta/Xton Access Manager SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Pre-requisites

Xton Access Manager (XTAM) is already installed, secured with a trusted SSL certificate, and using the federated sign-in module.


Configuration Steps

  1. Save the following Okta metadata file as okta.xml:

  2. Save the following Metadata URL:

    Sign into the Okta Admin dashboard to generate this value.

  3. Open the file: {XTAM_HOME}/web/conf/catalina.properties in a text editor.

  4. Add the following lines to the existing #CAS section:

    1. cas.server.name={managed_path}

      Note: Defines the URL of the application and will be unique for each customer.

      Example: cas.server.name=https://host.com.


    2. cas.server.prefix={managed_path}/cas

      Note: Defines the URL of the federated sign-in module.

      Example: cas.server.prefix=https://host.com/cas.


    3. cas.authn.pac4j.saml[0].clientName=Okta

      Note: Defines the IDP client name. The required value is Okta.


    4. cas.authn.pac4j.saml[0].keystorePassword={password}

      Note: Password for the keystore that will be generated server side. You must choose one.


    5. cas.authn.pac4j.saml[0].privateKeyPassword={password}

      Note: Password for the private key that will be generated server side. You must choose one.


    6. cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org

      Note: Defines the XTAM entity ID. The required value is urn:mace:saml:pac4j.org.


    7. cas.authn.pac4j.saml[0].serviceProviderMetadataPath={okta.xml}

      Note: Path of the XML file holding the Identity Provider metadata from Okta. Set this to the path of the okta.xml file saved in step 1.

      Example: cas.authn.pac4j.saml[0].serviceProviderMetadataPath=C:/xtam/content/keys/okta.xml.


    8. cas.authn.pac4j.saml[0].keystorePath={samlKeystore.jks}

      Note: Path and file name of the keystore file that will be generated server side. The key will be stored at this location.

      Example: cas.authn.pac4j.saml[0].keystorePath=C:/xtam/content/keys/samlKeystore.jks.


    9. cas.authn.pac4j.saml[0].identityProviderMetadataPath={metadataUrl}

      Note: The metadata URL from step 2.

      Example: cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://subDomain.okta.com/app/[externalKey]/sso/saml/metadata.

  5. Save, and close the file.

  6. Restart the PamManagement (Windows) or pammanager (Linux) service.

  7. Done!
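As an added example (not code from the Okta/Xton guide), a small Python check that parses the #CAS section of catalina.properties and verifies that the nine properties above are present, that the fixed values the guide requires are in place (clientName Okta, the pac4j entity ID, an https cas.server.name, an Okta metadata URL), and that no {password} placeholder survived. The sample properties text and the EXAMPLEKEY value are constructed.

```python
# Added example, not code from the Okta/Xton guide: validates the #CAS section
# of catalina.properties against the nine keys the guide lists.
SAMPLE_PROPERTIES = """\
#CAS
cas.server.name=https://host.com
cas.server.prefix=https://host.com/cas
cas.authn.pac4j.saml[0].clientName=Okta
cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=C:/xtam/content/keys/okta.xml
cas.authn.pac4j.saml[0].keystorePath=C:/xtam/content/keys/samlKeystore.jks
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://subDomain.okta.com/app/EXAMPLEKEY/sso/saml/metadata
"""  # constructed sample; EXAMPLEKEY stands in for the app's externalKey

SAML = "cas.authn.pac4j.saml[0]."
REQUIRED = ("cas.server.name", "cas.server.prefix") + tuple(
    SAML + k for k in ("clientName", "keystorePassword", "privateKeyPassword",
                       "serviceProviderEntityId", "serviceProviderMetadataPath",
                       "keystorePath", "identityProviderMetadataPath"))

def parse_properties(text):
    """Minimal Java-properties reader: key=value lines; '#'/'!' comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_cas_config(text):
    """Return a list of problems; an empty list means the section follows the guide."""
    p = parse_properties(text)
    problems = [f"missing {k}" for k in REQUIRED if not p.get(k)]
    if problems:
        return problems  # do not inspect values until every key is present
    idp = p[SAML + "identityProviderMetadataPath"]
    if not p["cas.server.name"].startswith("https://"):
        problems.append("cas.server.name must be an https:// URL")
    if p[SAML + "clientName"] != "Okta":
        problems.append("clientName must be Okta")
    if p[SAML + "serviceProviderEntityId"] != "urn:mace:saml:pac4j.org":
        problems.append("serviceProviderEntityId must be urn:mace:saml:pac4j.org")
    if not (idp.startswith("https://") and idp.endswith("/sso/saml/metadata")):
        problems.append("identityProviderMetadataPath should be the Okta metadata URL")
    if "{" in p[SAML + "keystorePassword"] + p[SAML + "privateKeyPassword"]:
        problems.append("replace the {password} placeholders with real passwords")
    return problems
```

Run check_cas_config on the contents of your edited catalina.properties before restarting the service; the check only reads the file and changes nothing.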

Notes

SP-initiated SSO

  1. Open the Xton Access Manager login URL.

  2. Click Okta.