Okta

How to Configure SAML 2.0 for Andromeda On-Premises


Supported Features

The Okta/Andromeda On-Premises SAML integration currently supports the following features:


Configuration Steps

  1. Sign in to your Andromeda On-Premises instance as a system administrator.

  2. Navigate to Admin > SAML Configuration.

  3. Select Enable SSO with SAML.

  4. In the Andromeda Information section, save the SP Identity, Consumer URL, and Logon URL values.

  5. In the SAML Identity Provider section, enter the following:

    1. IdP Name: Okta.

    2. Single Sign On End Point: Copy and paste the following:

      Sign in to the Okta Admin Dashboard to generate this variable.

    3. X.509 Certificate: Copy and paste the following:

      Sign in to the Okta Admin Dashboard to generate this variable.

  6. In the Attributes Mapping section, use the following mappings:

    1. User ID Attribute: nameid

    2. Email Attribute: email

    3. Full Name Attribute: fullname

    4. First Name Attribute: first_name

    5. Last Name Attribute: last_name

    6. Role Attribute: role

    7. User Type Attribute: userType

    8. Company Attribute: company

    NOTE: The User ID attribute is required for logging in. For JIT (Just In Time) Provisioning, the Email, Company, User Type, and Role attributes are also required. Follow the instructions in the Notes section to add and use the Company, User Type, and Role attributes in Okta.

  7. Click Save.

  8. In Okta, select the General tab for the Andromeda On-Premises app, then click Edit.

    • Enter your SP Identity and Consumer URL (step 4) values into the corresponding fields.

    • Click Save.

  9. Done!


Notes

The following SAML attributes are supported:

In addition to the default attributes, Okta supports the following four custom attributes:

Here is an example describing how to add and use the additional company attribute. Follow the same steps for the userType and role attributes:

  1. In Okta, navigate to Directory > Profile Editor.

  2. Search for the Andromeda On-Premises app, then click Profile.

  3. Click Add Attribute, then enter the following:

    1. Display Name: Enter a preferred attribute name. In our example, we used Company.

    2. Variable Name: company.

      Important: In our example we are adding the company attribute. You must use the following variable names for the custom attributes: userType, company, role.

    3. Click either Add Attribute or Save and Add Another.

    Note: Scope (optional): If you check User personal, the attribute is available when you assign a user to the Andromeda On-Premises application, but not when you assign a group to the app.

  4. Click Map Attributes.

  5. Select the Okta to Andromeda On-Premises tab.

  6. Start typing the required attribute from the Okta Base User profile (or use the drop-down list) and select the attributes you want to map.

  7. In our example, we selected the Organization attribute. Then use the green arrows (Apply mapping on user create and update).

  8. Click Save Mappings.

  9. Click Apply Updates Now.

  Okta will now pass the company attribute with the value of the Organization field from the Okta Base User Profile.
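Added example (not part of the Okta or Andromeda documentation): a small diagnostic that reads a decoded SAML assertion, for instance one captured from a test login, and reports whether it carries what the mapping above needs for login and for JIT provisioning. It assumes the nameid mapping refers to the assertion's Subject NameID and that the other values arrive as attributes with the names listed in the Attributes Mapping step; the sample assertion and its values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Names from the Attributes Mapping step; JIT needs all four plus the user ID.
JIT_REQUIRED = ("email", "company", "userType", "role")

def read_assertion(xml_text):
    """Return (name_id, {attribute name: [non-empty values]}) from a decoded assertion."""
    # Diagnostic only: no signature or condition checks, so never use this in a login path.
    root = ET.fromstring(xml_text)
    # Assumption: "nameid" in the mapping means the Subject NameID element.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return name_id, attrs

def check_mapping(xml_text):
    """Report whether login and JIT provisioning have the data they need."""
    name_id, attrs = read_assertion(xml_text)
    missing = [n for n in JIT_REQUIRED if not attrs.get(n)]
    return {"login_ok": bool(name_id),
            "jit_ok": bool(name_id) and not missing, "missing_for_jit": missing}

def sample_assertion(attrs, name_id="jane.doe@example.com"):
    """Build a constructed, unsigned assertion for the demo (not real Okta output)."""
    items = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{items}</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    full = sample_assertion({"email": "jane.doe@example.com", "company": "Example Corp",
                             "userType": "employee", "role": "viewer"})
    # userType never added in the Profile Editor; Organization empty in the Okta profile.
    partial = sample_assertion({"email": "jane.doe@example.com", "company": "", "role": "viewer"})
    print(check_mapping(full))
    print(check_mapping(partial))
```

An empty company value is reported as missing because a blank Organization field in the Okta profile leaves JIT provisioning without the data it requires, even though the mapping itself exists.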

For SP-initiated SSO

Either:

Open the Logon URL from step 4 of the Configuration Steps above.

or:

Open your login URL for Andromeda On-Premises, then click Login with Okta.