Okta

How to Configure SAML 2.0 for Declaree



Supported Features

The Okta/Declaree SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. Log in to your Declaree instance as an administrator.

  2. Navigate to Admin > Single Sign-On.

  3. Activate SAML 2.0: Check this box.

  4. Subdomain: Enter a subdomain value (required). For example, you can use your domain name. Make a note of this value.

  5. Domain: Enter your email domain value.

  6. Federation metadata URL: Copy and paste the following:

    Sign into the Okta Admin dashboard to generate this value.

  7. Issuer ID: Copy and paste the following:

    Sign into the Okta Admin Dashboard to generate this variable.

  8. IdP SSO login URL: Copy and paste the following:

    Sign into the Okta Admin Dashboard to generate this variable.

  9. Certificate: Download and save the following certificate, then click Browse to locate and upload it to Declaree:

    Sign into the Okta Admin Dashboard to generate this variable.

  10. [Optional SLO]: Save your Declaree certificate using the Download Declaree certificate (SP) link.

  11. [Optional SLO]: IdP SSO logout URL: Copy and paste the following:

    Sign into the Okta Admin Dashboard to generate this variable.

  12. Logout target URL: Copy and paste the following:

    Sign into the Okta Admin Dashboard to generate this variable.

  13. (Screenshot: declaree_a.png)

  14. Check Create user if not exists in order to enable Just In Time (JIT) Provisioning.

  15. Authentication requests signed: Check this.

  16. NameID policy: Select Persistent.

  17. Request binding: Select HTTP Redirect.

  18. Username (uuid) and User ID fields: Leave these blank.

  19. E-mail: Enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email

  20. Firstname: Enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  21. Lastname: Enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

  22. Groups: Enter: http://schemas.xmlsoap.org/claims/Group

  23. Click Save.

  24. (Screenshot: declaree2.png)

  25. In Okta, select the Sign On tab for the Declaree app, then click Edit.

    • To send user groups as part of the SAML response: Select your preferred group filter from the dropdown list for the http://schemas.xmlsoap.org/claims/Group attribute (in our example, we used the Regex rule with the value ".*" in order to send *all* groups to the Declaree instance).

    • [Optional SLO]: Check the Enable Single Logout box.

    • [Optional SLO]: Upload the certificate file you saved earlier (step 10).

    • (Screenshot: declaree3.png)

    • Scroll down to the ADVANCED SIGN-ON SETTINGS section.

    • Enter the Subdomain value from step 4 into the corresponding field.

    • Click Save:

    • (Screenshot: declaree4.png)

  26. Done!
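
A way to check a captured test assertion against the NameID policy from step 16 and the attribute names from steps 19 to 22 before relying on JIT provisioning. This is an added example, not Okta or Declaree code: the function name `check_assertion` and the sample assertion are constructed for illustration, and the script inspects the mapping only, without validating the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
# Declaree field -> attribute name entered in steps 19-22 of this guide.
EXPECTED = {"E-mail": CLAIMS + "email", "Firstname": CLAIMS + "givenname",
            "Lastname": CLAIMS + "surname", "Groups": GROUP}

# Constructed sample assertion (not real Okta output); surname omitted on purpose.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:Subject><saml:NameID Format="{PERSISTENT}">constructed-id-001</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="{CLAIMS}email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{GROUP}">
   <saml:AttributeValue>Finance</saml:AttributeValue>
   <saml:AttributeValue>Approvers</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return (attrs, problems) for one decoded assertion from your own test login.

    Mapping check only: the XML signature is NOT validated here.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID format is {name_id.get('Format')}, expected persistent")
    for field, uri in EXPECTED.items():
        if not any(v.strip() for v in attrs.get(uri, [])):
            problems.append(f"{field}: attribute {uri} missing or empty")
    return attrs, problems


if __name__ == "__main__":
    found, issues = check_assertion(SAMPLE)
    print("groups sent:", found.get(GROUP, []))
    print("problems:", issues or "none")
```

Reviewing the printed group list is also a quick way to see exactly which groups the filter chosen in step 25 releases to the Declaree instance.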


Notes

The following SAML attributes are supported:

SP-initiated SSO

Go to: https://[subDomain].declaree.com/

Where [subDomain] is the value from step 4.