The Okta/Declaree SAML integration currently supports the following features:
For more information on the listed features, visit the Okta Glossary.
Login to your Declaree instance as an administrator.
Navigate to Admin > Single Sign-On.
Activate SAML 2.0: Check this box.
Subdomain: Enter the subdomain you want for your Declaree instance (your company name, for example). Make a note of this value; you will enter it in Okta later, and it forms the login URL of your instance.
Domain: Enter your email domain value.
Federation metadata URL: Copy and paste the following:
Sign into the Okta Admin dashboard to generate this value.
Issuer ID: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
IdP SSO login URL: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
Certificate: Download and save the following certificate, then click Browse to locate and upload it to Declaree:
Sign into the Okta Admin Dashboard to generate this variable.
[Optional SLO]: Save the Declaree (SP) certificate using the Download Declaree certificate (SP) link. You will upload this file to Okta later.
[Optional SLO]: IdP SSO logout URL: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
Logout target URL: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
Check Create user if not exists in order to enable Just In Time (JIT) Provisioning.
Authentication requests signed: Check this box.
NameID policy: Select Persistent.
Request binding: Select HTTP Redirect.
Username (uuid) and User ID fields: Leave these blank.
E-mail: Enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
Firstname: Enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Lastname: Enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Groups: Enter: http://schemas.xmlsoap.org/claims/Group
Click Save.
In Okta, select the Sign On tab for the Declaree app, then click Edit.
To send user groups as part of the SAML response, select a group filter from the http://schemas.xmlsoap.org/claims/Group dropdown list. In our example we used the Regex filter with the value ".*", which sends *all* groups to the Declaree instance. A narrower filter (for example a Starts with or Regex filter that matches only the groups Declaree actually needs) avoids disclosing your complete group membership to the service provider.
[Optional SLO]: Check the Enable Single Logout box.
[Optional SLO]: Upload the Declaree (SP) certificate file you saved earlier.
Scroll down to the ADVANCED SIGN-ON SETTINGS section.
Enter the Subdomain value you noted when configuring Declaree into the corresponding field.
Click Save.
Done!
The following SAML attributes are supported:
Name | Value |
---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.firstName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.lastName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email | user.email |
http://schemas.xmlsoap.org/claims/Group | This is configured in the app UI; see http://schemas.xmlsoap.org/claims/Group attribute instructions above. |
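A quick way to confirm that Okta is sending what Declaree expects is to capture the SAML Response from a test login (for example with a browser SAML tracer extension) and check its issuer, NameID format and attribute names against the settings above. The script below is an added example, not Okta's or Declaree's code: the embedded response is a constructed, unsigned sample, and the issuer, NameID and group names in it are placeholders. It only inspects the assertion; it does not verify the XML signature, so it is a configuration check, not a substitute for the signature validation Declaree performs. The `filter_groups` helper is an approximation of Okta's "Matches regex" group filter, included to show why ".*" sends every group.

```python
"""Sanity-check a captured Okta SAML Response against the Declaree SSO settings.
Added example, not Okta's or Declaree's code; sample data is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names exactly as entered in Declaree > Admin > Single Sign-On.
REQUIRED_ATTRS = {
    "E-mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email",
    "Firstname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "Lastname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed, unsigned sample. "exkEXAMPLE" / "00uEXAMPLE" are placeholders
# for a real Okta app issuer ID and user ID.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml2:Issuer>http://www.okta.com/exkEXAMPLE</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion Version="2.0">
    <saml2:Issuer>http://www.okta.com/exkEXAMPLE</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">00uEXAMPLE</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
        <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml2:AttributeValue>Jane</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml2:AttributeValue>Doe</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml2:AttributeValue>Everyone</saml2:AttributeValue>
        <saml2:AttributeValue>Declaree Users</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def extract_attributes(assertion):
    """Map each Attribute Name to the list of its AttributeValue texts."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_response(xml_text, expected_issuer):
    """Compare a SAML Response with the Declaree settings. Signature is NOT checked."""
    root = ET.fromstring(xml_text)
    errors = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # Encrypted or missing assertion: nothing more to inspect.
        return {"ok": False, "errors": errors + ["no plain Assertion element"]}
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        errors.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        errors.append("NameID format is not persistent (Declaree NameID policy: Persistent)")
    attrs = extract_attributes(assertion)
    for label, uri in REQUIRED_ATTRS.items():
        if not attrs.get(uri) or not attrs[uri][0]:
            errors.append(f"missing or empty {label} attribute {uri}")
    return {
        "ok": not errors,
        "errors": errors,
        "name_id": name_id.text if name_id is not None else None,
        "groups": attrs.get(GROUP_ATTR, []),
        "attributes": attrs,
    }


def filter_groups(groups, regex):
    """Approximation of Okta's 'Matches regex' group filter: keep group names the
    pattern matches in full. '.*' (the value used above) keeps every group."""
    return [g for g in groups if re.fullmatch(regex, g)]


if __name__ == "__main__":
    report = check_response(SAMPLE_RESPONSE, "http://www.okta.com/exkEXAMPLE")
    print("ok:", report["ok"], "errors:", report["errors"])
    print("groups sent with '.*':", filter_groups(report["groups"], ".*"))
    print("groups sent with 'Declaree.*':", filter_groups(report["groups"], "Declaree.*"))
```

Run it against your own captured response by replacing `SAMPLE_RESPONSE` with the decoded (base64-decoded, and inflated if HTTP-Redirect-encoded) Response XML and `expected_issuer` with the Issuer ID shown in the Okta Admin Dashboard. An issuer mismatch or a non-persistent NameID are the two misconfigurations that most often make Declaree reject an otherwise valid login.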
Go to: https://[subDomain].declaree.com/
Where [subDomain] is the Subdomain value you entered in Declaree.