Okta

How to Configure SAML 2.0 for Platform9

  1. Contact the Platform9 support team and request that they enable SAML 2.0 for your account.

  2. Include the following data with your request:

    • Metadata URL: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • Entity ID: Copy and paste the following:

      Sign into the Okta Admin Dashboard to generate this value.

  3. In Okta, select the Sign On tab for the Platform9 app, then click Edit:

    • Enter the Default Relay State value in the following format:

      [yourBaseUrl]/clarity/#/signin/sso

      For example, if you log into https://acme.platform9.net, then your Default Relay State value will be https://acme.platform9.net/clarity/#/signin/sso

    • Click Save.

    platform9.png

  4. The Platform9 Support team will process your request. After receiving a confirmation email, log into your Platform9 instance.

  5. In Platform9, navigate to Tenants and Users > Groups.

  6. Create a new group (+ ADD GROUP) for each team of users that you’d like to provide access to Platform9.

    platform9_2.png

  7. For each group, enter the following:

    • Name: Enter a required group name.

    • Description: Enter a corresponding group description.

    • SAML attribute key for a user's first name: Enter FirstName.

    • SAML attribute key for a user's last name: Enter LastName.

    • SAML attribute key used to identify users that should map to this OpenStack Group: The name of the SAML attribute whose value identifies the collection of users you'd like to map to this OpenStack Group. In our example we used department.

      See List of Supported Attributes later in these instructions.

    • SAML attribute value(s) used to identify users that should map to this OpenStack Group: A comma-separated list of values of the SAML attribute key defined above; a user whose attribute carries any one of these values is mapped to this OpenStack Group. In our example we used IT,SUPPORT.

    • Click NEXT.

    platform9_3.png

  8. Specify what Tenants this Group should have access to and what Role the users in this Group should play for each Tenant.

    • We used the service tenant and the Administrator role in our example. Every user whose attribute matches the group's value list receives this role, so keep the value list narrow when the role is Administrator.

    • Click NEXT:

    platform9_4.png

  9. Click CREATE GROUP:

    platform9_5.png

  10. Done!

Notes:

IDP-initiated flows, SP-initiated flows, and Just in Time (JIT) provisioning are all supported.


For SP-initiated Flows

  1. Open the Platform9 Login URL.

  2. Click SIGN IN WITH YOUR IDENTITY PROVIDER:

    platform9_6.png


List of Supported Attributes

Okta sends the following nine attributes as part of the SAML assertion: FirstName, LastName, Email, department, division, locale, organization, preferredLanguage, userType.

These attributes are mapped to the corresponding fields in the Okta Base User Profile.

In addition to the default attributes, Okta supports the following five custom attributes: custom1, custom2, custom3, custom4, custom5.

Here is an example on how to add and use additional custom attributes:

  1. In Okta, navigate to Directory > Profile Editor.

  2. Search for the Platform9 app, then click on Profile:

    platform9_7.png

  3. Click Add Attribute, then enter the following:

    • Display Name: Enter the preferred attribute name. In our example, we used State.

    • Variable Name: If you are adding one attribute, enter custom1; for additional attributes use custom2, custom3, custom4, or custom5.

    • Click either Add Attribute if you are adding just one attribute, or Save and Add Another to add more.

    platform9_8.png

    Note: Scope (optional): If you check User personal, the attribute can only be set for users who are assigned the Platform9 app individually; it is not available when a user receives the app through a group assignment.

  4. Click Map Attributes:

    platform9_9.png

  5. Select the Okta to Platform9 tab.

  6. Start typing the name of the attribute from the Okta base user profile (or use the drop-down list) and select the attribute you want to map.

  7. In our example, we selected the State attribute, then the green arrows (Apply mapping on user create and update).

  8. Click Save Mappings.

    platform9_10.png

  9. Click Apply updates now.

    platform9_11.png

Now Okta will pass the custom1 attribute with the value of the State field from the Okta base user profile.

You can then use custom1 as the SAML attribute key used to identify users that should map to this OpenStack Group, and one or more of its values as the SAML attribute value(s) used to identify users that should map to this OpenStack Group (see step 7).
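To make the group-mapping rules from step 7 and the custom1 mapping above concrete, here is an added example (not Platform9 or Okta code) that reads the AttributeStatement of an assertion and evaluates group rules of the same shape as the Platform9 form: an attribute key, a comma-separated value list, and the tenant/role assignments from step 8. The assertion, the group and role names, and the exact, case-sensitive matching are assumptions for illustration; the guide does not state how Platform9 compares values. It also assumes the assertion has already been signature-checked, since nothing here validates one.

```python
"""Evaluate Platform9-style SAML group-mapping rules against an Okta assertion.

Added example; this is not Platform9 or Okta code.  Assumptions:
  * attribute Names in the assertion equal the keys typed into the Platform9
    group form (FirstName, LastName, department, custom1, ...), as the guide states;
  * matching is exact and case-sensitive (the guide does not say; assumption);
  * the assertion passed in has ALREADY been signature-checked by the SP.  Nothing
    here validates a signature, so never feed it raw, unverified SAML.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample in the shape of Okta's AttributeStatement for the Platform9
# app: a few of the default attributes plus custom1 (mapped to State in Okta).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>SUPPORT</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="custom1"><saml:AttributeValue>CA</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


@dataclass
class GroupRule:
    """One Platform9 group as filled in at steps 7 and 8 (field names paraphrased)."""
    name: str
    attribute_key: str        # SAML attribute key used to identify users for this group
    attribute_values: str     # comma-separated values, exactly as typed into the form
    assignments: list = field(default_factory=list)   # [(tenant, role), ...]
    first_name_key: str = "FirstName"
    last_name_key: str = "LastName"


# Hypothetical rules: group and role names are illustrative, not Platform9 defaults.
RULES = [
    GroupRule("it-support-admins", "department", "IT,SUPPORT", [("service", "Administrator")]),
    GroupRule("california-users", "custom1", "CA", [("service", "Member")]),
]


def parse_value_list(raw: str) -> list[str]:
    """Split the form's comma-separated value list, tolerating stray spaces and commas."""
    return [v.strip() for v in raw.split(",") if v.strip()]


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect every Attribute in the AttributeStatement; SAML allows multi-valued attributes."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def rule_matches(attrs: dict[str, list[str]], rule: GroupRule) -> bool:
    """True if any value of the rule's key is in the rule's value list (exact match)."""
    wanted = set(parse_value_list(rule.attribute_values))
    return any(v in wanted for v in attrs.get(rule.attribute_key, []))


def matching_groups(attrs: dict[str, list[str]], rules: list[GroupRule]) -> list[str]:
    return [r.name for r in rules if rule_matches(attrs, r)]


def effective_roles(attrs: dict[str, list[str]], rules: list[GroupRule]) -> dict[str, set[str]]:
    """Union of tenant/role assignments across every group the user lands in."""
    roles: dict[str, set[str]] = {}
    for rule in rules:
        if rule_matches(attrs, rule):
            for tenant, role in rule.assignments:
                roles.setdefault(tenant, set()).add(role)
    return roles


def jit_profile(attrs: dict[str, list[str]], rule: GroupRule) -> dict[str, str]:
    """Name fields a JIT-provisioned user would get, read via the group's configured keys."""
    def first(key: str) -> str:
        values = attrs.get(key, [])
        return values[0] if values else ""
    return {"first_name": first(rule.first_name_key),
            "last_name": first(rule.last_name_key),
            "email": first("Email")}


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    print("groups:", matching_groups(attrs, RULES))
    print("roles:", effective_roles(attrs, RULES))
    print("profile:", jit_profile(attrs, RULES[0]))
```

Two things worth noticing when you run it: a user who matches more than one group collects the union of every matching group's tenant/role assignments, and a department value that differs only in case (support instead of SUPPORT) matches nothing under the exact-match assumption. If a value list is meant to grant Administrator, check what your directory actually populates in that attribute before relying on it.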