Okta

How to Configure SAML 2.0 for RightScale

Read this:

The Ping-based integration is outdated and has been replaced by the new integration. Disable (uncheck) the Legacy SAML Integration through PingOne checkbox to ensure that SP-initiated login continues to work:

“rightscalenew1.png"

  1. Sign in to your RightScale account as an administrator.

  2. Navigate to Settings > Single Sign-On.

    “rightscale1.png"

  3. Click the New button.

    “rightscale1a.png"

  4. Enter the following information (see the screenshot at the end of this step for reference):

    • Enter a Display Name.

    • If you need to enable SP-initiated SSO, under Login Method, check the Allow RightScale-initiated SSO using a discovery hint box. Then enter [YourSubDomain].okta.com as the discovery hint.

    • SAML SSO Endpoint: Copy and paste the following:

      Sign into the Okta Admin Dashboard to generate this variable.

    • SAML IdentityID: Copy and paste the following:

      Sign into the Okta Admin Dashboard to generate this variable.

    • SAML Signing Certificate: Save the following, click Browse to locate, then upload it to RightScale.

      Sign into the Okta Admin Dashboard to generate this variable.

    • Click Save and you will be returned to the Identity Provider list page.

    “rightscale2.png"

  5. Click the arrow icon under the Actions label to test your IdP configuration:

    “rightscale3.png"

  6. The SAML Consume Test page will appear:

    “rightscale4.png"

  7. Just In Time (JIT) Provisioning: If you need users to be provisioned via SSO, you must enable authority for your new IdP over the SAML-asserted email domains (see http://docs.rightscale.com/platform/saml/registering_idp_authority.html).

  8. RightScale SAML RelayStates: The value of the RelayState tells the Service Provider (RightScale) what application within the SP the user should be redirected to.

    Below is a table of the RelayState values supported by RightScale:

    | RelayState | Meaning | Action |
    |---|---|---|
    | Blank or absent | IdP did not specify a destination | Redirect to CM |
    | urn:rightscale:product:cm | User wants to interact with Cloud Management (CM) | Redirect to CM |
    | urn:rightscale:product:ss | User wants to interact with Self-Service (SS) | Redirect to SS |
    | urn:rightscale:product:ca | User wants to interact with Cloud Analytics (CA) | Redirect to CA |
    | https://*.rightscale.com/* | User wants to reach a specific page in some product | Redirect to requested page |

    To specify the RightScale RelayState, in Okta, select the Sign On tab for the RightScale app:

    “rightscale5.png"

  9. Done!

    Notes:

    IdP-initiated flows, SP-initiated flows, and Just In Time (JIT) provisioning are all supported.

    For SP-initiated flows (if enabled, see step 4, above):

    1. Go to https://login.rightscale.com/login/session/new.

    2. Click the Use single sign-on button.

      “rightscale6.png"

    3. Enter your Discovery hint (see step 4, above) into the Enter your SSO Identifier field, then click the Log In button.

      “rightscale7.png"
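
The RelayState table in step 8, as an added example (not Okta's or RightScale's code): a Python check that classifies a RelayState value before it is entered on the Sign On tab, matching the https://*.rightscale.com/* row on the parsed host rather than by substring so that look-alike hosts are refused. The function names and the strict, case-sensitive matching are assumptions.

```python
from urllib.parse import urlsplit

# Product URNs and their actions, from the RelayState table in step 8.
PRODUCT_URNS = {
    "urn:rightscale:product:cm": "CM",
    "urn:rightscale:product:ss": "SS",
    "urn:rightscale:product:ca": "CA",
}
SUFFIX = ".rightscale.com"


def classify_relay_state(value):
    """Return "CM", "SS" or "CA", or the URL itself for a deep link.

    Raises ValueError for any value the table does not list.
    """
    if value is None or value.strip() == "":
        return "CM"  # blank or absent: IdP did not specify a destination
    value = value.strip()
    if value in PRODUCT_URNS:  # assumption: URNs are matched case-sensitively
        return PRODUCT_URNS[value]
    # Whitespace, control characters and backslashes are parsed differently
    # by different URL parsers, so refuse them before parsing.
    if any(ord(c) <= 0x20 or c == "\\" for c in value):
        raise ValueError("unsupported RelayState: %r" % value)
    parts = urlsplit(value)  # raises ValueError itself on malformed hosts
    host = parts.hostname or ""
    if (parts.scheme == "https"
            and parts.username is None and parts.password is None
            and host.endswith(SUFFIX) and len(host) > len(SUFFIX)
            and parts.path.startswith("/")):
        return value  # matches https://*.rightscale.com/*
    raise ValueError("unsupported RelayState: %r" % value)


def is_supported(value):
    """True if the value appears in the table, False otherwise."""
    try:
        classify_relay_state(value)
        return True
    except ValueError:
        return False
```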