Single Sign-On Integration with Okta
Introduction
Aqua CSPM offers single sign-on using SAML. This document outlines the recommended process to set up Aqua SAML IdP-initiated SSO with Okta. The setup consists of the following steps, each described in depth below:
- Create a new SAML application
- Create a Bookmark App
- Use the provided settings to generate an XML file or metadata endpoint
- Provide that file or endpoint to Aqua support
- Assign Users/Groups to the App and Bookmark App
- Aqua will enable SAML
- Users will be directed to sign in via our /sso login page
Create a new SAML application
With your existing SAML-compatible provider, create a new Web application with the following endpoints and audience settings.
Okta's login mechanism uses IdP-initiated SAML from its App Home. Aqua does not support IdP-initiated SAML natively, but there is an easy and workable solution using the following URL: https://cloud.aquasec.com/sso?connection=YOURACCOUNTNAME This URL kicks off the SAML flow immediately, without users having to enter their email address.
Settings
Setting                  | Value
-------------------------|---------------------------------------------------------------------------
Application Name         | Aqua App
Application Type         | Web
Single Sign-On URL       | https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Application Callback URL | https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Allowed Callback URLs    | https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Audience                 | urn:amazon:cognito:sp:us-east-1_voZ9dTvpW
Required Attributes      |
Assertion/Claim*         | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
In addition, Okta requires the full URL of the emailaddress SAML claim set to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Steps
1. Create New App.
2. Name the App and hide it.
3. Configure the App.
4. Finish the setup.
5. Export the Metadata.
Create a Bookmark App
1. In the Applications page, click Add and type "Bookmark App" in the search box.
2. Enter Aquasec as the name of the app and the URL: https://cloud.aquasec.com/sso?connection=YOURACCOUNTNAME
Important: Do not hide the Bookmark app. Leave both Application Visibility boxes unchecked, as shown below.
3. To help users identify the Bookmark App, add the Aqua logo and a description of the app to it.
4. After assigning the app, the screen shown below displays. Move the cursor to the position indicated by the red arrow; an edit button with a pencil icon appears. Click this icon to open the logo edit screen.
5. The Edit Logo window opens. Change the logo to https://aquasec.com/img/logo-medium.png so that end users can clearly see which app is being opened.
6. After creating the application, reply to your original SAML Support request with either an XML metadata file or a link to an XML metadata endpoint. Aqua will then complete the integration setup. Existing users do not need to be re-created or re-invited.
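Before sending the exported metadata to Aqua support, it is worth checking that it is actually IdP metadata and carries what the service provider side needs to trust your Okta tenant: an entityID, an HTTPS HTTP-POST single sign-on endpoint, and at least one parseable signing certificate (without that certificate, SAML responses from Okta cannot be verified). The following pre-flight checker is an added example, not part of Aqua's or Okta's tooling. It assumes a standard SAML 2.0 IdP metadata document of the shape Okta exports; the embedded sample is a constructed, abbreviated document with placeholder entity and certificate values. The Aqua-side ACS URL and audience from the settings table are kept alongside for cross-reference only; they belong to the SP and do not appear in IdP metadata.

```python
"""Pre-flight check of an Okta IdP SAML metadata file (added example, not Aqua/Okta code)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# SP-side values from the settings table above, kept here for cross-reference.
AQUA_ACS_URL = "https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
AQUA_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_voZ9dTvpW"

# Constructed sample in the shape of an Okta IdP metadata export; the entity
# id, host and certificate are placeholders, not real data.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIBPLACEHOLDERCERTAAAAA</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/aqua/exkEXAMPLEPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/aqua/exkEXAMPLEPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return the values Aqua support needs from IdP metadata, plus any warnings."""
    findings = {"entity_id": None, "sso_post_url": None, "name_id_formats": [],
                "signing_certs": 0, "warnings": []}
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        findings["warnings"].append("root element is not md:EntityDescriptor")
        return findings
    findings["entity_id"] = root.get("entityID")
    if not findings["entity_id"]:
        findings["warnings"].append("entityID attribute is missing")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # A common mistake is exporting SP metadata instead of IdP metadata.
        findings["warnings"].append("no IDPSSODescriptor: this is not IdP metadata")
        return findings

    # Aqua's flow posts the SAML response, so the HTTP-POST binding is the one that matters.
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            findings["sso_post_url"] = sso.get("Location")
    if not findings["sso_post_url"]:
        findings["warnings"].append("no HTTP-POST SingleSignOnService endpoint")
    elif not findings["sso_post_url"].startswith("https://"):
        findings["warnings"].append("SingleSignOnService endpoint is not https")

    findings["name_id_formats"] = [
        e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]

    # The signing certificate is the trust anchor: count only certificates that
    # are valid base64 and start with a DER SEQUENCE tag (0x30), as X.509 does.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()))
            except ValueError:  # binascii.Error is a ValueError subclass
                findings["warnings"].append("signing certificate is not valid base64")
                continue
            if der[:1] != b"\x30":
                findings["warnings"].append("signing certificate is not DER-encoded")
                continue
            findings["signing_certs"] += 1
    if findings["signing_certs"] == 0:
        findings["warnings"].append("no usable signing certificate: assertions cannot be verified")
    return findings


if __name__ == "__main__":
    result = check_idp_metadata(SAMPLE_METADATA)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run the script against your real export by reading the file into `check_idp_metadata` in place of `SAMPLE_METADATA`; an empty `warnings` list means the document has the pieces a service provider needs, and any warning is worth resolving in Okta before replying to the support request.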
Assign Users/Groups
Make sure you assign Users and/or Groups to both the App and the Bookmark App to grant access to your Users to Aqua.
Users Login on Aqua (Optional)
1. After creating a new application, users who sign in via the Aqua SSO page (https://cloud.aquasec.com/sso) will be redirected to your login provider.
2. After entering an email address, users will be redirected to the appropriate SAML application.
Support
If you have any questions during the migration, you can email support@aquasec.com and we will be happy to assist you during the process via email, phone, or screen share.