SSO Integration with Okta
TABLE OF CONTENTS
- Introduction
- Create a new SAML application
- Create a Bookmark App
- Assign users/groups
- User login to Aqua (optional)
- Support
Introduction
Aqua offers single sign-on using SAML. This document outlines the recommended process to set up Aqua SAML IdP-initiated SSO with Okta. The setup process consists of the following steps, which are described in depth below:
- Create a new SAML application
- Create a Bookmark App
- Use the provided settings to generate an XML file or metadata endpoint
- Provide that file or endpoint to Aqua Support
- Assign Users/Groups to the App and Bookmark App
- Aqua will enable SAML
- Users will be directed to sign in via our /sso login page
Create a new SAML application
Settings
Okta's login mechanism uses IdP-initiated SAML from its App Home (the Okta dashboard). Aqua does not support IdP-initiated SAML natively, but the following URL provides a simple, workable alternative:
https://cloud.aquasec.com/sso?connection=YOURACCOUNTNAME
This URL will trigger the SAML flow immediately, without users having to enter their email address.
In addition, Okta requires that the emailaddress SAML claim use the full claim URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
In your SAML-compatible identity provider (Okta, in this guide), create a new web application with the following endpoint and audience settings.
Setting | Value
Application Name | Aqua App
Application Type | Web
SSO URL | https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Application Callback URL | https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Allowed Callback URLs | https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Audience | urn:amazon:cognito:sp:us-east-1_voZ9dTvpW

Required Attributes
Assertion/Claim* | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
* Required attribute; the name must match this URI exactly.
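As an added pre-flight check (not part of Aqua's or Okta's own tooling), the following Python script reads a test SAML assertion from your Okta app and confirms that it carries the audience, recipient URL and e-mail claim name from the table above. The sample assertion in the script is constructed for illustration, not real Okta output.

```python
import xml.etree.ElementTree as ET

# Values from the settings table above.
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_voZ9dTvpW"
EXPECTED_ACS = "https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_assertion(xml_text):
    """Return the configuration problems found in a SAML assertion (empty list = OK).
    Only audience, recipient and the e-mail attribute name are checked; signature
    validation is the service provider's job and is not attempted here."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> element found"]
    problems = []
    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"audience {audiences} does not include {EXPECTED_AUDIENCE}")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != EXPECTED_ACS:
        problems.append(f"recipient {recipient!r} is not the SSO/callback URL")
    names = [a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)]
    if EMAIL_CLAIM not in names:
        problems.append(f"email attribute must be named {EMAIL_CLAIM}; found {names}")
    return problems


# Constructed sample assertion (not real Okta output) carrying the expected values.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:amazon:cognito:sp:us-east-1_voZ9dTvpW</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same assertion with the short name "email" instead of the full claim URI,
# the mistake this pre-flight check is meant to catch before metadata is sent off.
BAD_ASSERTION = GOOD_ASSERTION.replace(EMAIL_CLAIM, "email")
```

Run check_assertion() on the assertion text you export from the Okta app; an empty list means the three settings match the table.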
Procedure
1. Create a New App.
2. Name the App and hide it.
3. Configure the App.
4. Complete the setup.
5. Export the Metadata.
Create a Bookmark App
1. In the Applications page, click Add and type "Bookmark App" in the search box.
2. Enter Aquasec as the name of the app and the URL: https://cloud.aquasec.com/sso?connection=YOURACCOUNTNAME
Do not hide the Bookmark app. Leave both Application Visibility boxes unchecked, as shown in the screenshot.
3. To help users identify the Bookmark App, you can add the Aqua logo and description of that app to the Bookmark app.
4. After assigning the app, the screen shown below will be displayed. Move the cursor to the position indicated by the red arrow. An edit button with a pencil icon appears. Click this icon to open the logo edit screen.
5. The Edit Logo window opens. Change the logo to https://aquasec.com/img/logo-medium.png to make it clear to the end users which app is opened.
6. After creating the application, reply to your original SAML Support request with either an XML metadata file or a link to an XML metadata endpoint. Aqua will then complete the integration setup. Existing users do not need to be re-created or re-invited.
Assign users/groups
Make sure you assign users and/or groups to both the App and the Bookmark App to grant Aqua access to your users.
User login to Aqua (optional)
1. After the application is created, users who sign in via the Aqua SSO page (https://cloud.aquasec.com/sso) will be redirected to your login provider.
2. After entering an email address, users will be redirected to the appropriate SAML application.
Support
If you have any questions, please contact Aqua Support. We will be happy to assist you during the process via email, phone, or screen share.