OKTA SAML integration
Contents
- Creating your application in OKTA.
- Configuring your application in OKTA.
- Generating IDP metadata in OKTA.
- Generating your JKS key.
- Groovy file configuration.
- Generating SP.xml.
- Instances behind a load balancer
Creating application within OKTA
On the Admin page select the Applications, then select “Create App Integration”
Within the Integration window please select SAML 2.0 and click next.
Configuring your application within OKTA.
Name your application and click next
This should bring you to the “SAML settings” window, please see the below example for how this should be configured, the only requirement for here is your IriusRisk domain needs to be changed to what you currently have configured, unless your entity ID is custom, In which case you will need to modify the “Single sign on URL” & Audience URI to reflect this by removing “iriusrisk-sp” and replacing it with your custom entry.
https://youririusriskdomain.com/saml/SSO/alias/iriusrisk-sp
iriusrisk-sp
User/group assignment
Next, please ensure that your required groups are assigned to app within OKTA, you will need to map the group names to the relevant roles within the IriusRisk groovy file to ensure accurate access is assigned to the end user.
Generating IDP metadata in OKTA.
Next, generate the idp metadata by selecting the below, this will need to be placed in the same directory as your docker-compose file using the file name “idp.xml”
Generating the JKS file
From the CLI of your IriusRisk instance enter the tomcat docker container
docker exec -it iriusrisk-tomcat sh
Execute key generation procedure. The default password for the keystore is "changeit". There is no need to fill the information about the name/country etc, but providing a password is mandatory. We will also use “iriusrisk-sp” as key password.
keytool -genkey -alias "iriusrisk-sp" -validity 1825 -keyalg RSA -keystore /etc/ssl/certs/java/cacerts
Check that the key is properly generated and is present in the keystore:
keytool -list -keystore /etc/ssl/certs/java/cacerts | grep iriusrisk-sp -A 1
Enter keystore password: changeit
iriusrisk-sp, Feb 4, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): 92:E9:7A:34:BD:B5:97:47:80:22:DA:60:6B:ED:A6:B0:FC:BE:5B:E1
Exit the container and copy the keystore outside:
exit
docker cp iriusrisk-tomcat:/etc/ssl/certs/java/cacerts iriusrisk-sp.jks
If you have a requirement to import custom CA certificates please follow the below, if not please proceed to the next steps.
Import CA signed certificates (optional)
When you get your certificates form the CA, you will have 2 important files (names are just an example):
- pem - the public certificate with signed CA certification chain
- key - private key for the certificate
TIP: in order to inspect the contents of the PEM certificate, execute:
openssl x509 -in 4c62d535c32f5d28.pem -text -noout
First, let's create a PKCS12 file that combines the both mentioned files:
openssl pkcs12 -export -in 4c62d535c32f5d28.pem -inkey customer_iriusrisk_com.key -out iriusrisk-sp.p12 -name iriusrisk-sp
After, import the resultant into a new Java Key Store:
keytool -importkeystore -deststorepass iriusrisk-sp -destkeystore iriusrisk-sp.jks -srckeystore iriusrisk-sp.p12 -srcstoretype PKCS12 -alias iriusrisk-sp
In order to inspect the contents of the JKS file, execute:
keytool -list -v -keystore iriusrisk-sp.jks
Docker compose configuration
docker-compose.yml (temporary version)
Create or make changes to your “docker-compose.yml” file to mirror the below content. Remember to configure NG_SERVERNAME, IRIUS_DB_URL, and IRIUS_EXT_URL with the correct values of your instance endpoints as this is an example file:
version: '3'
services:
nginx:
ports:
- "80:80"
- "443:443"
environment:
- NG_SERVER_NAME=your-instance.iriusrisk.com
links:
- tomcat8
image: continuumsecurity/iriusrisk-prod:nginx-prod-ssl
container_name: iriusrisk-nginx
volumes:
- "./cert.pem:/etc/nginx/ssl/star_iriusrisk_com.crt"
- "./key.pem:/etc/nginx/ssl/star_iriusrisk_com.key"
tomcat8:
environment:
- IRIUS_DB_URL=jdbc\:postgresql\://172.17.0.1\:5432/iriusprod?user\=iriusprod&password\=alongandcomplexpassword2523
- IRIUS_EDITION=saas
- IRIUS_EXT_URL=https\://your-instance.iriusrisk.com
- grails_env=production
- CATALINA_OPTS="-Dsaml.config.path=/etc/irius/SAMLv2-config.groovy"
image: continuumsecurity/iriusrisk-prod:tomcat8-3
container_name: iriusrisk-tomcat8
volumes:
- "./SAMLv2-config.groovy:/etc/irius/SAMLv2-config.groovy"
- "./idp.xml:/etc/irius/idp.xml"
- "./iriusrisk-sp.jks:/etc/irius/iriusrisk-sp.jks"
Groovy file configuration
Then create the groovy file in the same directory called SAMLv2-config.groovy please ensure to make the modifications mentioned below to avoid any complications, it is important that the naming conventions of the userGroupToRoleMapping mirror exactly as you have within OKTA.
grails {
plugin {
springsecurity {
saml {
// Activate SAML integration with IriusRisk
active = true
// Base to generate URLs for this server. For example: https://my-server:443/app. The public address your server will be accessed from should be used here.
entityBaseUrl = 'https://your-instance.iriusrisk.com'
// Custom entity id for the instance. If it doesn't exist it is set to iriusrisk-sp by default
// entityId = "iriusrisk-sp"
// Mapping User fields to SAML fields, e.g: [firstName: givenName], firstName is the user field in IriusRisk (do not change), givenName is SAML field
userAttributeMappings = [
'username' : 'user.email',
'firstName': 'user.firstName',
'lastName' : 'user.lastName',
'email' : 'user.email'
]
// SAML assertion attribute that holds returned group membership data
userGroupAttribute = 'memberOf'
// Custom Values, mapping Okta Groups GUIDs (used as keys in the configuration map userGroupToRoleMapping) to Irius RoleGroup names (used as values in the configuration map userGroupToRoleMapping)
userGroupToRoleMapping = [
'Your_okta_group':'ROLE_TEST_ONLY',
'Your_okta_group':'ROLE_ADMIN',
'Your_okta_group':'ROLE_PORTFOLIO_VIEW',
'Your_okta_group':'ROLE_DEVELOPER',
'Your_okta_group':'ROLE_FULL_ACCESS_USER',
'Your_okta_group':'ROLE_MANAGE_USERS_BU',
'Your_okta_group':'ROLE_RISK_MANAGER',
'Your_okta_group':'ROLE_RULES_EDITOR',
'Your_okta_group':'ROLE_TEMPLATE_EDITOR',
'Your_okta_group':'ROLE_REQUIREMENTS_MANAGE',
'Your_okta_group':'ROLE_TESTER',
'Your_okta_group':'ROLE_QUESTIONNAIRE_ONLY',
'Your_okta_group':'ROLE_LIBRARY_EDITOR'
]
// If there is no information about roles in the SAML Response, IriusRisk will use this property to assign a default role to the User
defaultRole = 'ROLE_DEVELOPER'
// SAML assertion attribute that holds returned business unit data
// businessUnitsAttribute = 'department'
// Custom Values, mapping group names with (used as keys in the configuration map businessUnitsMapping) to Irius business units refs (used as values in the configuration map businessUnitsMapping)
// businessUnitsMapping = [
// 'Your_okta_group': 'testers',
// 'Your_okta_group': 'managers',
// 'Your_okta_group': 'developers'
// ]
// If there is no information about business units in the SAML Response, IriusRisk will use this property to assign a default business unit to the User
// defaultBusinessUnit = 'testers'
// Custom entity id for the instance if it doesn't exist it is set to iriusrisk-sp by default
// entityId = "custom-entity-id"
metadata {
// Relative URL in IriusRisk to download sp.xml metadata
url = '/saml/metadata'
// Provider to be used from the configuration map providers
defaultIdp = 'idp'
// Configuration map providers, using the name of the provider as key and the file system path to the xml descriptor file from Azure
providers = [ idp :'/etc/irius/idp.xml']
idp {
title = 'OKTA login caption'
}
sp {
file = '/etc/irius/sp.xml'
defaults = [
// alias should correspond to your entity id
alias: 'iriusrisk-sp',
signingKey: 'iriusrisk-sp',
encryptionKey: 'iriusrisk-sp',
tlsKey: 'iriusrisk-sp',
]
}
}
keyManager {
storeFile = 'file:/etc/irius/iriusrisk-sp.jks'
storePass = 'changeit'
passwords = [ 'iriusrisk-sp':'changeit' ]
defaultKey = 'iriusrisk-sp'
}
}
}
}
}
Remember to change some parameters:
- entityBaseUrl - public URL endpoint of your IriusRisk instance
- entityId - custom entity ID set to identify IriusRisk application in OKTA (Note: if setting custom entity this must be reflected in the "alias:" definition under the sp configuration)
- userGroupToRoleMapping - map your OKTA groups to IriusRisk roles
The default IriusRisk roles can be extracted directly from the database with this command:
sudo -u postgres psql --dbname=iriusprod --command="SELECT name FROM role_group";
- userGroupAttribute - the mapping for the attribute that holds returned group membership data
- defaultRole - If a user is not a member of a group in OKTA this is what role will they be granted.
- providers - map your Federation Metadata XML file downloaded from OKTA
- idp.title - sentence you want to appear on the login page as the hyperlink to the OKTA login page.
- keyManager - section with your generated certificate parameters
- businessUnitsAttribute - group attribute to map to IriusRisk business units
- businessUnitsMapping - map IdP groups to business units
SP metadata
sp.xml
Run the application and wait for UI to be available (it may take up to 10min):
docker-compose up -d
The log will show some errors indicating the missing sp.xml file. This is something expected. At this point IriusRisk isn't fully configured yet and the UI will not be accessible.
Once IriusRisk finish started you will need to download IriusRisk SAML metadata file with the following command (change your-iriusrisk.iriusrisk.com to your own IriusRisk endpoint):
curl https://your-iriusrisk.iriusrisk.com/saml/metadata --output sp.xml
docker-compose.yml (final version)
After you will need to include the both files into your docker-compose.yml:
version: '3'
services:
nginx:
ports:
- "80:80"
- "443:443"
environment:
- NG_SERVER_NAME=your-iriusirsk.iriusrisk.com
links:
- tomcat8
image: continuumsecurity/iriusrisk-prod:nginx-prod-ssl
container_name: iriusrisk-nginx
volumes:
- "./cert.pem:/etc/nginx/ssl/star_iriusrisk_com.crt"
- "./key.pem:/etc/nginx/ssl/star_iriusrisk_com.key"
tomcat8:
environment:
- IRIUS_DB_URL=jdbc\:postgresql\://172.17.0.1\:5432/iriusprod?user\=iriusprod&password\=alongandcomplexpassword2523
- IRIUS_EDITION=saas
- IRIUS_EXT_URL=https\://your-iriusirsk.iriusrisk.com
- grails_env=production
- CATALINA_OPTS="-Dsaml.config.path=/etc/irius/SAMLv2-config.groovy"
image: continuumsecurity/iriusrisk-prod:tomcat8-3
container_name: iriusrisk-tomcat8
volumes:
- "./SAMLv2-config.groovy:/etc/irius/SAMLv2-config.groovy"
- "./idp.xml:/etc/irius/idp.xml"
- "./iriusrisk-sp.jks:/etc/irius/iriusrisk-sp.jks"
- "./sp.xml:/etc/irius/sp.xml"
Load Balancer Config
If your application is behind a load balancer you may need to add the following to your goovy file:
contextProvider{
providerClass = 'SAMLContextProviderLB'
scheme = 'https'
serverName = 'your external hostname'
serverPort = 443
includeServerPortInRequestURL = false
contextPath ='/MicroStrategyLibrary'
}
Errors relating to this issue should resemble this:
ERROR org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder - SAML message intended destination endpoint 'https://host.com/saml/SSO/alias/iriusrisk-sp' did not match the recipient endpoint 'http://host.com/saml/SSO/alias/iriusrisk-sp'
Restart everything and your integration should be finished:
docker-compose down && docker-compose up -d
You can also check the logs and see that everything is running correctly:
docker logs -f iriusrisk-tomcat
Comments
0 comments
Article is closed for comments.