OKTA - SAML Integration

MetaDefender ICAP Server has been tested and verified with the following IDPs for both SAML and OIDC integrations:

  • Okta
  • Azure
  • OneLogin
  • Ping Identity

In this article, we selected OKTA (https://www.okta.com/) as a supported IDP to demonstrate OIDC and SAML integration with MetaDefender ICAP Server.

SAML Connect Integration

Create a new application on the IDP site for MetaDefender ICAP

  1. Sign in to the Okta site
  2. Add an application, select the “Web” application type, and choose “SAML 2.0” as the Sign on method

Proceed to the “Configure SAML” step of the SAML integration configuration and fill the required fields with any valid value for now; we need to generate some data from the MetaDefender ICAP management console before returning to this page later.

  1. On the MetaDefender ICAP management console, create a new user directory for SSO:
  • Navigate to Settings > User Management
  • On the “USER DIRECTORIES” tab, hit the “ADD NEW USER DIRECTORY” button
  • Choose the “Security Assertion Markup Language (SAML)” option for “USER DIRECTORY TYPE”
  • Type a directory name of your choice
  • In the “IDENTITY PROVIDER” section, hit the “FETCH” button and enter the IDP’s designated SAML metadata API URL (for Okta, see “Enterprise Identity Provider | Okta Developer”)
  2. In the “SERVICE PROVIDER” section:
  • On the MetaDefender ICAP console, type your MetaDefender ICAP address in the “HOST OR IP” field; a login redirect URL is auto-generated by MetaDefender ICAP. Copy the full link to proceed.
  • Switch to the Okta IDP console, paste the single sign-on URL, enter the Audience URI, and check the “Use this for Recipient URL and Destination URL” option
  3. “USER IDENTIFIED BY” field:
  • The username can be constructed from attributes set by the IDP, or
  • Defined by the customer on the IDP site

Please review the IDP documentation for more details. For example, for Okta: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm

  4. In the “USER ROLE” section, you can choose a default role that maps to an existing MetaDefender ICAP local role, or create a custom role mapping based on RegEx.

  • Hit the “ADD” button to finish creating the new SSO user directory. By default, the newly created user directory is disabled:
  • Enable it to allow SSO login
  5. Result

After a successful login, you are redirected back to the MetaDefender ICAP Server management console.

Enable Single Logout

Supported since MD ICAP Server v5.13.0. Single Logout must be configured on both the MD ICAP Server side and the Okta IDP side.

MD ICAP Server side

Turn on the "Enable Single Logout" button.

When this is turned on, ICAP will automatically:

  • Enable "Verify Logout Signature from IdP" for enhanced security.
  • Populate the Logout URL based on the configured Login URL.

Depending on the IdP, ICAP may be required to sign the Logout Request (or Logout Response) it sends. For Okta, which specifically requires all incoming SAML logout messages to be signed, you must enable the corresponding signing option in ICAP and provide a valid certificate.

OKTA IDP Side

1. Enable the "Single Logout" feature in "Setting"

2. In the Configure SAML step of the SAML integration configuration, set the SAML Request certificate to match the Signing Key used in ICAP

3. In the GENERAL tab, a Logout section appears. Configure it as follows:

  • Set both Response URL and Logout request URL to the Logout URL provided by ICAP.
  • Set SP Issuer to the Custom entity ID in ICAP.

4. Review and configure the following Okta options according to your organization’s requirements:

  • User is logged out of other participating apps and Okta
  • User logs out of other logout-initiating apps or Okta
  • Include user session details

For best compatibility, enable all three options.

Result

After users click the Sign out button in ICAP (or when their idle session times out):

  • They will be logged out from both ICAP and Okta.
  • Depending on your Okta configuration, they may also be logged out from other integrated applications.

When they next access ICAP, they will be prompted to authenticate with Okta again.
