Okta Configuration

Warning:

This SSO documentation is intended for local installations only, and is considered legacy functionality. Local installations of Flow Production Tracking are no longer offered. This documentation is only for customers with existing instances of Flow Production Tracking Enterprise Docker. Click here for a list of our current offerings.

Configuring Okta is relatively straightforward.

Note:

Please keep in mind that the following instructions are given as an example, and may differ from what is required in your particular situation.

Once you connect to your Okta administration portal, go to the Applications page:

  1. Select Add Application.

    [Screenshot: Add Application]

  2. Select Create New App.

    [Screenshot: Create New App]

  3. Create a new web-based SAML 2.0 Application.

    [Screenshot: Create New Application]

  4. Give your new application a name.

    [Screenshot: Create SAML Application, General]

  5. Enter the SAML settings.

    Single Sign on URL: https://<YOUR SITE URL>/saml/saml_login_response

    Audience URI: https://<YOUR SITE URL>/saml/metadata

    [Screenshot: Create SAML Application, Settings]

  6. Enter the SAML Attributes.

    login_id

    firstname

    lastname

    email

    access (optional)

    groups (optional)

    The values you decide to use will be dependent on your organization.

    Please note that in this example we hard-code true for access as we control the availability of the Application elsewhere. We have also decided to add the groups attribute, which we populate with the list of group memberships from either Admin, Artist, or Manager. The user must be part of only one group.

    [Screenshot: Create SAML Application, Settings, Claims]

  7. Finish the configuration.

    [Screenshot: Create SAML Application, Finish]

  8. Proceed with the rest of the Okta configuration to determine access to the application and ensure that the proper attributes are sent. This will depend on your organization and how you have decided to set the values for the attributes.

  9. Provide the SSO configuration to your Flow Production Tracking Administrators. Click on View Setup Instructions and provide the information shown:

    SAML 2.0 Endpoint (HTTPS): Identity Provider Single Sign-On URL

    Identity Provider Issuer: Identity Provider Issuer

    Public Certificate: X.509 Certificate

    If instead you download the metadata, you will need to extract:

    SAML 2.0 Endpoint (HTTPS): SingleSignOnService Binding Location

    Identity Provider Issuer: EntityDescriptor entityID

    Public Certificate: X509Certificate

    [Screenshot: Create SAML Application, Setup]
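The two manual tasks above, picking the right values out of the downloaded IdP metadata (step 9) and checking that the attributes an assertion carries follow the rules from step 6, are easy to get subtly wrong: Okta metadata lists two SingleSignOnService bindings, may wrap the certificate over several lines, and a user placed in two groups violates the one-group rule. The following is an added example written for this page, not code from Autodesk or from the Flow Production Tracking product. The metadata document, the `example-tenant.okta.com` URL, the `exkPLACEHOLDER` issuer, the certificate bytes and the attribute values are all constructed placeholders, and the treatment of `access` as a single `true`/`false` string is an assumption.

```python
"""Added example, not part of the Flow Production Tracking documentation.

extract_idp_settings() pulls the three step 9 values out of an Okta-style
SAML 2.0 IdP metadata document; check_saml_attributes() applies the
step 6 attribute rules to decoded assertion attributes.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder: not a real X.509 DER certificate.
PLACEHOLDER_CERT_DER = b"constructed placeholder certificate bytes"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()

# Constructed sample metadata using the element names the page lists
# (EntityDescriptor entityID, SingleSignOnService Binding/Location,
# X509Certificate); the issuer and tenant URL are placeholders.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          {PLACEHOLDER_CERT_B64}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example-tenant.okta.com/app/PLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example-tenant.okta.com/app/PLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_settings(metadata_xml: str, binding: str = HTTP_POST) -> dict:
    """Return sso_url, issuer and certificate from IdP metadata.

    Uses the SingleSignOnService whose Binding matches `binding` and the
    X509Certificate of a KeyDescriptor usable for signing. Raises
    ValueError instead of returning a partial configuration.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    sso_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                    if s.get("Binding") == binding), None)
    if not sso_url:
        raise ValueError(f"no SingleSignOnService with Binding {binding}")

    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no use attribute means both
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # collapse wrapped base64
                break
    if not cert:
        raise ValueError("no signing X509Certificate in metadata")
    base64.b64decode(cert, validate=True)  # catch a mangled copy/paste early
    return {"sso_url": sso_url, "issuer": issuer, "certificate": cert}


REQUIRED_ATTRIBUTES = ("login_id", "firstname", "lastname", "email")
ALLOWED_GROUPS = ("Admin", "Artist", "Manager")


def check_saml_attributes(attrs: dict) -> list:
    """Return problems with decoded assertion attributes (name -> [values]).

    Each required attribute needs exactly one non-empty value; `access`
    (assumed here to be a boolean string) must be 'true' or 'false';
    `groups`, if present, must name exactly one allowed group.
    """
    problems = []
    for name in REQUIRED_ATTRIBUTES:
        values = [v for v in attrs.get(name, []) if v and v.strip()]
        if len(values) != 1:
            problems.append(f"{name}: expected exactly one value, got {len(values)}")
    if "access" in attrs and attrs["access"] not in (["true"], ["false"]):
        problems.append("access: must be a single 'true' or 'false'")
    if "groups" in attrs:
        groups = attrs["groups"]
        if len(groups) != 1:
            problems.append(f"groups: user must be in exactly one group, got {len(groups)}")
        elif groups[0] not in ALLOWED_GROUPS:
            problems.append(f"groups: {groups[0]!r} is not one of {ALLOWED_GROUPS}")
    return problems


# Constructed sample attribute sets: one acceptable, one breaking two rules.
GOOD_ATTRS = {"login_id": ["jdoe"], "firstname": ["Jane"], "lastname": ["Doe"],
              "email": ["jdoe@example.com"], "access": ["true"], "groups": ["Artist"]}
BAD_ATTRS = dict(GOOD_ATTRS, email=[], groups=["Artist", "Manager"])

if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
    print("good:", check_saml_attributes(GOOD_ATTRS))
    print("bad:", check_saml_attributes(BAD_ATTRS))
```

Run it against a real metadata download by replacing `SAMPLE_METADATA` with the file contents; a `ValueError` from `extract_idp_settings` means the document is missing one of the three values the page asks for, which is better caught here than as a failed login later.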

Important note regarding claims renewal

Warning:

The following information is only relevant for Flow Production Tracking versions older than 8.16.0.5225.

Flow Production Tracking will periodically need to renew the user's claims. To achieve this, Flow Production Tracking will connect to the IdP server using an iframe not visible to users. The default configuration of Okta will not permit embedding into an iframe.

There are two possible solutions here:

  1. Configure your Okta server to allow iframe embedding. This is a system-wide option, which can be found in the Admin section, under the 'Settings -> Customization -> General' page.

    Or

  2. Configure Flow Production Tracking to use an external pop-up window to renew the user's claims. This can be achieved by adding:

    saml_claims_renew_iframe_embedding_disabled: true

    to the SSO Configuration (YAML format), under the SAML Authentication section of the Site Preference page.