Overview
This document provides the steps to set up Single Sign-On (SSO) for an application built with Auth0 that uses Okta as the Identity Provider (IdP). The instructions use a sample Node.js Express web app to demonstrate the SSO setup.
By the end of the setup process, the following should be possible:
- Log into the app by visiting the application endpoint and signing in with Okta credentials (SP-initiated flow)
- Log into the app by first logging into Okta directly and then clicking on the application tile (IdP-initiated flow)
Applies To
- Single Sign-On
- Okta IdP
- Auth0 SP
Solution
Prerequisites:
- An environment to build and host a simple Node.js Express application
- An Auth0 tenant (the test application's login will be hosted in this tenant)
- The sample app (hosted locally)
- An Okta org
SSO Using SAML:
AUTH0 TENANT
1. Log into the Auth0 tenant and create a new application, choosing the Regular Web Applications option.
2. Download the sample Node.js application and run the following command to start it. The application should start on port 3000; visit http://localhost:3000 to verify.
   npm install && npm start
OKTA TENANT
3. Go to the Okta Admin Portal and create a new SAML integration from the Applications UI.
4. Provide a name for the application, for example AUTH0-SAML-SSO-APP.
5. Open the Auth0 documentation "Configure Okta as SAML Identity Provider", copy the example values of the Single Sign-On URL and the Audience URI, and paste them into the Configure SAML UI in Okta. Replace {yourAuth0Domain} with the Auth0 tenant's domain, and replace {yourAuth0ConnectionName} with the name that will later be given to the enterprise SAML connection in the Auth0 tenant.
6. Under the Attribute Statements section, add the basic attribute mapping as below. This mapping supplies the attributes needed to create a basic user profile in the Auth0 tenant.
7. Keep the default settings, finish creating the app, and click Save.
8. Create a new user in Okta and assign the new SAML app to this user.
AUTH0 TENANT
9. Go to Applications > Enterprise and create a new SAML enterprise connection.
10. Give the connection exactly the same name as the {yourAuth0ConnectionName} value chosen in Step 5.
11. Copy the value of the Sign On URL from the Okta tenant and paste it into the Sign In URL box. For example:
12. Download the certificate from the Okta tenant and upload it as the X.509 Signing Certificate.
13. Under the Login Experience tab of the SAML connection settings, enable Display connection as a button and provide a value for the Button Display Name field, for example Log in with Okta.
14. Under the Applications tab of the SAML connection settings, enable the connection for the app created in Step 1.
15. Now visit http://localhost:3000 and click Login. You should be redirected to an Okta login page. After providing valid credentials for the user created in Step 8, you should be logged into the app.
IDP Initiated SSO Setup
AUTH0 TENANT
16. Navigate to Authentication > Enterprise and open the SAML connection created in Step 9.
17. Under the IdP-Initiated SSO tab, select Accept Requests and set the Default Application to the app created in Step 1.
18. Select OpenID Connect as the Response Protocol and save the changes.
19. Open the index.js file of the downloaded sample app and add the route below (router is the express.Router() instance the sample already defines).
   router.get('/idpLogin', function (req, res, next) {
     // Auth0 redirects the IdP-initiated login to this route (see the Allowed
     // Callback URLs in the next step). Send the user on to the sample app's own
     // /login route, which starts the Auth0 login flow for the app.
     const authUrl = 'http://localhost:3000/login';
     res.redirect(authUrl);
   });
20. Go to the application's Settings page and add the following values to Allowed Callback URLs:
   http://localhost:3000/idpLogin?connection=saml-okta-test-connection,http://localhost:3000/callback?connection=saml-okta-test-connection
21. Restart the sample application.
22. Now log into the Okta tenant with the user created in Step 8 and click the application tile to initiate SSO.
23. The user should be logged into the application.
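As an added example (not the article's or the sample app's own code), the following is a stricter form of the /idpLogin route described above. Auth0 redirects to this route with the connection query parameter listed in the Allowed Callback URLs, so the route checks that the parameter names exactly the connection this app was configured for (saml-okta-test-connection and http://localhost:3000 are taken from the article) before starting the login, and never copies anything from the incoming request into the redirect target.

```javascript
// Hardened /idpLogin route logic (added example, not from the original article).
// Values below come from the article; adjust them to your tenant's connection
// name and application host.
const EXPECTED_CONNECTION = 'saml-okta-test-connection';
const APP_BASE_URL = 'http://localhost:3000';

// Pure decision function so the route logic can be tested without a server.
// Returns { status, location, reason }.
function idpLoginDecision(requestUrl, expectedConnection = EXPECTED_CONNECTION) {
  const url = new URL(requestUrl, APP_BASE_URL);
  const values = url.searchParams.getAll('connection');
  // Exactly one connection parameter is expected; a missing or repeated one
  // is rejected rather than guessed at.
  if (values.length !== 1) {
    return { status: 400, location: null, reason: 'missing or repeated connection parameter' };
  }
  if (values[0] !== expectedConnection) {
    // The unexpected value is not echoed back to the client.
    return { status: 400, location: null, reason: 'unexpected connection' };
  }
  // Fixed, local target: the sample app's /login route starts the Auth0 login.
  return { status: 302, location: `${APP_BASE_URL}/login`, reason: null };
}

// Express-style (req, res) handler built on the decision above. In the sample
// app this would be the body of router.get('/idpLogin', ...).
function idpLoginHandler(req, res) {
  const decision = idpLoginDecision(req.originalUrl || req.url);
  if (decision.status === 302) {
    return res.redirect(decision.location);
  }
  return res.status(decision.status).send(decision.reason);
}
```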