Configuring Okta as a SAML Identity Provider

This topic explains how to configure single sign-on (SSO) between Okta and Enterprise Pivotal Container Service (Enterprise PKS).

Prerequisites

To configure Okta to designate Enterprise PKS as a service provider, you must have the following:

  • An Okta single sign-on (SSO) admin account
  • An app in Okta with SAML 2.0 enabled

Configure SAML in Okta

To configure Okta as a SAML identity provider for Enterprise PKS, do the following:

  1. Log in to Okta as an admin.

  2. Navigate to your app and click Sign On.

  3. Under Settings, click Edit, and select SAML 2.0.

    (Screenshot: SAML 2.0 radio button)

  4. Click the General tab.

  5. Under SAML Settings, click the Edit button followed by the Next button.

    (Screenshot: Okta SAML configuration)

  6. Configure the fields as follows:

    Single sign on URL: Enter https://PKS-API:8443/saml/SSO/alias/PKS-API:8443.
      For example: https://api.pks.example.com:8443/saml/SSO/alias/api.pks.example.com:8443
    Use this for Recipient URL and Destination URL: Ensure this checkbox is enabled.
    Audience URI (SP Entity ID): Enter PKS-API:8443.
      For example: api.pks.example.com:8443
    Name ID format: Select a name identifier format. By default, Enterprise PKS uses EmailAddress.
    Attribute Statements: Enter any attribute statements that you want to map to users in the ID token.
      In Enterprise PKS you can define first name, last name, and email attributes.
    Group Attribute Statements: Enter any group attribute statements that you want to map to users in the ID token. In Okta, these are the groups that users belong to. You can use filters to define which groups are passed to Enterprise PKS.

    Note: Pivotal recommends using the default settings for the fields that are not referenced in the above table.

  7. Click the Next button followed by the Finish button.

  8. (Optional) If you want to enable multi-factor authentication (MFA), you can add an SSO policy rule to your app. To enable MFA, follow the procedure in Add Sign On policies for applications in the Okta documentation.

  9. Click Identity Provider metadata to download the metadata, or copy and save the link address of the Identity Provider metadata.

    (Screenshot: Identity Provider metadata link)

  10. Use the Okta metadata you retrieved in the above step to configure SAML in the Enterprise PKS tile. See Configure SAML as an Identity Provider.
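The following is an added example, not part of the original Pivotal documentation or the PKS tile: it derives the two PKS-specific values from step 6 for a given PKS API hostname, and parses downloaded Okta IdP metadata to confirm it carries an HTTP-POST SSO endpoint and a signing certificate before you paste it into the tile. The hostname and the metadata document below are constructed samples; the certificate body is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def pks_sp_settings(pks_api_host, port=8443):
    """Values to type into Okta's SAML settings for a given PKS API hostname."""
    sp = f"{pks_api_host}:{port}"
    return {"single_sign_on_url": f"https://{sp}/saml/SSO/alias/{sp}",
            "audience_uri": sp}


def check_idp_metadata(metadata_xml):
    """Pull the entity ID, HTTP-POST SSO endpoint and signing-cert presence
    out of Okta IdP metadata so they can be reviewed before upload."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_POST:
            sso_url = sso.get("Location")
    # A KeyDescriptor with use="signing" (or no use attribute) must carry a
    # certificate; without it the service provider cannot verify assertions.
    has_signing_cert = any(
        kd.get("use", "signing") == "signing"
        and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        for kd in idp.findall("md:KeyDescriptor", NS))
    return {"entity_id": root.get("entityID"), "sso_post_url": sso_url,
            "has_signing_cert": has_signing_cert}


# Constructed sample shaped like Okta metadata; the cert body is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://www.okta.com/EXAMPLE-IDP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/EXAMPLE-APP/EXAMPLE-IDP-ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(pks_sp_settings("api.pks.example.com"))
    print(check_idp_metadata(SAMPLE_METADATA))
```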

Please send any feedback you have to pks-feedback@pivotal.io.