This guide demonstrates the step-by-step process for creating a new application in Okta capable of communicating via SAML 2.0 with Axur Platform services. In this guide, we will cover all the necessary configurations to ensure that Single Sign-On (SSO) works correctly and as expected.
Before you start
Ensure you can access your organization’s account hosted on Okta. Typically, the access URL has the format
https://<YOUR_ORGANIZATION>.okta.com
When performing the configurations, make sure that the data you are copying or typing in the indicated locations is correct. Incorrect data entry can cause problems later when we test our application.
Groups, users, and assignments
All Axur Platform SSO application creation tutorials rely on the concepts of users and groups: the identity provider is where all your user information is stored, together with the groups those users belong to (creating groups via the provider is optional). This section therefore explains how to create groups and users in Okta, and how to assign users to groups.
Creating a group (Optional)
This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you desire, you can skip the sections on Creating a group, Assigning a group to a user, and Mapping user groups.
Follow the step-by-step instructions in the images to create a new group:
| Suggested name | Group description |
| --- | --- |
| Axur Viewer | Users in this group will have access to the Axur Platform, with the ability to view all ticket, result, and invoice information, but cannot perform any actions. |
| Axur Analyst | Users in this group will have access to the Axur Platform and, in addition to viewing all information, can perform non-billable actions (all except Takedown requests). |
| Axur Expert | Users in this group will have access to the Axur Platform and, in addition to performing non-billable actions, can also request Takedowns. |
| Axur Manager | Users in this group will have access to the Axur Platform and can perform all actions (non-billable and billable) and also view activities performed by their users in the Axur Platform. |
| Axur Custom | Users in this group have a personalized set of capabilities. When they are created, the manager can decide what their capabilities will be. |
For the Axur Platform to recognize them correctly via SAML, it will also be necessary to create groups with the exact names that the platform expects, as shown in the table below. Later, we will create a mapping between them.
| Desired value | Group |
| --- | --- |
| | Axur Viewer |
| | Axur Analyst |
| | Axur Expert |
| | Axur Manager |
| | Axur Custom |
This strategy is useful for organizational purposes. The first groups you created (e.g., Axur Platform Viewer) can be easily identified as belonging to the Axur Platform in your Okta searches. Later, you will see that we will create a mapping so that whenever we receive a login from a user in the Axur Platform Viewer group, for example, the group transmitted to the platform is converted to its respective desired group (one-viewer in this case).
Creating a user
To create a user, follow the step-by-step instructions in the images:
Follow the same process to create more users if you wish.
Assigning a group to a user (Optional)
This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you desire, you can skip the sections on Creating a group, Assigning a group to a user, and Mapping user groups.
To assign a group to a user you created, follow the step-by-step instructions in the images:
Add as many users as you like.
Creating a new application
With access to the Okta Dashboard, follow the step-by-step instructions in the images to create a new application. The process is sequential, but we are dividing it into sections to improve understanding. It is a simple and easy-to-follow interface.
Continue to the next section.
Sending Axur Platform data to Okta
For the SSO process to work smoothly, Okta needs to know which service it will be communicating with.
The first section of the app creation form therefore asks for data that identifies the Axur Platform, so that the two sides can communicate via the SAML protocol.
These are the values you will need (they are fixed and must be entered exactly as shown):
| Field | Value |
| --- | --- |
| ACS URL | |
| Entity ID | |
Fill in the fields as indicated in the image. Ensure that all values shown in the example image are filled in, including the Name ID format and Application username fields, in addition to those listed in the table above. Other fields not indicated can usually be left with their default values or empty, unless your organization has specific requirements.
Mapping user attributes
By using Okta as our provider, we are leveraging the credentials that are already stored and managed by Okta, and these credentials are stored in the format defined by the provider. However, to communicate with the Axur Platform using SAML, it’s necessary that user data is sent in a standardized way. Think of it this way: We need to ensure that the Axur Platform always receives the user’s email attribute in the same format regardless of whether this data comes from Okta or any other provider. Different providers store their data in different ways, and mappings solve this problem!
Continue in the new application creation menu, and use the values indicated in the table to fill in the user attribute mapping section. Enter the first value (Name) manually, as it is a URL. The other fields can be selected from the dropdown. Simply ensure that the values in your application match those in the image!
| Name | Name Format | Value |
| --- | --- | --- |
| | Basic | |
| | Basic | |
| | Basic | |
If you decided not to create groups in Okta for this application, do not fill in the group mapping values that may appear below this user attributes section. Continue the new app creation process, clicking the appropriate button to proceed. Okta may present a final feedback step, which is usually optional and can be skipped. After that, you can finalize your app creation process.
Mapping user groups (Optional)
This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you desire, you can skip the sections on Creating a group, Assigning a group to a user, and Mapping user groups.
Just like user attributes, we also have groups, which bring users together according to some specific criteria. These groups are created by the administrator in Okta, and as explained in the previous section, it is necessary to create a mapping so that this data is transmitted to the Axur Platform in a standardized way, regardless of the provider.
Follow the images to create group mappings in the Okta settings, and use the values from the table to perform your configuration:
| Name | Name Format | Value |
| --- | --- | --- |
| | Unspecified | |
The filter pattern (one-.*) ensures that every group whose name begins with the one- prefix expected by the Axur Platform (e.g., one-viewer, one-manager) is included in the assertion.
Continue the new app creation process, clicking the appropriate button to proceed. Okta may present a final feedback step, which is usually optional and can be skipped. After that, you can finalize your app creation process. For group attribute mapping to work correctly, one more thing will be necessary.
In the group creation section, you created two groups for each existing profile on the Axur Platform (e.g., Axur Platform Viewer -> one-viewer). Now we will create a rule that automatically associates users from the first group to the second, so that everything works normally on the platform. Follow the step-by-step instructions in the images to do this:
Obtaining Okta provider data
Since we are using Okta as our identity provider, the Axur Platform needs some information that tells it who it will be communicating with and lets it verify that the assertions it receives are genuine.
When accessing the application you created for the Axur Platform, click on the Sign On tab. As shown in the image, there is a section with a URL indicating where the provider's metadata is located; we will use it later in the tutorial. Copy this link and save its value in a note so that it is at hand when needed.
Assigning groups/users to the application
Now all that remains is to assign users or groups to the new application you created. Follow the step-by-step instructions in the images to do this.
For group:
For users directly:
Some common errors
If the login does not work, the cause is usually in one of three places:
The Service Provider (SP) information (Axur Platform in this case). Verify the data from the corresponding section and ensure it matches exactly.
The Identity Provider (IdP) information (Okta in this case). Verify that the link you copied redirects to the metadata file correctly.
The application access information. Verify the assignments of groups or direct users.
Specific errors
| Error | Description | How to Resolve |
| --- | --- | --- |
| Non Authorized IdP or expired IdP login | Unauthorized IdP or expired session | Check the Federation Metadata and the IdP. |
| Missing value for string parameter [email claim] | Missing or empty email claim | Make sure the email attribute is correctly configured in the IdP. |
| Redirection error | Incorrect endpoint URL in the IdP | Check whether the endpoints are correctly configured. |
| Local entity is not the intended audience of the assertion in at least one AudienceRestriction | The assertion was not intended for the SP | Check if the entityId configured in the app is set to com:axur:sso. |
| Authentication statement is too old to be used with value {date} | The authentication statement has expired | The IdP session duration exceeds 7 days. Contact support to adjust it. |
| Validation of protocol message signature failed | The signature of the SAML message is invalid | Verify that the Federation Metadata was correctly provided. |
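As an added illustration (not Axur's or Okta's code), the following Python applies the SP-side checks behind the error messages in the table above, plus the one-.* group filter from the group mapping section, to a constructed assertion. The attribute names email and groups are assumptions, since the guide does not show them, and signature verification is not covered.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "com:axur:sso"        # entityId named in the "Specific errors" table
MAX_AUTHN_AGE = timedelta(days=7)          # "too old" threshold named in the same table
GROUP_PATTERN = re.compile(r"^one-.*$")    # group filter pattern from the group mapping section
# Assumed attribute names: the guide does not show the Name column of the attribute tables.
EMAIL_ATTR = "email"
GROUPS_ATTR = "groups"

def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-10T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text: str, now_iso: str) -> dict:
    """Apply the SP-side checks behind the guide's error messages to one assertion.
    Returns the errors found plus the email and filtered groups the SP would use."""
    root, now, errors = ET.fromstring(xml_text), _ts(now_iso), []
    # AudienceRestriction: the assertion must be addressed to the Axur Platform entityId
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        errors.append("Local entity is not the intended audience of the assertion")
    # AuthnStatement age: an IdP session older than 7 days is rejected
    authn = root.find(".//saml:AuthnStatement", NS)
    if authn is None or now - _ts(authn.get("AuthnInstant")) > MAX_AUTHN_AGE:
        errors.append("Authentication statement is too old")
    # Attributes: email must be present and non-empty; groups are filtered by one-.*
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS) if v.text]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    email = (attrs.get(EMAIL_ATTR) or [None])[0]
    if not email:
        errors.append("Missing value for string parameter [email claim]")
    groups = [g for g in attrs.get(GROUPS_ATTR, []) if GROUP_PATTERN.match(g)]
    return {"errors": errors, "email": email, "groups": groups}

# Constructed sample assertion (not captured from Okta); signature elements are omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>com:axur:sso</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2024-01-10T12:00:00Z"/>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>one-viewer</saml:AttributeValue>
   <saml:AttributeValue>Everyone</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""
```

Calling check_assertion(SAMPLE, "2024-01-12T09:00:00Z") returns no errors, the email, and only the one-viewer group; shifting the clock past 7 days, changing the audience, or renaming the email attribute reproduces the corresponding error from the table.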
This concludes the necessary configurations in the Okta provider. Return to the configuration guide on the platform to finalize the creation of your application.
If you have any questions, feel free to reach out at [email protected] 😊