Connect Okta to PE

Connect Puppet Enterprise (PE) to Okta so that users can log in to PE with their Okta credentials.

These steps assume you're familiar with common SAML terminology and the basic process to Connect a SAML identity provider to PE.

You must have an Okta instance. To test this process, you might request a development instance from the Okta Developer Portal.

Configure the Okta application

Configure settings in Okta to connect your Okta instance to Puppet Enterprise (PE).

Before you begin
Get URLs and the signing and encryption certificate required to connect Okta to PE.
  1. Log in to the Okta Admin Console and navigate to Applications > Applications > Create App Integration.
    The App Integration Wizard starts.
  2. Select SAML 2.0 for the Sign-in method, and click Next.
  3. On the General Settings tab:
    1. Enter Puppet Enterprise for the App name.
    2. Optional: Upload an App logo and select App visibility options.
    3. Click Next.
  4. On the Configure SAML tab:
    1. Paste the SAML assertion consumer service (ACS) URL from PE in the Single sign on URL field.
    2. Paste the SAML metadata URL from PE in the Audience URI (SP Entity ID) field.
    3. Optional: Set the Default RelayState.
    4. Select a Name ID format and Application username.
  5. Click Advanced Settings, and specify parameters that you'll match to service provider configuration options in PE later.
    1. Select options for Response, Assertion Signature, Signature Algorithm, Digest Algorithm, and Assertion Encryption.
    2. Select Allow application to initiate Single Logout, and then paste the SAML Single Logout URL from PE in the Single Logout URL field.
    3. Paste the SAML assertion consumer service (ACS) URL from PE in the SP Issuer field.
    4. For the Signature Certificate, upload the file containing the Signing and Encryption Certificate from PE.
    5. Configure the Assertion Inline Hook, Authentication context class, Honor Force Authentication, and SAML Issuer ID.
    Tip: Take note of the Authentication context class setting. You'll need this value when you configure the Okta connection settings in PE.
  6. Click Next, complete the feedback survey (if desired), and then click Finish.
  7. Copy the URLs and download the certificate from the How to Configure SAML 2.0 for Puppet Enterprise Application page. You'll need this information to connect to Okta in the PE console.
What to do next
Connect to Okta in the PE console

Connect to Okta in the PE console

Configure your Okta integration settings in the Puppet Enterprise (PE) console.

Before you begin
You need the URLs and certificate from the How to Configure SAML 2.0 for Puppet Enterprise Application page (which appears after you Configure the Okta application). You also need to know the values of the Signature Algorithm and Authentication context class settings in Okta.
For more information about PE's SAML configuration fields and their corresponding IdP and RBAC API mappings, refer to the SAML configuration reference and Okta's documentation.
  1. In the console, on the Access control page, click the SSO tab.
  2. Click Configure.
  3. Input a Display Name. This name is visible on the PE home page.
  4. Complete the Identity provider information fields:
    • Identity provider entity ID: Input the Identity Provider Issuer URL from Okta.
    • Identity provider SSO URL: Input the Identity Provider Single Sign-On URL from Okta.
    • Identity provider SLO URL: Input the Identity Provider Single Logout URL from Okta.
    • Identity provider SSO response URL: Optional and can be blank.
    • Identity provider certificate: Paste the entire X.509 Certificate from Okta, including the begin and end tags.
  5. Configure the Service provider configuration options as follows:
    • Name ID encrypted?: Yes
    • Sign authentication requests?: Yes
    • Sign logout response?: Yes
    • Sign logout requests?: Yes
    • Require signed messages?: Yes
    • Require signed assertions?: Yes
    • Sign metadata?: Yes
    • Require encrypted assertions?: No (leave unselected)
    • Require name ID encryption?: No (leave unselected)
    • Requested authentication context: Input the value of the Authentication context class from Okta in the following format:
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    • Requested authentication context comparison: Select minimum
    • Allow duplicated attribute name: No (leave unselected)
    • Validate xml?: No (leave unselected)
    • Signature algorithm: Must match the Signature Algorithm setting you chose in Okta, such as rsa-sha256
  6. Input Organization and Contacts information.
  7. Complete the Attribute binding fields. The values in these fields must exactly match the corresponding fields in Okta.

    These settings define attributes and map them to user information in Okta; PE then uses them to interpret the user information it receives from Okta.

    Your Okta Administrator can provide these details, or you can retrieve them from Okta. Navigate to Applications > SAML General > Advanced settings > Attribute Statements, and then use the values from the Name fields in Okta to populate the Attribute binding fields in PE.

  8. Commit your changes.
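As an added example (this is not Puppet's or Okta's code), the following Python lint checks a PE service-provider configuration against the values in steps 4 and 5 above before you commit it. The configuration is represented as a plain dictionary whose snake_case keys are this example's own names, not PE's internal setting identifiers; the `okta_signature_algorithm` and `okta_authn_context_class` arguments are the values you noted in the Okta application's Advanced Settings. It also checks that the pasted Identity provider certificate is a complete PEM block (both tags present, valid base64, DER payload) and returns its SHA-256 fingerprint for comparison with what the Okta admin console shows. The certificate bytes and both sample configurations are constructed input, not a real certificate or real PE data.

```python
import base64
import hashlib
import re

# Service provider options from the steps above (True = Yes, False = No/unselected).
# The snake_case keys are this example's own names, not PE's internal setting identifiers.
EXPECTED_SP_FLAGS = {
    "name_id_encrypted": True,
    "sign_authentication_requests": True,
    "sign_logout_response": True,
    "sign_logout_requests": True,
    "require_signed_messages": True,
    "require_signed_assertions": True,
    "sign_metadata": True,
    "require_encrypted_assertions": False,
    "require_name_id_encryption": False,
    "allow_duplicated_attribute_name": False,
    "validate_xml": False,
}
AUTHN_CONTEXT_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_idp_certificate(pem_text):
    """Return (problems, sha256_hex) for the certificate pasted into the IdP field.

    The field needs the whole X.509 block including the BEGIN/END tags; the
    SHA-256 fingerprint of the DER bytes is what you compare with the value
    shown in the Okta admin console.
    """
    match = PEM_RE.search(pem_text)
    if not match:
        return ["certificate is missing its BEGIN/END CERTIFICATE tags"], None
    body = re.sub(r"\s+", "", match.group(1))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["certificate body is not valid base64 (truncated paste?)"], None
    problems = []
    # Any DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        problems.append("decoded bytes do not start with an ASN.1 SEQUENCE; not a DER certificate")
    return problems, hashlib.sha256(der).hexdigest()


def lint_sp_config(config, okta_signature_algorithm, okta_authn_context_class):
    """Compare a PE service-provider configuration with the values in the steps above.

    Returns a list of findings; an empty list means the configuration matches.
    """
    findings = []
    for key, expected in EXPECTED_SP_FLAGS.items():
        actual = config.get(key)
        if actual is not expected:
            want = "Yes" if expected else "No (leave unselected)"
            findings.append(f"{key}: expected {want}, got {actual!r}")

    # Requested authentication context must be the full URN form of the Okta class.
    context = config.get("requested_authentication_context", "")
    expected_context = AUTHN_CONTEXT_PREFIX + okta_authn_context_class.rsplit(":", 1)[-1]
    if context != expected_context:
        findings.append(f"requested_authentication_context: expected {expected_context}, got {context!r}")

    if config.get("requested_authentication_context_comparison") != "minimum":
        findings.append("requested_authentication_context_comparison: expected minimum")

    # Okta displays e.g. RSA-SHA256 while PE uses rsa-sha256; compare case-insensitively.
    sig = config.get("signature_algorithm", "")
    if sig.lower() != okta_signature_algorithm.lower():
        findings.append(f"signature_algorithm: {sig!r} does not match Okta's {okta_signature_algorithm}")

    problems, _ = check_idp_certificate(config.get("identity_provider_certificate", ""))
    findings.extend("identity_provider_certificate: " + p for p in problems)
    return findings


# Constructed sample: a minimal ASN.1 SEQUENCE, NOT a real certificate, so the
# example runs offline. In practice, paste the certificate downloaded from Okta.
SAMPLE_IDP_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    + "\n-----END CERTIFICATE-----\n"
)

# Constructed configuration matching the page's recommended values.
HARDENED_CONFIG = {
    **EXPECTED_SP_FLAGS,
    "requested_authentication_context": AUTHN_CONTEXT_PREFIX + "PasswordProtectedTransport",
    "requested_authentication_context_comparison": "minimum",
    "signature_algorithm": "rsa-sha256",
    "identity_provider_certificate": SAMPLE_IDP_CERT_PEM,
}

# Constructed weak variant: unsigned assertions accepted, algorithm differs from
# the one chosen in Okta, and the certificate was pasted without its END tag.
WEAK_CONFIG = {
    **HARDENED_CONFIG,
    "require_signed_assertions": False,
    "signature_algorithm": "rsa-sha1",
    "identity_provider_certificate": SAMPLE_IDP_CERT_PEM.split("-----END")[0],
}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        findings = lint_sp_config(cfg, "RSA-SHA256", "PasswordProtectedTransport")
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it as a script to see the hardened configuration pass and the weak one produce three findings. The flag comparison treats a missing key the same as a wrong value, so a partially filled-in form is reported rather than silently accepted.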
What to do next
Configure RBAC for an Okta integration

Configure RBAC for an Okta integration

In the PE console, connect Okta user groups to PE RBAC roles.

  1. In the console, on the Access control page, click the User roles tab.
  2. Click the Name of the PE role you want to connect to an Okta user group.
  3. On the Member users tab, select the Okta data from the User name drop-down menu, such as $(user.firstName) $(user.lastName).
    The value for this option derives from the Attribute Statements data in Okta. If no such value is available on the drop-down menu, check the Attribute binding settings in PE (refer to Connect to Okta in the PE console for details).
    The Login and Status fields automatically populate after you select the User name.
  4. Switch to the Member groups tab and select the relevant Okta group from the Group name drop-down menu.
  5. Commit the changes.
  6. Repeat to configure additional groups.

Test your Okta SSO connection

Make sure you can log in to PE with Okta.

  1. Log out of PE.
  2. Go to the PE login screen (home page) and click Sign in with Okta SSO.
  3. Log in to PE using your Okta credentials.
Results
If the configuration is correct, you'll be redirected to the PE status page. Make sure you have the correct permissions.