Integrate Okta SSO with jumpserver
Integrating Okta Single Sign-On (SSO) with Jumpserver.
Overview: This article describes integrating Okta Single Sign-On (SSO) with Jumpserver, including steps to configure Okta application settings, map SAML attributes, and enable SAML authentication in the Jumpserver GUI.
Note:
SAML is an authentication mechanism for web applications. It's based on web protocols and it cannot be used for user authentication over SSH.
Step 1: Log in to Okta and add the Application.
- Navigate to Applications > Click on Create App Integration.
Step 2: Select the applications.
- Choose SAML 2.0 and click Next.
Step 3: Create SAML integration.
- Fill in the App name and click Next.
Step 4: Fill in the SAML setting in web GUI.
Navigate to settings > SAML. Add single sign-on and entity ID in the configure SAML section.
- Single sign-on URL - Assertion Consumer Service URL( Find it from ezeelogin GUI > Settings > SAML> Assertion Consumer Service URL)
- Audience URI (SP Entity ID) - Entity ID ( Find it from Ezeelogin GU > Settings > SAML> Assertion Consumer Service URL)
- Click on Next after providing the Single sign-on URL and entity ID in the SAML settings.
Step 5: Complete Okta Application Setup.
- Check "I'm an Okta customer adding an internal app" & "This is an internal app that we have created" and click Finish.
- On the next page, you can see the setup instructions.
Step 6: Copy Metadata URL.
- Under the Sign On option, you can find the metadata URL which you can copy and paste into GUI.
- Copy the URL of the page and paste it to the Metadata URL on Ezeelogin GUI > Settings > SAML Metadata URL and click on the Fetch button, it will autofill the SAML settings and Save it.
Step 7: Add Users.
- In Okta Goto Directory -> People from the left panel and select Add Person to add a user in OKTA.
Step 8: Assign users to the application.
- Assign the user to the application by clicking the user in the people tab.
Step 9: Configure JumpServer.
- Change Web panel Authentication to SAML from Ezeelogin GUI > Settings > General > Authentication.
- Enable Auto Create User from Ezeelogin GUI -> Settings -> General -> Security -> Enable Auto Create User.
Step 10: Login to Jump Server.
- Log in to Ezeelogin GUI with SAML authentication.
Step 11: Reset Password and security code.
- After logging into GUI, you need to reset the password and security code of the SAML user under Account -> Password in order to SSH to Ezsh shell.
Step 12: SSH access.
- You can log in to Ezeelogin shell via Webssh shell or using any SSH client such as Putty or terminal etc.
- WebSSH: Click on the 'Open Web SSH Console' icon to SSH via the browser.
- WebSSH terminal will open like below. Users can navigate the server group with the Up and Down arrow buttons and enter to log into the server.
- Native SSH Client: After resetting the password and security code you can SSH to the Ezsh shell (using Terminal or Putty) with the SAML username.
Step 13: Managing 2fa.
- If you are SSHing with 2FA enabled using Putty or Terminal it would prompt you to enter the 2FA codes, The 2FA step can be disabled for SAML Authentication under Settings > Two Factor Authentication> Skip Two Factor Authentication for SAML. The user will be able to ssh without being prompted for the 2FA codes only if the user is logged into the web panel, otherwise, if the user is not logged into the web panel it would prompt for the 2FA codes.
Note:
- You need to add a different email address for each user. By default, Ezeelogin uses email addresses for creating users.
- If you want to add an existing user in Ezeelogin to SSO, Add the user with the exact username, and email address as follows. (Ezeelogin will verify with the email address of the users by default).
- Saml authentication is not supported for slaves if the URL is IP-based. If you want to authenticate a slave using SAML you have to use the domain name.
Related Articles: