Integrate Okta SSO with jumpserver

272 Manu Chacko September 15, 2023 Tweaks & Configuration 3855

Note: SAML is an authentication mechanism for web applications. It's based on web protocols and it cannot be used for user authentication over SSH.

1. Login to okta and add Application

2. Select SAML 2.0 and click Next

3. Fill App Name and click next

4. Fill the SAML setting

Single sign on URL - Assertion Consumer Service URL ( you can find it from ezeelogin GU > Settings > SAML> Assertion Consumer Service URL)

Audience URI (SP Entity ID) - Entity ID ( you can find it from ezeelogin GU > Settings > SAML> Assertion Consumer Service URL)

Click on Next after providing the Single sign on URL and entity ID in the SAML settings.

5. Check I'm an Okta customer adding an internal app & This is an internal app that we have created and click Finish

On the next page you can see the setup instructions.

6. You can copy paste the settings found in setup instructions to Ezeelogin GUI > Setting > SAML

Or you can click on the Identity Provider metadata, then it will open a page containing metadata.

Copy the URL of the page and paste it to Metadata URL on Ezeelogin GUI > Settings > SAML Metadata URL and click on the Fetch button, it will autofill the SAML settings and Save it.

7. Select Directory -> People from left panel and select add person to add user in OKTA.

8. Activate and assign user to application by clicking user in people tab.

9. Change Web panel Authentication to SAML from Ezeelogin GUI > Settings > General >Authentication

10. Enable Auto Create User from Ezeelogin GUI -> Settings -> General -> Security -> Enable Auto Create User

12. Login to Ezeelogin GUI with SAML authentication .

13. After logging into GUI, you need to reset the password and security code of the SAML user under Account -> Password in order to SSH to Ezsh shell.

14. You can log in to Ezeelogin shell via Webssh shell or using any SSH client such as Putty or terminal etc.

WebSSH: Click on the 'Open Web SSH Console' icon to SSH via the browser

WebSSH terminal will open like below. Users can navigate the server group with the Up and Down arrow buttons and enter to login into the server.

Native SSH Client: After resetting the password and security code you can SSH to the Ezsh shell (using Terminal or Putty) with the SAML username.

15. If you are SSH ing with 2FA enabled using Putty or Terminal it would prompt you to enter the 2FA codes, The 2FA step can be disabled for SAML Authentication under Settings > Two Factor Authentication> Skip Two Factor Authentication for SAML. The user will be able to ssh without being prompted for the 2FA codes only if the user is logged into the web panel, otherwise if the user is not logged into the webpanel it would prompt for the 2FA codes.

We would recommend you to use the webssh shell when you are using SAML authentication. Using webssh shell is a lot more convenient as you would not have to worry about the SSH password or the security code for the users.

Set up webssh console in Ezeelogin and ssh via browser

You need to add different email address for each users. By default ezeelogin uses email address for creating users.

If you want to add an existing user in ezeelogin to SSO, Add the user with exact username, email address as follows. (Ezeelogin will verify with the email address of the users by default)

Saml authentication is not supported for slave if the URL is IP based.If you want to authenticate slave using saml you have to use domain name.