Skip to Content

Integrate Okta SSO with jumpserver

Note: SAML is an authentication mechanism for web applications. It's based on web protocols and it cannot be used for user authentication over SSH.

1. Login to Okta and add the Application

     

 

    

2. Select  SAML 2.0 and click Next

 

 

3. Fill App Name and click next

     

4. Fill in the SAML setting 

       

      

     Click on Next after providing the Single sign-on URL and entity ID in the SAML settings.

 

5. Check  I'm an Okta customer adding an internal app &  This is an internal app that we have created and click Finish 

 

     On the next page you can see the setup instructions.      

 

6. Under Sign On option you can find the metadata URL which you can copy and paste in GUI.

Copy the URL of the page and paste it to the Metadata URL on Ezeelogin GUI > Settings > SAML Metadata URL and click on the Fetch button, it will autofill the SAML settings and Save it.

 

7. Select Directory -> People from the left panel and select Add Person to add a user in OKTA.

 
8. Assign the user to the application by clicking the user in the people tab. 

 
9. Change Web panel Authentication to SAML from Ezeelogin GUI > Settings > General >Authentication

 
10. Enable Auto Create User from Ezeelogin GUI -> Settings -> General -> Security -> Enable Auto Create User

 

12. Login to Ezeelogin GUI with SAML authentication.
 
13. After logging into GUI, you need to reset the password and security code of the SAML user under Account -> Password in order to SSH to Ezsh shell.
 

14. You can log in to Ezeelogin shell via Webssh shell or using any SSH client such as Putty or terminal etc.

WebSSH: Click on the 'Open Web SSH Console' icon to SSH via the browser

WebSSH terminal will open like below. Users can navigate the server group with the Up and Down arrow buttons and enter to login into the server.

 

Native SSH Client: After resetting the password and security code you can SSH to the Ezsh shell (using Terminal or Putty) with the SAML username.

 
15. If you are SSH ing with 2FA  enabled using Putty or Terminal it would prompt you to enter the 2FA codes, The 2FA step can be disabled for SAML Authentication under Settings > Two Factor Authentication> Skip Two Factor Authentication for SAML. The user will be able to ssh without being prompted for the 2FA codes only if the user is logged into the web panel, otherwise if the user is not logged into the webpanel it would prompt for the 2FA codes.
 
We would recommend you use the web ssh shell when you are using SAML authentication. Using a web ssh shell is a lot more convenient as you would not have to worry about the SSH password or the security code for the users.

You need to add a different email address for each user. By default, ezeelogin uses email addresses for creating users. 

If you want to add an existing user in ezeelogin to SSO, Add the user with the exact username, and email address as follows. (Ezeelogin will verify with the email address of the users by default)

         Saml authentication is not supported for slaves if the URL is IP based. If you want to authenticate a slave using SAML you have to use the domain name.

Refer this to Map Okta attributes to Ezeelogin