Follow the steps documented below to integrate your Rafay and Okta Orgs for Single Sign On (SSO).
Only users with "Organization Admin" privileges can configure SSO in the Rafay Console.
Step 1: Create IdP in Rafay
- Log into the Rafay Console as an Organization Admin.
- Click on System and IdPs
- Click on "New IdP"
- Provide a name, select "Okta" from the drop down
- Enter the "domain" for which you would like to enable SSO
- Optionally, toggle "Encryption" if you wish to send/receive encrypted SAML assertions
- Provide a name for the "Group" attribute
- Click on Save & Continue
Encrypting SAML assertions is optional because confidentiality is already provided at the transport layer by HTTPS. Encrypted assertions add a further layer of protection on top, ensuring that only the SP (the Rafay Org) can decrypt the SAML assertion.
Step 2: View SP Details
The Rafay IdP configuration wizard will display critical information that you need to copy/paste into your Okta Org. Provide the following information to your Okta administrator.
- Assertion Consumer Service (ACS) URL
- SP Entity ID
- Name ID Format
Step 3: Create Rafay App in Okta
- Log into your Okta Org as an Administrator
- Select Applications and Create a New App
- Select "SAML 2.0" for Sign on method
- Click on Create
Step 4: General Settings
In step 1 of the application configuration wizard:
- Enter "Rafay Systems" for the application name
- Upload the Rafay Logo
Step 5: Configure SAML
In step 2 of the application configuration wizard:
- Copy/Paste the Rafay ACS URL from Step 2 into the "Single sign on URL"
- Copy/Paste the SP Entity ID from Step 2
- Select "Email Address" in the Name ID format dropdown
In the Group Attribute Statements section:
- Provide the name for the "Group" attribute, select the "Matches regex" filter and enter ".*" as the value.
The "Group" configuration step is critical because it will ensure that Okta will send the groups the user belongs to as part of the SSO process. Rafay uses the group information to transparently map users to the correct group/role. In the illustrative example below, we are using "Rafay" as the name of the group.
Complete the Feedback portion of the Okta app wizard.
Step 6: Specify IdP Metadata
- Copy the "Identity Provider Metadata" URL from the Rafay App
- Navigate back to the Rafay Console's IdP configuration wizard
- Paste the Identity Provider Metadata URL from Okta
- Complete IdP Registration
- Once this process is complete, you can view details about the IdP configuration on the Identity Provider page.
- You can also edit and update the configuration if required.
Step 7: Assign Users and Groups
Once the Rafay and Okta Orgs are integrated using the steps documented above, customers need to create and assign "Groups" in Okta to the Rafay application.
In the example below, the Okta group "RafayOrgAdmins" has been assigned to the Rafay App in Okta. Multiple Okta users can be added/removed from this group.
A group with an identical name needs to be created in Rafay. Ensure that this group is mapped to the appropriate Projects with the correct privileges. In the example below, the Rafay Group "RafayOrgAdmins" is configured as an "Organization Admin" with access to all Projects.
It is important to emphasize that because of SSO via Okta, user lifecycle management can be completely offloaded to the IdP. In the example below, note that there are no users managed in the "RafayOrgAdmins" group because they are all managed in the attached Okta Org.
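As an added example (not Rafay's or Okta's code), the Python sketch below models the mechanics described in Step 5 and Step 7: the Okta "Matches regex" group filter, the group attribute it produces in the SAML assertion, and the mapping of asserted groups onto identically named Rafay groups. The attribute name "Group", the sample users and groups, and the response XML are constructed for the demo; full-match filter semantics and a case-sensitive group match are assumptions, not documented Okta or Rafay behaviour.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def okta_group_statement(user_groups, regex):
    """IdP side: emulate the "Matches regex" group filter from Step 5. With ".*"
    every group the user belongs to is sent; a narrower pattern limits what
    leaves Okta. Modelled here as a full match (assumption)."""
    pattern = re.compile(regex)
    return [g for g in user_groups if pattern.fullmatch(g)]

def build_response(email, groups, group_attr):
    """Constructed, unsigned SAML Response for the demo (not real Okta output)."""
    values = "".join(f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>"
                     for g in groups)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'<saml:Assertion><saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">'
            f'{escape(email)}</saml:NameID></saml:Subject><saml:AttributeStatement>'
            f'<saml:Attribute Name="{escape(group_attr)}">{values}</saml:Attribute>'
            f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')

def parse_assertion(xml_text, group_attr):
    """SP side: extract the NameID (must use the emailAddress format chosen in
    Step 5) and the values of the group attribute. Signature verification is
    out of scope here; a real SP checks it before trusting these values."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")
    path = f".//saml:Attribute[@Name='{group_attr}']/saml:AttributeValue"
    groups = [v.text.strip() for v in root.findall(path, NS) if v.text]
    return name_id.text.strip(), groups

def map_to_rafay_groups(asserted_groups, rafay_groups):
    """Step 7: the user lands in the Rafay groups whose names exactly match
    the asserted Okta groups (case-sensitive match assumed here)."""
    return sorted(set(asserted_groups) & set(rafay_groups))

def sso_login(email, okta_groups, group_filter, rafay_groups, group_attr="Group"):
    """Whole flow: Okta group filter -> SAML assertion -> Rafay group mapping."""
    sent = okta_group_statement(okta_groups, group_filter)
    name_id, asserted = parse_assertion(build_response(email, sent, group_attr), group_attr)
    return name_id, map_to_rafay_groups(asserted, rafay_groups)
```

Running `sso_login("alice@example.com", ["Everyone", "RafayOrgAdmins"], ".*", ["RafayOrgAdmins", "RafayDevelopers"])` shows why the names must match exactly: only "RafayOrgAdmins" is both asserted by Okta and defined in Rafay, so that is the single group the user is placed in.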