Description: Configure Forward App and VM to use Okta as SSO IDP
Date Tested: 5/1/2020
Version: 2.42.2-01
- Enable SSO Authentication in the Forward Networks Accounts section
- Log in to Okta and click Applications > Applications. Create an application with Web as the platform and SAML 2.0 as the sign-on method
- Configure SAML
a. Enter any text under Single sign-on URL and SP Entity ID
b. Select Persistent for Name ID format
- Select “I’m an Okta customer adding an internal app”
- In the next page (App sign on page), click on View Setup Instructions under Sign on Methods. Copy the following:
a. Okta’s #1 Identity Provider Single Sign-On URL to FN’s SSO redirect URL
b. Okta’s #2 Identity Provider Issuer to FN’s SAML Entity Id
c. Okta’s #3 X.509 Certificate to FN’s X509 signing certificate
- On VMs, the Identity provider name field is available to be shown on the login page
- Set the default Network Permission for SSO users in FN (Restricted, RO, Admin)
- Assign a custom name to be displayed on the login page (e.g. Okta, Acme). Upon completion, the SAML metadata is generated. (Cloud users only: this case-sensitive custom name has to be entered during login, because the Forward app has multiple orgs and needs to differentiate between them.)
- On Okta, go to your application’s General settings page and update the SAML settings: Edit > Configure SAML
- Update the SSO URL and SP Entity ID fields with the correct entries from the metadata generated by FN.
a. Copy the EntityDescriptor Entity ID value from the metadata file to Audience URI (SP Entity ID) in Okta
b. Copy the AssertionConsumerService Location value from the metadata file to Single sign on URL in Okta
- In the application you just created, go to the Assignments tab
- Click on the green Assign button and assign the appropriate users
- Log in to the Forward Networks portal