Steps involved
- Create Initial application on OKTA
- Configure Forward Enterprise with the details from OKTA
- Update the OKTA application with the details from Forward Enterprise
- Integrate OKTA with Active Directory [Optional]
- Assign users to the application
Step 1: Create Initial application on OKTA
- Sign in to OKTA
- Switch to “Admin” mode
- From the “Applications” menu, select “Applications” and choose “Add Application”
- Choose the type of application as “SAML 2.0”
- Enter a name for the application.
- Enter temporary values for “Single sign on URL” and “Audience URI (SP Entity ID)”. These are placeholder URLs and will be replaced with the real Forward values in Step 3.
- Download the OKTA certificate. This is a Base64 (PEM) encoded certificate and can be opened with Notepad or TextEdit. It is the signing certificate Forward will use to verify the signature on Okta's SAML responses.
- Select “I’m an Okta customer adding an internal app” and check “This is an internal app that we have created” under “App type”.
- The application has now been created at OKTA. The next step is to add the OKTA URLs to the Forward Platform. Select “View Setup Instructions”.
- The new window lists the details that will be mapped to the Forward application. Note that the “X.509 Certificate” shown here is the same one downloaded in the previous step; either copy can be used to configure the application.
Step 2: Configure Forward Enterprise with the details from OKTA
- Log in to the Forward application (or VM), navigate to “Settings => Accounts => Single Sign-On (SSO)” and turn on “SSO authentication”.
- Follow the mapping below to finish step 2.
Forward Entity | OKTA Entity | Note |
SSO redirect URL | Identity Provider Single Sign-On URL | The OKTA URL that Forward redirects the browser to for authentication |
X509 signing certificate | X.509 Certificate | Copy/paste the entire content, from the “BEGIN CERTIFICATE” line to the “END CERTIFICATE” line, including the “-----” characters |
SAML entity ID | Identity Provider Issuer | The issuer string OKTA places in its SAML responses; Forward rejects a response whose issuer does not match this value |
Identity provider name | (none) | Any name that identifies the external authentication provider to users |
Network Permissions | (none) | Default permission granted to a user when they log in through SSO |
- Copy the “Metadata” to be used in the next step.
Step 3: Update OKTA application with the details from Forward Enterprises
- Log in to OKTA, navigate to “Directory => Profile Editor” and click on “Profile”.
- Click on the application logo on the top-right
- Navigate to the “General” tab and click on “Edit” under “SAML Settings”.
- Replace the “Single sign on URL” and “Audience URI (SP Entity ID)” with the data from Forward Enterprise “Metadata” downloaded in the previous step.
- Follow the mapping below to finish step 3.
OKTA Entity | Forward Entity | Note |
Single sign on URL | AssertionConsumerService, Location | Copy/Paste the value without the quotes |
Audience URI (SP Entity ID) | EntityDescriptor, entityID | Copy/Paste the value without the quotes |
Step 4: Integrate OKTA with Active Directory [Optional]
- Log in to the OKTA admin console, navigate to “Directory => Directory Integrations”, click on “Add Directory” and select “Add Active Directory”.
- Click on “Set Up Active Directory” and download the agent.
- Install the agent on any system already joined to the Active Directory domain.
- The following information is required to complete this step:
- Active Directory DNS domain name
- User ID and password of an AD domain account with minimal permissions (“Domain Users” membership is sufficient) [Service Account]
- The Okta agent runs as a Windows service under the user ID provided above. If the service account password is rotated later, the password stored for that service must be updated as well (under Services).
- Log in to Okta, navigate to “Directory => Directory Integration” and select the Active Directory domain.
- Navigate to the “Import” section and choose “Import Now”.
- Select the user and confirm assignments.
Step 5: Assign users to the application
Note: users cannot log in until they are assigned to the application.
- Log in to OKTA, navigate to “Directory => Profile Editor” and click on “Profile”.
- Click on the application logo on the top-right.
- Navigate to the “Assignments” tab and click on “Assign”.
- Choose “Assign to People” and select the user.
Troubleshooting:
Issue #1: “404 PAGE NOT FOUND”
Error:
- “404 PAGE NOT FOUND” when you click on the OKTA login
Possible Issues:
- Ensure “SSO redirect URL” in Forward application matches “Identity Provider Single Sign-On URL” on Okta.
Issue #2: “Sorry, you can't access FWD-10 because you are not assigned this app in Okta.”
Error:
- “Sorry, you can't access FWD-10 because you are not assigned this app in Okta.”
Possible Issues:
- Ensure the user is assigned to the application.
Issue #3: “SAML validation failed. Response issuer 'http://www.okta.com/exkb17290191s1236x' doesn't match...”
Error:
- “SAML validation failed. Response issuer 'http://www.okta.com/exkb17290191s1236x' doesn't match 'http://www.okta.com/exkb17290191s1236x'. Contact your Org admin to resolve the issue.”
Possible Issues:
- Ensure that “SAML entity ID” in Forward application matches “Identity Provider Issuer”
Issue #4: “Assertion 'id20367259921980270532999002' with NotBefore condition of '2020-05-05T16:39:17.977Z' is not yet valid”
Error:
- “Assertion 'id20367259921980270532999002' with NotBefore condition of '2020-05-05T16:39:17.977Z' is not yet valid”
Possible Issues:
- Possible clock skew: the assertion's NotBefore time is later than the Forward VM's current time. Ensure that the clock on the VM is correct. The Forward VM has “VM tools” installed and automatically syncs its clock to the hypervisor, so also check that the hypervisor's clock is correct.
Issue #5: “Unable to sign in” when trying to login with Active Directory user or OKTA users
Error:
- “Unable to sign in” when trying to log in with an Active Directory user or an OKTA user
Possible Issues:
- Check that the account is activated in OKTA: from the “Admin” section, navigate to “Directory => People” and ensure the user shows as Active in the “Status” column.
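The copy/paste mapping in Steps 2 and 3 and troubleshooting issues #3 and #4 above can be checked offline before anyone clicks the login button. The following Python script is an added example, not Forward Networks' or Okta's code: it parses a constructed Forward SP metadata file to recover the two values Okta needs (the entityID and the AssertionConsumerService Location), checks that a pasted X.509 block still has both “-----” lines and decodes as DER, and compares a constructed, unsigned Okta SAML response against the configured issuer, ACS URL, audience and the VM's clock with a small tolerance for skew. The host names, paths, the app identifier in the issuer URL and the certificate stub are hypothetical. The script does not verify the XML signature; that remains the job of the Forward application.

```python
"""Offline sanity checks for the Okta <-> Forward Enterprise SAML settings.

Added example, not Forward's or Okta's code. It does NOT verify the XML
signature; it only checks the fields the steps above ask you to copy
between the two consoles and that the troubleshooting section reports on.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata in the shape of the Forward "Metadata" download
# (Steps 2 and 3). Host name and paths are hypothetical.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://fwd.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fwd.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned SAML response as Okta would POST it to the ACS URL.
# The issuer uses a hypothetical Okta app id, not the one from the page.
OKTA_ISSUER = "http://www.okta.com/exkEXAMPLEAPPID"
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id1" Destination="https://fwd.example.com/saml/acs">
  <saml:Issuer>{OKTA_ISSUER}</saml:Issuer>
  <saml:Assertion ID="id2">
    <saml:Issuer>{OKTA_ISSUER}</saml:Issuer>
    <saml:Conditions NotBefore="2020-05-05T16:39:17.977Z" NotOnOrAfter="2020-05-05T16:49:17.977Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://fwd.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def utc(*args):
    """Build a timezone-aware UTC datetime (what the VM clock 'thinks' now is)."""
    return dt.datetime(*args, tzinfo=dt.timezone.utc)


def parse_sp_metadata(xml_text):
    """Step 3: pull the two values Okta needs out of the Forward metadata."""
    root = ET.fromstring(xml_text)
    acs = root.find(".//md:AssertionConsumerService", NS)
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location")}


def pem_certificate_complete(text):
    """Step 2: the pasted X.509 block must keep both '-----' lines and decode as DER."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN CERTIFICATE-----":
        return False, "missing BEGIN line"
    if lines[-1] != "-----END CERTIFICATE-----":
        return False, "missing END line (paste was cut short)"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return False, "body is not valid base64"
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
        return False, "decoded body is not a DER SEQUENCE"
    return True, "ok"


def parse_saml_time(value):
    """SAML timestamps are UTC ('Z'), with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)


def check_response(response_xml, expected_issuer, sp, now, skew=dt.timedelta(seconds=60)):
    """Return a list of mismatches; an empty list means the copied settings agree.

    expected_issuer: the "SAML entity ID" configured in Forward (Step 2).
    sp: output of parse_sp_metadata (what was pasted into Okta in Step 3).
    now: the Forward VM's idea of the current time (Issue #4).
    """
    root = ET.fromstring(response_xml)
    findings = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"Issue #3: response issuer {issuer!r} does not match "
                        f"configured SAML entity ID {expected_issuer!r}")
    destination = root.get("Destination")
    if destination != sp["acs_url"]:
        findings.append(f"Step 3: Destination {destination!r} is not the ACS URL "
                        f"{sp['acs_url']!r} pasted as Okta's 'Single sign on URL'")
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != sp["entity_id"]:
        findings.append(f"Step 3: Audience {audience!r} is not the entityID "
                        f"{sp['entity_id']!r} pasted as Okta's 'Audience URI'")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        findings.append("assertion has no Conditions element")
        return findings
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        findings.append(f"Issue #4: NotBefore {cond.get('NotBefore')} is not yet valid; "
                        f"local clock is about {not_before - now} behind Okta")
    if now - skew >= not_on_or_after:
        findings.append(f"assertion expired at {cond.get('NotOnOrAfter')}; "
                        f"local clock is ahead of Okta or the response was replayed")
    return findings


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    vm_clock = utc(2020, 5, 5, 16, 30)  # VM running nine minutes slow
    for finding in check_response(SAML_RESPONSE, OKTA_ISSUER, sp, vm_clock):
        print(finding)
```

Run it against the real metadata file and a SAML response captured from the browser (the SAMLResponse form field, Base64-decoded) with `now` taken from the Forward VM: an empty list means the values copied between the two consoles agree and the clock is within tolerance; each finding names the step or troubleshooting issue to revisit.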