Okta Example - Create an Application

You need to create an application that Okta will be doing authentication on behalf of.

Note: You must know the addresses of your Lighthouses before creating the application.

  1. In the Okta web console go to Applications - > Applications.

    1. Click Create App Integration.

    2. Select SAML 2.0.

  2. Give the application a name: for example, Lighthouse and click Next.

  3. For the Single sign on URL enter: https://{main lighthouse address}/api/v3.7/sessions/saml/sso/okta

    1. Select: Use this for Recipient URL and Destination URL

    2. Fill out the Other Requestable SSO URLs with the SSO URLs for every Lighthouse address that you want to be able to sign in with, that is, IP addresses and DNS address for both your primary and secondary Lighthouses.

      Example:
      https://{main lighthouse ip}/api/v3.7/sessions/saml/sso/okta
      https://{secondary lighthouse address}/api/v3.7/sessions/saml/sso/okta
      https://{secondary lighthouse ip}/api/v3.7/sessions/saml/sso/okta

  4. For the Audience URI (SP Entity ID) enter lighthouse-okta

  5. Set Name ID format to email.

  6. Set to email.

  7. There are many ways you could configure Okta to populate the LH_Groups attribute, our recommended way is to populate it from and manage it via the user’s Okta groups:

    1. Add a Group Attribute Statement:

      1. Name: LH_Groups.

      2. Name Format: Basic.

      3. Filter: Matches Regex .*

  8. Click Next and finish.

IdP Metadata

  1. Open your Okta application.

  2. Go to More Actions > SAML Metadata. This is the metadata xml file that you will need to configure lighthouse.

Configure Lighthouse

  1. Copy the Identity Provider metadata XML to your primary Lighthouse.

  2. Using saml-idp-metadata on your primary Lighthouse, configure each of your Lighthouses to use your IdP.

For example:

saml-idp-metadata -p {root password} creaUser groupste -m /path/to/okta_metadata.xml -P okta -n "My Okta display name" -l {LH id number}

Groups setup

After this initial setup, you will be able to login as a SAML user.

If you do not already have your own setup in Lighthouse:

  1. Login to Lighthouse as a local user (or any non-SAML user) i.e. root.

  2. Create the User groups with the Roles and permission that you desire.

  3. In Okta go to Directory > Groups.

  4. Click Add Group.

  5. Enter the Group name that matches a Group name on lighthouse.

  6. Open your new group.

  7. Go to Manage Apps.

  8. Search for your lighthouse app and click Assign.

  9. Click Done.

  10. Go to Manage People.

  11. Search for and click on the users you wish to add to the group.

The assigned users are now able to login to Lighthouse with the permission levels which that group grants them.