Configuring Okta is relatively straightforward.
Please keep in mind that the following instructions are given as an example, and may differ from what is required in your particular situation.
Once you connect to your Okta administration portal, go to the Applications page:
- Select Add Application.
Select Create New App.
Create a new web-based SAML 2.0 Application.
Give your new application a name.
Enter the SAML settings.
Single Sign on URL: https://YOUR SITE URL/saml/saml_login_response
Audience URI: https://YOUR SITE URL/saml/metadata
Enter the SAML Attributes.
The values you decide to use will be dependant on your organization.
Please note that in this example we hard-code
truefor access as we control the availability of the Application elsewhere. We have also decided to add the groups attribute, which we populate with the list of group memberships from either Admin, Artist, or Manager. The user must be part of only one group.
Finish the configuration.
Proceed with the rest of the Okta configuration to determine access to the application and ensure that the proper attributes are sent. This will depend on your organization and how you have decided to set the values for the attributes.
Provide the SSO configuration to your Shotgun Administrators. Click on the View Setup Instructions and provide the informations shown:
SAML 2.0 Endpoint (HTTPS): Identity Provider Single Sign-On URL
Identity Provider Issuer: Identity Provider Issuer
Public Certificate: X.509 Certificate
If instead you download the metadata, you will need to extract:
SAML 2.0 Endpoint (HTTPS): SingleSignOnService Binding Location
Identity Provider Issuer: EntityDescriptor entityID
Public Certificate: X509Certificate
Important note regarding claims renewal
WARNING: The following information is only relevant for Shotgun versions older than 188.8.131.5225.
Shotgun will periodically need to renew the user's claims. To achieve this, Shotgun will connect to the IdP server using an iframe not visible to users. The default configuration of Okta will no permit embedding into an iframe.
There are 2 possible solutions here:
- Configure your Okta server to allow iframe embedding. This is a system-wide option, which can be found in the Admin section, under the 'Settings -> Customization -> General' page.
- Configure Shotgun to use an external pop-up window to renew the user's claims. This can be achieved by adding:
to the SSO Configuration (YAML format), under the SAML Authentication section of the Site Preference page.