Summary
This article covers how to set Up SSO integration via SAML:
Step 1: Set up Google as a SAML identity provider (IdP)
- In your Google Admin console (at admin.google.com), go to “Apps” > “Web and mobile apps”.
- Click “Add app” > “Search for apps”.
- Click on “Add custom SAML app”.
- Write “Opster” in the App name field.
- Download the Opster.png image, then click on the app icon and select the image you have just downloaded to set this as the app icon.
- Click “Continue”.
- On the Google Identity Provider details page, download the IDP metadata and continue to the next step.
- On the Service provider details page, set:
- ACS URL as: https://api.opster.io/login/sso/saml/init
- Entity ID as: https://raw.githubusercontent.com/opster/opster-k8s/master/metadata.xml
- Check the “Signed response” checkbox.
- Enter EMAIL in the “Name ID format” field and click “Continue”.
- On the Attribute Mapping page, map Google directory attributes to corresponding application attributes:
- Click “Add Mapping”.
- Click the “Select field” menu and select “First name” as the Google directory attribute and the “displayname” as the app attribute.
- Click the “Select field” menu and select “Primary email” as the Google directory attribute and the “emailaddress” as the app attribute.
- (Optional) If you want to send a user’s group membership information in the SAML response, enter the group names that are relevant for this app in the Group membership field.
- Under Google groups, click in the Search for a group entry field.
- Type one or more letters of the group name.
- Choose the group name from the dropdown list.
- Add additional groups as needed (total groups cannot exceed 75).
- Under App attribute, enter the service provider’s corresponding groups attribute name.
- Note: Regardless of how many group names you enter, the SAML response will only include groups that a user is a member of (directly or indirectly). For more information, see About group membership mapping.
- On the Attribute mapping page, click “Finish”.
Step 2: Set up Opster as a SAML 2.0 service provider (SP)
- Open a new incognito browser window.
- Sign in to Opster.
- Navigate to Settings -> Account
- Under the SAML section:
- Click on the “+” sign to create a new integration.
- Select “Google” as the vendor name.
- Click “Browse” to upload the IdP Metadata file you have downloaded in Step 1 above and click “Save”.
Step 3: Enable Opster app
- In your Google Admin console (at admin.google.com), go to Apps > Web and mobile apps.
- Select the Opster SAML app.
- Click “User access”.
- To turn service on or off for everyone in your organization, click “On for everyone” or “Off for everyone”, and then click “Save”.
- (Optional) To turn a service on or off for an organizational unit:
- On the left, select the organizational unit.
- To change the Service status, select “On” or “Off”.
- Choose one:
- If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click “Override”.
- If the Service status is set to Overridden, either click “Inherit” to revert to the same setting as its parent, or click “Save” to keep the new setting, even if the parent setting changes.
Note: Learn more about organizational structure.
- (Optional) Turn on the service for a group of users.
Use access groups to turn on a service for specific users within or across your organizational units. Learn more - Ensure that your Opster user account email IDs match those in your Google domain.
Step 4: Verify that the SSO is working
Opster supports Identity Provider (IdP) initiated SSO.
Follow these steps to verify SSO in either mode:
IdP-initiated
- In your Google Admin console (at admin.google.com), go to Apps > Web and mobile apps.
- Select Opster SAML.
- At the top left, click Test SAML login.
Opster should open in a separate tab. If it doesn’t, use the information in the resulting SAML error messages to update your IdP and SP settings as needed, then retest SAML login.
Okta
Step 1: Set up Okta as a SAML identity provider (IdP)
- Sign in to your Okta tenant as an administrator.
- Navigate to Applications > Applications.
- Click “Create App Integration”.
- In the Create a new app integration dialog, choose SAML 2.0 and click “Next”.
- Enter Opster as the App name.
- Download the Opster.png image and set it as the app icon.
- In the Configure SAML step, in the SAML Settings section, enter values for:
- Single sign on URL -> https://api.opster.io/login/sso/saml/init
- Audience URI -> ${org.externalKey}
- Select “EmailAddress” on “Name ID format” dropdown.
- On the “Attribute Statements” add 2 attributes:
- Name -> displayname, Name format -> Basic, Value -> user.firstName
- Name -> emailaddress, Name format -> Basic, Value -> user.email
- Click “Next”.
- On the last page, select “I’m an Okta customer adding an internal app”, and click “Finish”.
- Navigate to Applications > Applications.
- Click on the name of the newly added application.
- Select the “Sign On” tab.
- On the right side of the page, click on the “View SAML setup instructions” link under the SAML Setup section.
- The SAML info should open in a separate tab. On the bottom of the page there will be the textbox IDP metadata value, you can copy and save it to a file named OKTAIDPMetadata.xml.
Step 2: Set up Opster as a SAML 2.0 service provider (SP)
- Open a new incognito browser window.
- Sign in to Opster.
- Navigate to Settings -> Account
- Under the SAML section:
- Click on the “+” sign to create a new integration.
- Select “OKTA” as the vendor name.
- Click “Browse” to upload the IdP Metadata file you downloaded in Step 1 above and click “Save”.
Step 3: Verify that the SSO is working
Follow these steps to verify SSO.
IdP-initiated
- In your Okta tenant.
- Go to Applications > Applications.
- Select the “Opster SAML App”.
- Select the “Assignments” tab.
- Click on the Assign dropdown and click on “Assign to People”.
- Assign a non-admin user and click “Done”.
- Open an incognito tab and log in to OKTA with the user you assigned on the previous step.
- Click on the Opster app.
- Opster should open in a separate tab.
Azure
Step 1: Set up Azure as a SAML identity provider (IdP)
- In your admin console (https://portal.azure.com/), go to “Azure Active Directory”.
- Select “Enterprise Applications” from the sidebar.
- Click “New Application”, then click “Create your own application”.
- Enter ״Opster״ in the App name field.
- Choose “Integrate any other application you don’t find in the gallery (Non-gallery)”, and click “Create”.
- Download the Opster.png image to your computer.
- Select “Properties” from the sidebar and on the Logo section click on “Select a file”, select the Opster.png image and click “Save”.
- Click “Single sign on” from the sidebar, choose “SAML” and click “Edit” on the “Basic SAML Configuration” section.
- Click on “Add Identifier” and provide value (it MUST be unique UUID and MUST start with “id”. For example: id8b964454-4b73-4416-8e86-68ecfc1d65f5).
- Add a reply URL: https://api.opster.io/login/sso/saml/init
- Add logout URL: https://api.opster.io/logout
- Click save.
- Click “User and Groups” and select “add user/group”. After selecting your desired users and groups, click “Assign”.
- Select “Single Sign-on” from the sidebar.
- Copy the value of EntityId.
- Copy the value of Microsoft Entra Identifier.
Step 2: Set up Opster as a SAML 2.0 service provider (SP)
- Open a new incognito window in your browser.
- Sign in to Opster..
- Navigate to Settings -> Account.
- Under the SAML section:
- Click on the “+” sign to create a new integration.
- Select “Azure” as the vendor name.
- Paste the Microsoft Entra Identifier you copied into the form as Iss.
- Paste the EntityId you copied into the form as EntityId.
- Put https://autoops.opster.com/login/sso/saml in the form as Redirect URL and click “Save”.
Step 3: Verify that the SSO is working
- Go to section #5 and click on the “Test” button.
- On the right popup, click on the “Test sign in” button.
- Select the user that you have assigned on the app config.
- Verify that you are logged in to Opster and see the AutoOps dashboard.
Jump Cloud
Step 1: Set up Jump Cloud as a SAML identity provider (IdP)
- In your console (https://console.jumpcloud.com) using the admin user select SSO on the sidebar.
- Click on the “+” sign and then click on the “Custom SAML App” button in order to create a new app.
- Enter ״Opster״ in the “Display Label” field.
- Download the Opster.png image to your computer.
- Click on “Logo” from the “display Option” section.
- Click on “replace logo” and select the Opster.png you have downloaded.
- Click on the SSO tab.
- Set the following fields:
- Idp Entity ID:
- Generate unique value (“Id” + UUID f.e. id8b964454-4b73-4416-8e86-68ecfc1d65f5).
- Set the field as https://sso.jumpcloud.com/saml2/id8b964454-4b73-4416-8e86-68ecfc1d65f5
- SP Entity ID – Provide the same UUID value only starting with sp instead of id f.e (sp8b964454-4b73-4416-8e86-68ecfc1d65f5).
- ACS URL – https://api.opster.io/login/sso/saml/init
- Check the “Sign Assertion” checkbox.
- SAMLSubject NameID – Select “email” from the drop down.
- IDP URL – Set the Idp Entity ID at the end (instead of the second saml2) f.e
https://sso.jumpcloud.com/saml2/id8b964454-4b73-4416-8e86-68ecfc1d65f5. - On the “USER ATTRIBUTE MAPPING” add 2 attributes using the “add attribute” button:
- Service Provider Attribute Name -> displayname, jumpCloud Attribute Name -> firstName
- Service Provider Attribute Name -> emailaddress, jumpCloud Attribute Name -> email
- Idp Entity ID:
- Copy the Idp Entity ID and the SP Entity ID.
- Go to “User Groups” tab.
- Check the “All users” check box and click “activate”.
- Go to “User Groups” and click on the “All Users” group.
- Add a non admin user to the group and click “Save”.
Step 2: Set up Opster as a SAML 2.0 service provider (SP)
- Open a new incognito window in your browser.
- Sign in to Opster.
- Navigate to Settings -> Account.
- Under the SAML section:
- Click on the “+” sign to create a new integration.
- Select “Jump Cloud” as the vendor name.
- Paste the Idp Entity ID you copied into the form as Iss.
- Paste the SP Entity ID you copied into the form as EntityId.
- Put https://autoops.opster.com/login/sso/saml in the form as Redirect URL and click “Save”.
Step 3: Verify that the SSO is working
- Login as the non-admin user.
- On the Applications dashboard, click on the “Opster” app.
- Verify that you are logged in to Opster and see the dashboard.
One Login
Step 1: Set up One Login as a SAML identity provider (IdP)
- Sign In to your “One Login” as admin and go to the applications page.
- Click “Add App”.
- Search for “SAML” in the “Find Applications” section. Select “SAML Custom Connector (Advanced)” from the search results.
- Enter “Opster” as the Display Name.
- Download the Opster.png image and set it as the app icon for both Rectangular and Square Icons.
- Click on “Configuration” from the menu located on the left side of the screen.
- Generate UUID version 4 and set it as the “Audience (EntityID)” value (For example: 9537b475-781c-4c85-8437-d3cdc79efc87).
- Set “ACS (Consumer) URL Validator” as .*api.opster.io*.
- Set “ACS (Consumer) URL” as “https://api.opster.io/login/sso/saml/init”.
- Click “Parameters” from the menu located on the left side of the screen.
- Click on the “+” sign located on the right side of the screen.
- Set “displayname” as the “Name” field.
- Under “Flags” check the “Include in SAML assertion” checkbox and click “Save”.
- The pop-up will display the “Value” drop down, select the “First Name” and click “Save”.
- Click on the “+” sign located on the right side of the screen.
- Set “emailaddress” as the “Name” field.
- Under “Flags” check the “Include in SAML assertion” checkbox and click “Save”.
- The pop-up will display the “Value” drop down, select “Email” and click “Save”.
- Click “Save” on the upper right side of the screen.
- Make sure you see the new application on the Applications page.
- Click on the “Opster” app.
- Click on “More Actions” on the right side of the screen and select the “SAML Metadata” option. (This will download the metadata file to your computer).
Step 2: Set up Opster as a SAML 2.0 service provider (SP)
- Open a new incognito browser window.
- Sign in to Opster.
- Navigate to Settings -> Account
- Under the SAML section:
- Click on the “+” sign to create a new integration.
- Select “One Login” as the vendor name.
- Click “Browse” to upload the IdP Metadata file you downloaded in Step 1 above and click “Save”.
Step 3: Verify that the SSO is working
Follow these steps to verify SSO.
IdP-initiated
- On your One Login dashboard click on “Users”.
- Click on the non-admin user that you have in the system (If you don’t have such a user, create one).
- Click on “Application” from the menu located on the left side of the screen.
- Click on the “+” sign located on the right side of the screen.
- On the popup menu, select the Opster application and click “Continue” and then click “Save”.