Using external Okta as identity provider - Chemaxon side

    Architecture

    [Architecture diagram: not reproduced in this text export]

    Process overview

    Chemaxon adds Customer's Idp

    This is the start of the "hub" or target Okta configuration, i.e. Chemaxon's production Okta tenant (sometimes called "Customer Okta", but not to be confused with the Customer's own Okta tenant).

    A SAML 2.0 identity provider is created. The name given is important, as it will be seen by users on the login screen, and should be recognizable by them. Suggested name: <client company> Okta.

    Following the configuration, the Hub ACS URL and audience URI are forwarded to the client, because they need to finalize their Okta Org2Org configuration with it.

    SAML IdP instructions

    • Open Chemaxon prod / Customer tenant Okta Admin dashboard
    • Select Security → Identity Providers → Add Identity Provider
    • Select SAML 2.0 IdP and click Next

    General settings

    • Name: select an appropriate name - this will be seen by the Customers. Suggested: <client company> Okta

    Authentication settings (leave defaults / blank)

    • IdP username: select idpuser.subjectNameId. (If the Customer is not using email addresses as the subject name, this may need re-configuring.)
    • Filter: leave blank in general. This could be used to limit access to this IdP by email address pattern. It is unclear if this is required or desired by clients.

    Account Link Policy

    • Must be Automatic

    JIT settings (leave defaults / blank)

    • Create a group that will store all users created via this IdP. Suggested naming convention: CXNC_PROD_<TENANT_ID>_IDP_USERS
    • Group Assignments: Assign to Specific Groups
    • Specific Groups: the group created above

    SAML Protocol Settings (leave defaults)

    • IdP Issuer URI: as provided by client
    • IdP Single Sign-On URL: as provided by client
    • IdP Signature Certificate: as provided by client
      • The file received from the Customer might have .cert extension, simply rename it to .pem and the upload should work.

    Forward URLs to Customer

    Click Finish. Once created, copy the following info and forward it to the client:

    • Assertion Consumer Service URL (Hub ACS URL)
    • Audience URI
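    The same IdP object expressed as the JSON Okta's Identity Providers API accepts, plus a check that an IdP already present in the Hub tenant still matches the settings listed above. This is an added example, not Chemaxon tooling: the field layout follows Okta's documented POST /api/v1/idps body (the kid comes from first uploading the Customer's certificate to POST /api/v1/idps/credentials/keys), the trust.audience field is left out on the assumption that Okta generates the Hub audience URI and returns it with the ACS URL in the created object (supply it explicitly if your org rejects the request), and every concrete value (company name, URLs, group and key ids) is a constructed placeholder.

```python
"""Build the Okta SAML 2.0 IdP object for a Customer tenant and check an
existing IdP object against this runbook's required settings.

Added example, not Chemaxon's own code. JSON layout follows Okta's
Identity Providers API as documented by Okta; the HTTP call itself is not
included. All ids and URLs used in the usage section are constructed.
"""
from typing import Dict, List


def build_saml_idp_payload(client_company: str, idp_issuer_uri: str,
                           idp_sso_url: str, signature_kid: str,
                           jit_group_id: str) -> Dict:
    """Return the request body for POST /api/v1/idps.

    signature_kid: key id returned by Okta after uploading the Customer's
    IdP signature certificate (the .cert/.pem file they sent).
    jit_group_id:  id of the CXNC_PROD_<TENANT_ID>_IDP_USERS group.
    """
    return {
        "type": "SAML2",
        "name": f"{client_company} Okta",  # shown to users on the login screen
        "protocol": {
            "type": "SAML2",
            "endpoints": {
                # IdP Single Sign-On URL as provided by the client
                "sso": {"url": idp_sso_url, "binding": "HTTP-POST",
                        "destination": idp_sso_url},
                # Hub ACS URL is generated by Okta for this instance
                "acs": {"binding": "HTTP-POST", "type": "INSTANCE"},
            },
            "algorithms": {
                "request": {"signature": {"algorithm": "SHA-256", "scope": "REQUEST"}},
                "response": {"signature": {"algorithm": "SHA-256", "scope": "ANY"}},
            },
            # IdP Issuer URI as provided by the client; kid references the
            # uploaded IdP Signature Certificate. Assumption: audience is
            # generated by Okta, so it is not set here.
            "credentials": {"trust": {"issuer": idp_issuer_uri, "kid": signature_kid}},
        },
        "policy": {
            "provisioning": {
                "action": "AUTO",  # JIT: create users on first login via this IdP
                "profileMaster": False,
                # Group Assignments: Assign to Specific Groups -> the IDP_USERS group
                "groups": {"action": "ASSIGN", "assignments": [jit_group_id]},
                "conditions": {"deprovisioned": {"action": "NONE"},
                               "suspended": {"action": "NONE"}},
            },
            # Account Link Policy: must be Automatic
            "accountLink": {"filter": None, "action": "AUTO"},
            # IdP username: idpuser.subjectNameId, no email-pattern filter
            "subject": {"userNameTemplate": {"template": "idpuser.subjectNameId"},
                        "filter": None, "matchType": "USERNAME"},
            "maxClockSkew": 0,
        },
    }


def validate_idp(idp: Dict, expected_group_id: str) -> List[str]:
    """Compare an IdP object (e.g. from GET /api/v1/idps/{id}) with the runbook.

    Returns the list of deviations; an empty list means the IdP is compliant.
    """
    problems: List[str] = []
    policy = idp.get("policy", {})
    if idp.get("type") != "SAML2":
        problems.append("type must be SAML2")
    if not idp.get("name", "").endswith(" Okta"):
        problems.append("name should follow the '<client company> Okta' convention")
    if policy.get("accountLink", {}).get("action") != "AUTO":
        problems.append("account link policy must be Automatic")
    template = policy.get("subject", {}).get("userNameTemplate", {}).get("template")
    if template != "idpuser.subjectNameId":
        problems.append(f"IdP username is {template!r}, expected idpuser.subjectNameId")
    groups = policy.get("provisioning", {}).get("groups", {})
    if groups.get("action") != "ASSIGN" or groups.get("assignments") != [expected_group_id]:
        problems.append("JIT users must be assigned only to the tenant's IDP_USERS group")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; replace with the Customer's real data.
    payload = build_saml_idp_payload("Example Corp", "urn:example:idp",
                                     "https://idp.example.test/sso",
                                     "kid-placeholder", "00g-placeholder")
    print(validate_idp(payload, "00g-placeholder"))  # [] when compliant
```

The validate step is what makes this worth scripting: run it against every IdP in the Hub tenant after the manual configuration, and any IdP whose account link policy or JIT group assignment has drifted from the runbook shows up as a non-empty list.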

    Chemaxon adds IdP routing rule

    This is the final action on Chemaxon's side for configuring the IdP. In order for Okta to offer the Customer's identity provider as a login option, a Routing Rule needs to be configured.

    This routing rule states that if the user is trying to access the specific Okta application that was created above, i.e. the Terminus tenant, then the usable IdPs are "Okta" (self / Chemaxon's Customer Okta) and the Customer IdP created in step 2.

    This leads to both Chemaxon's Okta and the Customer's Okta being available on the login screen.

    Routing rule instructions

    Warning / risk: these routing rules are ordered and evaluated from the top of the list down. It is quite possible for a broad rule to have a higher priority than our specific tenant-level rules and thereby override them. It is also quite possible to break many routing rules by adding such an "early catch-all" rule. It is also possible to add a new routing rule at such a position (i.e. as the last one) that it will never be triggered, because it comes after a "catch-all" rule. The general recommendation is to add routing rules for external IdPs at the top of the list.

    • Open Chemaxon prod / Customer tenant Okta Admin dashboard
    • Select Security → Identity Providers → Routing Rules
    • Add Routing Rule
      • Rule name: CXNC_PROD_<TENANT_ID>_IDP
      • User is accessing: Any of the following applications
      • Select the CXNC_PROD_<TENANT_ID> application
      • Use this identity provider:
        • Leave Okta (to allow Chemaxon Okta to still be used)
        • Add <client company> Okta
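    A check for the ordering risk described in the warning above, as an added example rather than Chemaxon tooling: given the routing rules in the priority order the admin dashboard shows them, it reports every rule that sits below a catch-all and will therefore never be evaluated, verifies that a tenant rule names both Okta and the Customer's SAML IdP, and shows the recommended fix of moving the tenant rule to the top. The rule dictionaries are a reduced form of Okta's IDP_DISCOVERY policy rule JSON (only the conditions and actions this check reads), and the names and ids in the sample list are constructed.

```python
"""Audit an ordered list of Okta IdP routing rules for shadowing.

Added example, not Chemaxon's own code. Input is a list of rule dicts in
priority order (index 0 is evaluated first), reduced from Okta's
IDP_DISCOVERY policy rule JSON to the fields used here. The sample rules
are constructed; "Default Rule" stands in for Okta's built-in last rule.
"""
from typing import Dict, List

Rule = Dict


def is_catch_all(rule: Rule) -> bool:
    """A rule restricted to no application and no user-identifier pattern
    matches every sign-in attempt, so nothing below it is ever evaluated."""
    if rule.get("status", "ACTIVE") != "ACTIVE":
        return False
    cond = rule.get("conditions", {})
    app_include = cond.get("app", {}).get("include", [])
    user_patterns = cond.get("userIdentifier", {}).get("patterns", [])
    return not app_include and not user_patterns


def audit_routing_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per non-system rule shadowed by an earlier catch-all."""
    findings: List[str] = []
    first_catch_all = None
    for idx, rule in enumerate(rules):
        if first_catch_all is not None:
            if not rule.get("system", False):  # Okta's Default Rule is last by design
                findings.append(
                    f"{rule['name']} (position {idx}) is never evaluated: "
                    f"shadowed by catch-all {rules[first_catch_all]['name']} "
                    f"(position {first_catch_all})")
        elif is_catch_all(rule):
            first_catch_all = idx
    return findings


def check_tenant_rule(rule: Rule, app_id: str, idp_id: str) -> List[str]:
    """Verify a CXNC_PROD_<TENANT_ID>_IDP rule targets the tenant application
    and offers both Okta itself and the Customer's SAML IdP."""
    problems: List[str] = []
    apps = rule.get("conditions", {}).get("app", {}).get("include", [])
    if not any(a.get("type") == "APP" and a.get("id") == app_id for a in apps):
        problems.append(f"rule does not target application {app_id}")
    providers = rule.get("actions", {}).get("idp", {}).get("providers", [])
    if not any(p.get("type") == "OKTA" for p in providers):
        problems.append("Okta itself is missing; Chemaxon logins would be blocked")
    if not any(p.get("type") == "SAML2" and p.get("id") == idp_id for p in providers):
        problems.append(f"Customer IdP {idp_id} is not offered")
    return problems


def move_rule_to_top(rules: List[Rule], name: str) -> List[Rule]:
    """Return a new list with the named rule at the highest priority."""
    target = [r for r in rules if r["name"] == name]
    if not target:
        raise ValueError(f"no routing rule named {name}")
    return target + [r for r in rules if r["name"] != name]


# Constructed sample, in the order shown in the admin UI: a broad rule was
# added above the tenant rule, which is exactly the situation the warning
# describes.
ROUTING_RULES: List[Rule] = [
    {"name": "Everyone to Okta", "status": "ACTIVE",
     "conditions": {"app": {"include": []}},
     "actions": {"idp": {"providers": [{"type": "OKTA"}]}}},
    {"name": "CXNC_PROD_EXAMPLE_IDP", "status": "ACTIVE",
     "conditions": {"app": {"include": [{"type": "APP", "id": "0oa-example-app"}]}},
     "actions": {"idp": {"providers": [{"type": "OKTA"},
                                       {"type": "SAML2", "id": "0oa-example-idp"}]}}},
    {"name": "Default Rule", "status": "ACTIVE", "system": True,
     "conditions": {"app": {"include": []}},
     "actions": {"idp": {"providers": [{"type": "OKTA"}]}}},
]

if __name__ == "__main__":
    for finding in audit_routing_rules(ROUTING_RULES):
        print("BEFORE:", finding)
    fixed = move_rule_to_top(ROUTING_RULES, "CXNC_PROD_EXAMPLE_IDP")
    print("AFTER:", audit_routing_rules(fixed) or "no shadowed rules")
    print("tenant rule problems:",
          check_tenant_rule(fixed[0], "0oa-example-app", "0oa-example-idp") or "none")
```

Running the audit before and after each routing-rule change (the rule list can be pulled from the IDP_DISCOVERY policy in the Hub tenant) turns the "never triggered" failure mode from something discovered when a Customer cannot log in into something caught at configuration time.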