Using external Okta as identity provider - Customer side

    Architecture

    [Image: architecture diagram]

    Process overview

    Customer adds Okta Org2Org application

    This is the start of the hub-and-spoke configuration, beginning with the "spoke", or source Okta. The Customer, in their own Okta tenant, adds an Okta "Org2Org" application. The suggested name is "Chemaxon Cloud" or "Chemaxon Cloud (Staging)", as appropriate.

    Users on the Customer side will need to be allocated to this application in order for the integration to work. The details of this belong to the Customer's IT, but our recommendation would be to create an Okta group, assign this group to the Org2Org application, and then assign users to this group as appropriate.

    Detailed instructions

    • Open Okta Admin dashboard
    • Select Applications → Applications → Browse Catalog
    • Search for and find "Okta Org2Org", and click Add Integration

    General settings

    • Enter application label: Chemaxon Cloud or Chemaxon Cloud (environment name)
    • Base URL: https://okta.chemaxon.com/
    • Application visibility: leave off
    • Click next

    Sign-on options

    • Sign-on methods: change to SAML 2.0
    • Under the SAML 2.0 box, there will be an area with the text "SAML 2.0 is not configured until you complete the setup instructions." Click the "View Setup Instructions" button.
    • The Customer does not have to perform the instructions on the page that opens. That page does, however, contain three pre-populated fields that need to be forwarded to Chemaxon. Scroll down to the "Configure SAML Protocol Settings" section. From here, copy/download and forward the following pieces of information to Chemaxon:
      • IdP Issuer URI (text)
      • IdP Single Sign On URL (text)
      • IdP Signature Certificate (file)
    • Chemaxon will need to set up the Customer's Okta as a SAML IdP with the above information, and reply with the values for "Hub ACS URL" and "Audience URI". Until then, leave these fields blank, and click "Done".
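
The IdP Signature Certificate forwarded above is what the receiving side uses to verify SAML signatures, so it is worth comparing its fingerprint over a second channel after it has been sent. The following is an added example, not part of the original instructions or of Okta's tooling; it assumes the downloaded certificate file is PEM-encoded, and the function names and sample values are constructed for illustration.

```python
import hashlib
import ssl
from urllib.parse import urlparse

# Constructed placeholder bytes standing in for a certificate body (not a real
# certificate). Only the PEM envelope is checked; X.509 fields are not parsed.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(bytes(range(48)))


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint of the DER bytes carried in a PEM certificate.

    Hashing the decoded bytes, not the file, means copies whose line endings
    or trailing whitespace were altered in transit still compare equal.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_handoff(issuer: str, sso_url: str, pem_text: str) -> list:
    """Return a list of problems with the three values; empty means none found."""
    problems = []
    if not issuer.strip():
        problems.append("IdP Issuer URI is empty")
    sso = urlparse(sso_url.strip())
    if sso.scheme != "https" or not sso.hostname:
        problems.append("IdP Single Sign On URL must be an https:// URL")
    try:
        cert_fingerprint(pem_text)
    except ValueError as exc:  # bad header/footer or broken base64
        problems.append(f"IdP Signature Certificate is not valid PEM: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with the ones copied from Okta.
    issues = check_handoff("urn:example:idp-issuer",
                           "https://idp.example.com/sso/saml", SAMPLE_PEM)
    print("problems:", issues or "none")
    print("fingerprint to read back:", cert_fingerprint(SAMPLE_PEM))
```

Both sides run `cert_fingerprint` on their own copy of the file and compare the output by phone or chat rather than in the same e-mail thread that carried the certificate.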

    Customer finalizes Org2Org application settings

    After receiving the required information from Chemaxon, the Customer finalizes the configuration by adding the Hub ACS URL, and the Audience URI to the Org2Org application they created earlier.

    Detailed instructions

    • Open Okta Admin dashboard
    • Find the "Chemaxon Cloud" Okta Org2Org application that was created earlier, and open its settings
    • Switch to the "Sign On" tab
    • In the "Settings" section, click "Edit"

    Advanced Sign-on Settings

    • Hub ACS URL (Assertion Consumer Service URL) - as provided by Chemaxon
    • Audience URI - as provided by Chemaxon
    • Click "Save"

    Configuration is now complete. If the configuration has also been completed on Chemaxon's side (likely), then the integration should work. It can be tested by logging in to one of the Chemaxon products in your Chemaxon Cloud tenant.