Using external Okta as identity provider¶
You can use the Okta Org2Org integration to authenticate and optionally provision users from a source Okta org to a target org. The integration is installed and configured in the source org. You can use Okta Org2Org to connect multiple source orgs to a single Okta target org. This integration enables the source orgs to push users to the target org.
A common scenario where Org2Org is used is the hub-and-spoke model. In these scenarios, the spoke orgs are the source orgs and the hub org is the target org.
Architecture¶
Process overview¶
Chemaxon adds Customer's IdP¶
This is the start of the "hub" or target Okta configuration, i.e. Chemaxon's production Okta tenant (sometimes called "Customer Okta", but not to be confused with the Customer's own Okta tenant).
A SAML 2.0 identity provider is created. The name given is important: users will see it on the login screen, so it should be recognizable to them. Suggested name: `<client company> Okta`.
Following the configuration, the Hub ACS URL and audience URI are forwarded to the client, because they need to finalize their Okta Org2Org configuration with it.
SAML IdP instructions¶
- Open Chemaxon prod / Customer tenant Okta Admin dashboard
- Select Directory → Groups → Add group
- Create a group that will store all users created via this IdP. Suggested naming convention: `CXNC_PROD_<TENANT_ID>_IDP_USERS`
- Select Security → Identity Providers → Add Identity Provider
- Select SAML 2.0 IdP and click Next
- General settings
- Name: select an appropriate name - this will be seen by the Customer's users on the login screen. Suggested: `<client company> Okta`
- Authentication settings
- IdP usage: SSO Only
- IdP username: `idpuser.subjectNameId`. (If the Customer is not using email addresses as the SAML subject NameID, this may need re-configuring.)
- Match against: Okta Username
- Filter: leave blank. (A regular-expression filter on the IdP username could be used to limit which accounts this IdP can link or create, e.g. to the Customer's email domain. Because the account link policy below is Automatic, any assertion whose IdP username matches an existing Okta username is linked to that user, so the filter is the control that keeps this IdP scoped to the Customer's own users if that is ever required.)
- Account Link Policy: Automatic (required)
- If no match is found: Create new user (JIT)
- JIT settings
- Profile source: Tick "Update attributes for existing users" checkbox
- Group Assignments: Assign to Specific Groups
- Specific Groups: the group created above, `CXNC_PROD_<TENANT_ID>_IDP_USERS`
- SAML Protocol Settings
- IdP Issuer URI: use a dummy value initially and update it with what the Customer provides later
- IdP Single Sign-On URL: use a dummy value initially and update it with what the Customer provides later
- IdP Signature Certificate: use a dummy value initially and update it with what the Customer provides later
  - The file received from the Customer might have a `.cert` extension; simply rename it to `.pem` and the upload should work.
- Click Finish
- Forward the URLs below to the Customer
- Assertion Consumer Service URL (Hub ACS URL)
- Audience URI
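The certificate-file caveat above (a `.cert` upload that only works once renamed to `.pem`) comes down to the Okta form expecting a PEM-encoded certificate. The following script is an added example, not Chemaxon or Okta code: it accepts the Customer's file as PEM under any extension (CRLF line endings, a BOM or mail-client rewrapping included) or as binary DER, checks only the outer encoding (it is not an X.509 validator; Okta validates the certificate on upload), writes a clean `.pem` beside the input, and prints a SHA-256 fingerprint that can be confirmed with the Customer over a second channel before the IdP is trusted. The file name in the usage line is a placeholder.

```python
"""Normalise the IdP signature certificate file a Customer sends (added example, not Chemaxon or Okta code).

Okta's SAML IdP form expects a PEM-encoded certificate. Customers usually export the Org2Org
signing certificate as `.cert` (PEM contents under a different extension), occasionally as
binary DER, and sometimes via a mail client that rewraps lines or adds a BOM. This script
accepts all of those, checks the outer encoding only (not X.509 validity), writes a clean
`.pem` next to the input file, and prints a SHA-256 fingerprint for out-of-band confirmation.
"""
import base64
import hashlib
import re
import sys
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# Tolerant matcher: survives CRLF, indentation, a BOM and mail-client line wrapping.
_PEM_BLOCK = re.compile(re.escape(PEM_HEADER) + r"(?P<body>.*?)" + re.escape(PEM_FOOTER), re.DOTALL)


def der_sequence_ok(der: bytes) -> bool:
    """True if `der` is exactly one ASN.1 SEQUENCE, the outer shape of an X.509 Certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def load_der(raw: bytes) -> bytes:
    """Accept PEM (any extension, any line endings) or binary DER and return the DER bytes."""
    match = _PEM_BLOCK.search(raw.decode("ascii", errors="ignore"))
    if match:
        body = "".join(match.group("body").split())          # drop all whitespace/newlines
        der = base64.b64decode(body, validate=True)          # raises ValueError on bad base64
    else:
        der = raw                                            # assume binary DER; checked below
    if not der_sequence_ok(der):
        raise ValueError("input is neither a PEM certificate block nor a single DER SEQUENCE")
    return der


def to_pem(raw: bytes) -> str:
    """Return the certificate as clean 64-column PEM, the form Okta's upload field accepts."""
    b64 = base64.b64encode(load_der(raw)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def sha256_fingerprint(raw: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER, to confirm with the Customer out of band."""
    digest = hashlib.sha256(load_der(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def convert_file(src: Path) -> Path:
    """Write `<name>.pem` beside the file the Customer sent and return the new path."""
    dst = src.with_suffix(".pem")
    dst.write_text(to_pem(src.read_bytes()))
    return dst


if __name__ == "__main__":
    # Usage: python normalise_idp_cert.py customer-okta.cert   (file name is a placeholder)
    src = Path(sys.argv[1])
    print(f"wrote {convert_file(src)}  SHA-256 {sha256_fingerprint(src.read_bytes())}")
```

Comparing the printed fingerprint with the one the Customer reads from their own Org2Org "View Setup Instructions" page closes the gap in which a certificate forwarded by e-mail could be swapped; whatever certificate is uploaded here decides whose assertions the hub will accept.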
Customer adds Okta Org2Org application¶
This is the spoke part of the hub-and-spoke configuration, or in other words, source Okta. The Customer, in their own Okta tenant, adds an Okta "Org2Org" application. The suggested name should be "Chemaxon Cloud" or "Chemaxon Cloud (Staging)", as appropriate.
Users on the Customer side will need to be assigned to this application for the integration to work. The details of this belong to the Customer's IT, but our recommendation is to create an Okta group, assign that group to the Org2Org application, and then assign users to the group as appropriate.
SAML application instructions¶
- Open Okta Admin dashboard
- Select Applications → Applications → Browse Catalog
- Search for and find "Okta Org2Org", and click Add Integration
General settings¶
- Enter application label: `Chemaxon Cloud` or `Chemaxon Cloud (<environment name>)`
- Base URL: `https://okta.chemaxon.com/`
- Application visibility: leave off
- Click Next
Sign-on options¶
- Sign-on methods: change to SAML 2.0
- Under the SAML 2.0 box, there will be an area with the text "SAML 2.0 is not configured until you complete the setup instructions." Click the "View Setup Instructions" button.
- The Customer does not have to follow the instructions on the page that opens. There are, however, three pre-populated fields that need to be forwarded to Chemaxon. Scroll down to the "Configure SAML Protocol Settings" section and copy/download and forward the following pieces of information to Chemaxon:
- IdP Issuer URI (text)
- IdP Single Sign On URL (text)
- IdP Signature Certificate (file)
- Advanced Sign-on Settings
- Hub ACS URL (Assertion Consumer Service URL) - as provided by Chemaxon
- Audience URI - as provided by Chemaxon
- Click "Save"
Chemaxon adds IdP routing rule¶
This is the final action on Chemaxon's side for configuring the IdP. In order for Okta to offer the Customer's identity provider as a login option, a Routing Rule needs to be configured.
This routing rule states that when a user is accessing the tenant's Okta application (the `CXNC_PROD_<TENANT_ID>` application, i.e. the Terminus tenant), the usable IdPs are "Okta" (self, i.e. Chemaxon's Customer Okta) and the Customer IdP created in step 1.
As a result, both Chemaxon's Okta and the Customer's Okta are available on the login screen.
Routing rule instructions¶
Note / risk: routing rules are ordered and evaluated top-down; the first matching rule wins. A broad rule placed above our tenant-level rules overrides them, and adding such an "early catch-all" rule can break many routing rules at once. Conversely, a new rule added at the bottom of the list, below a catch-all rule, will never be triggered. The general recommendation is to add routing rules for external IdPs at the top of the list.
- Open Chemaxon prod / Customer tenant Okta Admin dashboard
- Select Security → Identity Providers → Routing Rules
- Add Routing Rule
- Rule name: `CXNC_PROD_<TENANT_ID>_IDP`
- User is accessing: Any of the following applications
  - Select the `CXNC_PROD_<TENANT_ID>` application
- Use this identity provider:
  - Leave Okta (to allow Chemaxon Okta to still be used)
  - Add `<client company> Okta`
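The ordering risk described in the note above, as an added example that is not Chemaxon or Okta code: a small Python model of how Okta evaluates routing rules (top-down, first match applies, with the built-in Default Rule always last) plus a linter that flags rules that can never fire because an earlier rule already matches everything they match. Only the "User is accessing" application condition is modelled; real Okta rules also match on network zone, device platform and user attributes. The tenant id `acme`, the IdP label `Acme Okta` and the "Corporate IdP" rule are constructed placeholders following the page's naming convention.

```python
"""Model of Okta routing-rule evaluation (added example, not Chemaxon or Okta code).

Okta walks the routing rules top-down and applies the first rule whose conditions match;
the built-in Default Rule sits last and cannot be removed. This model keeps only the
"User is accessing" application condition (real rules also match on network zone, device
platform and user attributes). Rule and IdP names are constructed placeholders.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union

ANY_APP = "ANY"  # the rule's "User is accessing: Any application" condition


@dataclass(frozen=True)
class RoutingRule:
    name: str
    apps: Union[FrozenSet[str], str]   # frozenset of app names, or ANY_APP
    idps: Tuple[str, ...]              # "Use this identity provider" list, in display order

    def matches(self, app: str) -> bool:
        return self.apps == ANY_APP or app in self.apps

    def covers(self, other: "RoutingRule") -> bool:
        """True if every app `other` could match is already matched by this rule."""
        if self.apps == ANY_APP:
            return True
        if other.apps == ANY_APP:
            return False
        return other.apps <= self.apps


def first_match(rules: List[RoutingRule], app: str) -> Optional[RoutingRule]:
    """First rule, in list order, whose condition matches the application being accessed."""
    return next((r for r in rules if r.matches(app)), None)


def idps_offered(rules: List[RoutingRule], app: str) -> Tuple[str, ...]:
    """IdPs the login page would offer for `app`; empty only if no rule matches at all."""
    rule = first_match(rules, app)
    return rule.idps if rule else ()


def unreachable_rules(rules: List[RoutingRule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers everything they match."""
    return [r.name for i, r in enumerate(rules) if any(earlier.covers(r) for earlier in rules[:i])]


def audit_tenant_rule(rules: List[RoutingRule], tenant_app: str, customer_idp: str) -> List[str]:
    """Checks to run after adding or reordering rules; an empty list means the tenant app
    offers both the Customer's IdP and Chemaxon's own Okta, and no rule is dead."""
    problems = []
    offered = idps_offered(rules, tenant_app)
    first = first_match(rules, tenant_app)
    if customer_idp not in offered:
        problems.append(f"{tenant_app}: {customer_idp!r} not offered; first matching rule is "
                        f"{first.name if first else None!r}")
    if "Okta" not in offered:
        problems.append(f"{tenant_app}: Chemaxon's own Okta is no longer offered")
    for name in unreachable_rules(rules):
        problems.append(f"rule {name!r} is unreachable: an earlier rule already matches everything it matches")
    return problems


# Constructed sample rules (tenant id "acme" and "Acme Okta" are hypothetical).
TENANT_RULE = RoutingRule("CXNC_PROD_acme_IDP", frozenset({"CXNC_PROD_acme"}), ("Okta", "Acme Okta"))
DEFAULT_RULE = RoutingRule("Default Rule", ANY_APP, ("Okta",))          # Okta's built-in, always last
BROAD_RULE = RoutingRule("Send everyone to corporate IdP", ANY_APP, ("Corporate IdP",))

GOOD_ORDER = [TENANT_RULE, DEFAULT_RULE]              # tenant rule at the top, as recommended
BAD_ORDER = [BROAD_RULE, TENANT_RULE, DEFAULT_RULE]   # the "early catch-all" pitfall from the note

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, idps_offered(rules, "CXNC_PROD_acme"),
              audit_tenant_rule(rules, "CXNC_PROD_acme", "Acme Okta") or "OK")
```

Running the script shows the good order offering `("Okta", "Acme Okta")` for the tenant app, while the bad order offers only the corporate IdP and reports both the tenant rule and the Default Rule as unreachable; that is the state a catch-all rule mistakenly placed at the top leaves behind.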
Configuration is now complete. If the configuration has also been completed on Chemaxon's side (likely), then the integration should work. It can be tested by logging in to one of the Chemaxon products in your Chemaxon Cloud tenant.