Okta SAML integration guide (Org2Org)
This guide shows how to configure Okta as a SAML single sign-on identity provider (IdP) for your Redis Cloud account.
This guide shows how to use the Org2Org application template. You can also use the Generic application template.
To learn more about Redis Cloud support for SAML, see SAML single sign-on.
Step 1: Set up your identity provider
Create the Okta SAML integration application
Create an Okta “Org2Org” SAML integration application.
Sign in to the Okta admin console.
From the left menu, select Applications.
Select Browse App Catalog.
Locate and select Okta Org2Org.
Once you have found the application, click “Add”.
Enter this field in the Org2Org application General Settings section and select Next:
- Application label:
Enter the following fields in the Sign-On Options > Attributes section:
- Name Format:
Warning: To ensure the role mapping takes effect, don’t skip entering appuser.redisAccountMapping in the Value field.
Next, select View Setup Instructions. A new browser window opens, providing the information needed to configure the IdP in Redis Cloud.
Scroll down to section 6 in the page, and note the following information:
- IdP Issuer URI
- IdP Single Sign-On URL
- IdP Signature Certificate: Click the link and download the certificate to your hard drive
Once you capture the information, close the window, return to the Okta admin console, and select Done.
Modify the application user profile
In the left menu, select Directory > Profile Editor, then select Redis Cloud User.
Select Add Attribute to add a custom attribute to the user profile and specify the Redis Cloud role.
Add this information for the new custom attribute:
- Data type:
- Display name:
- Variable name:
- Attribute required:
- Group priority: Combine values across groups
Once you add the attribute, it appears in the list of profile attributes.
Add a Redis Cloud icon to the application so that users can identify it more easily. Select the pencil icon on the application logo and upload a Redis image using these steps:
Step 2: Create a group and assign the application
Now that your SAML IdP is configured, create an Okta group and assign the Redis Cloud application to it.
Create the group
Assign users to the group
Select the group, then select Assign people.
For each user you want to add to the group, highlight the user in the table and select +. You can also add all users by selecting Add all. After you add all the users to your group, select Save.
Assign application to the group
Now that your group is populated with its users, assign the SAML integration application to your group.
From the menu, select Applications > Applications > Redis Cloud. Then, select Assign to groups.
In the Redis Cloud User Group, select Assign.
Now, define the default Redis account mapping string for this group and select Save and go back. The key-value pair consists of the lowercase role name (owner, member, manager, or viewer) and your Redis Cloud Account ID, which you can find in the account settings. Select “Done”.
The mapping field is now defined as a default for each member of the group.
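A mistyped mapping string (an uppercase or unknown role, a missing account ID) is the usual reason the role mapping silently fails to apply. The following added Python example, not part of the Redis Cloud or Okta documentation, validates a redisAccountMapping value before you paste it into Okta; it assumes the pair is written as role=accountID and that several pairs may be comma-separated, which the guide does not spell out.

```python
import re

# Roles the guide lists for the redisAccountMapping attribute.
VALID_ROLES = {"owner", "member", "manager", "viewer"}

# Assumption (not stated on the page): each pair is written as
# "<role>=<account_id>", e.g. "owner=123456", and several pairs
# may be separated by commas. Only lowercase roles and numeric IDs pass.
_PAIR_RE = re.compile(r"^(?P<role>[a-z]+)=(?P<account>\d+)$")


def parse_account_mapping(mapping: str) -> dict:
    """Parse a redisAccountMapping string into {account_id: role}.

    Raises ValueError for anything the guide says is not allowed:
    a non-lowercase or unknown role name, a missing account ID,
    or the same account mapped twice.
    """
    result = {}
    for raw in mapping.split(","):
        pair = raw.strip()
        if not pair:
            raise ValueError("empty mapping entry")
        m = _PAIR_RE.match(pair)
        if m is None:
            raise ValueError(f"malformed entry {pair!r}; expected role=accountID")
        role, account = m.group("role"), int(m.group("account"))
        if role not in VALID_ROLES:
            raise ValueError(f"unknown role {role!r} in {pair!r}")
        if account in result:
            raise ValueError(f"account {account} mapped more than once")
        result[account] = role
    return result


def is_valid_account_mapping(mapping: str) -> bool:
    """True when the whole string parses cleanly, False otherwise."""
    try:
        parse_account_mapping(mapping)
        return True
    except ValueError:
        return False
```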
Editing the mapping field for the group
To modify the Redis mapping field, select the pencil icon of the Redis Cloud group in the “Redis Cloud” application screen.
You can modify the mapping field for the whole group on the edit screen that appears.
Editing the mapping field for a specific user
To override the Redis mapping field at an individual user level, select the People menu, then select the pencil icon of the person whose field you want to modify.
Set the user’s Assignment master to Administrator to enable group policy overrides. Select Save.
The user’s Type is set to
On the screen that appears, select the pencil icon of the user to modify the Redis mapping field.
Step 3: Configure SAML support in Redis Cloud
Now that you have a test IdP server and your user group ready, configure support for SAML in Redis Cloud.
Log in to your admin console
Log in to your admin console at https://app.redislabs.com/#/login.
Activate SAML in access management
To activate SAML, you must have a local user (or social sign-on user) with the owner role. If you have the correct permissions, the Single Sign-On tab is enabled.
Add the information you saved previously in the setup form (step 1), including:
- Issuer (IdP Entity ID): Required
- IdP server URL: Required
- Assertion signing certificate: Drag and drop the certificate file you downloaded earlier into the form text area.
Select Enable and wait a few seconds for the status to change. Then, download the service provider (SP) metadata. Save the file to your local hard disk.
Open the file in any text editor and note the following values from the metadata:
- EntityID: Unique name of the service provider (SP)
- Location: Location of the assertion consumer service
Return to Okta, select Applications > Redis Cloud > General, then select Edit.
Update this information in Advanced Sign-on Settings.
- Hub ACS URL: Use the information that you copied for Location.
- Audience URI: Use the information that you copied for EntityID.
To use IdP-initiated SSO, set the RelayState parameter to the <ID> value so that it matches the ID in the AssertionConsumerService Location URL (the content after the last forward slash “/”). To learn more about configuring service provider applications, see your identity provider’s documentation.
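Rather than copying EntityID, Location and the RelayState ID out of the metadata by hand, you can extract and sanity-check them. This added Python example is not Redis Cloud’s or Okta’s code; the metadata it parses is a constructed sample with placeholder identifiers in the shape of a SAML 2.0 SP metadata file, and it assumes the downloaded file is a standard EntityDescriptor.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (placeholder host and ID, not real
# Redis Cloud values) in the shape the downloaded file takes.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata/EXAMPLE-SP-ID">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs/EXAMPLE-SP-ID"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the three values the guide has you carry over to Okta.

    entity_id    -> Audience URI
    acs_location -> Hub ACS URL
    relay_state  -> RelayState for IdP-initiated SSO (text after the last "/")
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    services = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not services:
        raise ValueError("metadata has no AssertionConsumerService")
    # Prefer the ACS flagged isDefault; otherwise take the lowest index.
    acs = next((s for s in services if s.get("isDefault") == "true"),
               min(services, key=lambda s: int(s.get("index", "0"))))
    location = acs.get("Location", "")
    # Assertions carry the user's identity; refuse a non-TLS endpoint.
    if urlsplit(location).scheme != "https":
        raise ValueError("ACS Location is not https: %r" % location)
    relay_state = location.rstrip("/").rsplit("/", 1)[-1]
    return {"entity_id": entity_id, "acs_location": location,
            "relay_state": relay_state}
```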
Return to admin console
Return to the admin console and select Activate.
A popup appears, explaining that, to test the SAML connection, you need to log in with Okta credentials of the user defined in the Redis Cloud group. This user is part of the group to which you assigned the Redis Cloud application.
The Okta log-in screen appears. Enter the credentials and select Sign In.
If the test succeeds, the next screen appears. Your local account is now considered a SAML account. Going forward, to log in to the admin console, select Sign in with SSO.
Enter your SAML email and select Login.
You have successfully configured SAML as an identity provider.