Supported Features
The Okta/CardinalOps SAML integration currently supports the following features:
- IdP-initiated SSO
- SP-initiated SSO
- JIT (Just-In-Time) Provisioning
Contact the CardinalOps team if you need assistance.
1. Enable SSO in Okta Portal
Add the CardinalOps application from the Okta App Integration Catalog.
Select the Sign On tab for the CardinalOps SAML application, then click Edit.
- Under Advanced Sign-on Settings:
  - Enter your Account Name into the corresponding field.
  - Enter your Region into the corresponding field:
    - If you are in the US region, enter us
    - If you are in the EU region, enter eu
    - If you are in the CA region, enter ca
- Under Credentials Details, Application username format: select Email.
- Click Save.
Note: The value for “Account Name” corresponds to the string used in the Account field on the CardinalOps login page, and it should be all lowercase.
2. Enable SSO in the CardinalOps portal
The option to enable SSO is available within the CardinalOps portal in the menu available in the upper right-hand corner where the username appears. Click on the round user icon (head and shoulders in a circle) and select “Account Information” from the menu that appears. In the “Account Information” dialog box that appears, tick the checkbox for Enable SSO and then select the "Okta" radio button from the options displayed.
Caution: Before proceeding, ensure this change is acceptable to applicable stakeholders. In case of unsuccessful configuration or other situations where SSO needs to be deactivated, please contact CardinalOps to deactivate the SSO service and return to username / password login.
3. Add SSO configuration information in the CardinalOps portal
Use the SAML signing certificate and application configuration details to complete the following fields, then click the Save button.
| Field name | Value |
|---|---|
| SAML Endpoint | Populate with the “Sign on URL” value |
| Issuer | Populate with the “Issuer” value |
| X.509 Certificate | Populate with the "Signing Certificate" value |
| SAML AuthnContext (Optional) | This is an optional input; any values affect the SAML request AuthnContext. This field will accept a single value or a series of values separated by commas. The default value (if left blank / not changed) is as follows: |
| Disable SAML AuthnContext (Optional) | This is an optional checkbox. When enabled, the system skips SAML AuthnContext verification, which is useful if the identity provider does not include or support this assertion. See the note section below. |
| Just-in-Time User Provisioning (Optional) | This is an optional checkbox. When enabled, users are automatically provisioned upon their first login; no manual user setup is required. Note: JIT provisioning occurs only at first login. If user attributes are later changed in Okta, those changes will not be updated in the CardinalOps portal automatically. |
Note: The conventional use of Authentication Context as a part of a standard assertion can vary widely from one enterprise to another. The presence (or lack) of class references in this field can explicitly allow (or prevent) the use of various means of authentication (IP address, password, Kerberos, Public Key, Passwordless Phone Signin, etc.)
If corporate policy requires Authentication Context to be specified, enter the OASIS-compliant class reference in the AuthnContext field. If this is not required, or AuthnContext is preventing routine user login, place a check mark in the available field (“Disable SAML AuthnContext”) to bypass this assertion check.
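An added illustration (not CardinalOps or Okta code) of the check the note describes: the comma-separated AuthnContext field is treated as an allow-list of OASIS class references and compared with the AuthnContextClassRef in the IdP's assertion, with a flag standing in for "Disable SAML AuthnContext". The exact-match semantics, the function names and the unsigned sample assertions are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"  # OASIS class reference prefix

def parse_allowed(field_value):
    """Split the comma-separated AuthnContext field into a set of class references."""
    return {v.strip() for v in field_value.split(",") if v.strip()}

def asserted_classes(assertion_xml):
    """Return every AuthnContextClassRef found in the assertion's AuthnStatement(s)."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [r.text.strip() for r in root.findall(path, SAML_NS) if r.text]

def authn_context_ok(assertion_xml, field_value, disable_check=False):
    """Decide whether login proceeds; returns (allowed, reason).

    Assumed semantics (not confirmed by the page): exact match against the list.
    Call this only on an assertion whose signature has already been verified.
    """
    if disable_check:
        return True, "AuthnContext verification disabled"
    allowed = parse_allowed(field_value)
    got = asserted_classes(assertion_xml)
    if not got:
        return False, "assertion carries no AuthnContextClassRef"
    rejected = [c for c in got if c not in allowed]
    if rejected:
        return False, "class not allowed: " + ", ".join(rejected)
    return True, "matched " + ", ".join(got)

def make_assertion(class_ref):
    """Build a constructed, unsigned sample assertion (illustration only)."""
    ctx = f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>" if class_ref else ""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f"<saml:AuthnStatement><saml:AuthnContext>{ctx}</saml:AuthnContext>"
            f"</saml:AuthnStatement></saml:Assertion>")

if __name__ == "__main__":
    policy = f"{AC}PasswordProtectedTransport, {AC}X509"  # constructed field value
    for ref in ("PasswordProtectedTransport", "Kerberos", None):
        xml = make_assertion(AC + ref if ref else None)
        print(ref, authn_context_ok(xml, policy), authn_context_ok(xml, policy, True))
```

With the check disabled, all three sample assertions are accepted, so the strength of the authentication method is then enforced only by the sign-on policy configured in Okta.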
4. SP-initiated SSO
- Go to the CardinalOps portal
- Click on Sign in with Okta
- Enter your Account
- Enter your User Name
- Click Login