Okta

Follow these steps to configure Okta as your SAML identity provider for Cyberhaven authentication.

Okta Configuration

Okta Configuration Steps

  1. Log in to your organization's Okta administration page, for example:

    https://cyberhaven-admin.okta.com/admin/apps/active

  2. Within the Applications page, click the “Create App Integration” button.

  3. Select SAML 2.0 as the sign-in method and click Next.

  4. Under General Settings,

    1. Enter “Cyberhaven” for the app name. Optionally, upload a logo from the Cyberhaven Brand Media Kit.

    2. Select “Do not display application icon in the Okta Mobile app.”

    3. Click Next.

  5. On the SAML Settings page, configure the following values:

    1. Single sign-on URL: https://auth.<your-hostname>.cyberhaven.io/__/auth/handler

    2. Audience URI (SP Entity ID): cyberhaven

    3. Default RelayState: Leave blank

    4. Name ID format: Unspecified

    5. Application username: Email

    6. Update application username on: Create and update

  6. Click Next.

  7. Within the newly created application, click “Sign On” and then “View Setup Instructions.”

  8. Record the values displayed for Identity Provider Single Sign-on URL, Identity Provider Issuer, and X.509 Certificate. You will need them in your Cyberhaven console.

  9. Log in to your Cyberhaven console and visit

    https://<tenant-id>.cyberhaven.io/preferences/authentication-provider

  10. Click ADD NEW and configure the values referencing your Okta configuration:

    1. For the Name field in Cyberhaven, type “Okta.”

    2. Copy/paste the Service provider entity ID from Cyberhaven (any unique ID string you create) to the Audience URI (SP Entity ID) in Okta. We recommend including your company name to keep the string unique.

    3. Copy/paste the Okta Identity Provider Single Sign-on URL into the SSO URL field in Cyberhaven.

    4. Copy/paste the Okta Identity Provider Issuer value into the Identity provider entity ID in Cyberhaven.

    5. Copy/paste the Okta X.509 Certificate into the Certificate textbox in Cyberhaven.

    6. Copy the authorization callback URL from Cyberhaven and paste it into the Single sign-on URL in Okta.

  11. Click SAVE CHANGES.

After you've configured Okta as your identity provider, follow the sign-up process described in the SSO Sign-up section.

SSO Sign-up

When a new user is invited to join the Cyberhaven console, they receive an email invitation. Clicking the activation link lets them choose their identity provider; clicking Sign Up with Okta establishes SSO for that user.

For existing users in the Cyberhaven console, you must reset the auth provider for each user.

  1. In the Cyberhaven console, navigate to Preferences > Users.

  2. Click on the kebab menu for each user and select Reset auth provider.

The users will receive an email invitation with a link to sign up with the identity provider and establish SSO.

NOTE

Ensure that the Cyberhaven domain cyberhaven.info is on your email allow list, or the invitation will not be delivered.

Changing Authentication Methods for Existing Users

If you wish to change the authentication method for an existing user, you can do so by browsing to the User Management page, clicking the user in question, and clicking RESET next to Reset Authentication Method.

Validating Authentication Method

The authentication method assigned to a user is displayed next to their email address in the User Management console, so you can validate it there. The possible values are password, google.com, or SAML.

Known issues

1. Using the Okta tile may not authenticate you to your Cyberhaven console. Instead, visit your Cyberhaven instance login page and select "Log in with Okta."

2. Just-in-time provisioning of users is not supported yet.

Troubleshooting

1. If SSO was initially misconfigured, you may need to delete and recreate users in the dashboard for the changes to take effect.

2. Errors such as "All <AudienceRestriction>s should contain the SAML RP entity ID" can be caused by a mismatch in the Service Provider Entity ID. Verify the configuration as shown in the mapping images for your provider.

3. The error "GUID values are not supported for Identifier" points to the fact that you are using a Service Provider Identity ID that is not formatted correctly. Try with a simple string such as "cyberhaven" or "saml-id". Ensure to update the string in the Cyberhaven dashboard and your SAML provider configuration page.

4. The error "Unable to process request due to missing initial state" is likely to be caused by the following two reasons.

The user is trying out an IDP-initiated login which is not

supported. For instance, using the tiles in Okta to automatically

log into Cyberhaven is not supported. Customers must open the Cyberhaven console and log in with Okta.

The browser session storage is inaccessible or accidentally

cleared. Try clearing browser cookies.

5. The error “Failed to verify the signature in SAML Response” is likely to be caused by an issue with the certificate. Verify that the certificate was correctly copied and pasted.

If you encounter any other errors, create a support ticket and include a screenshot of the configuration on your SAML provider side.
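The following script is an added example and is not Cyberhaven or Okta code. It turns the value mapping from steps 5 and 10 and troubleshooting items 2, 3 and 5 into pre-flight checks you can run before opening a support ticket: it flags a GUID-shaped Service Provider Entity ID, a callback URL that does not end in `/__/auth/handler`, an X.509 certificate whose paste lost its tail or picked up stray characters, and a SAML Response whose Issuer or AudienceRestriction does not match the values in your Cyberhaven console. All function names, the `CONFIG` values, the certificate and the SAML Response are constructed for the example; the certificate is a bare DER SEQUENCE header rather than a real certificate, and the script does not verify the XML signature, which is the part of item 5 that only the real certificate can settle.

```python
"""Pre-flight checks for the Okta <-> Cyberhaven SAML values from steps 5 and 10 above.
Added example, not Cyberhaven or Okta code; every value below is a constructed sample."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def make_sample_cert_pem(drop_chars=0):
    """Constructed stand-in for Okta's X.509 certificate: a DER SEQUENCE declaring 256 content
    bytes. drop_chars > 0 simulates a copy/paste that lost the end of the body."""
    body = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    body = body[:len(body) - drop_chars]
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def _der_length_matches(der):
    """True when the outer DER SEQUENCE declares exactly the number of bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                        # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def check_certificate_pem(pem):
    """Troubleshooting item 5: catch a damaged paste before 'Failed to verify the signature'."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", pem)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return ["certificate body is not valid base64; re-copy it from Okta"]
    if not _der_length_matches(der):
        return ["certificate is truncated or corrupted; re-copy it from Okta"]
    return []


def check_sp_entity_id(entity_id):
    """Troubleshooting item 3: use a simple string such as 'cyberhaven', never a GUID."""
    if GUID_RE.match(entity_id.strip()):
        return ["SP entity ID is a GUID; use a simple string such as 'cyberhaven'"]
    return []


def check_config(config):
    """Steps 5 and 10: sanity-check the values pasted between Okta and Cyberhaven."""
    problems = check_sp_entity_id(config["sp_entity_id"])
    if not config["callback_url"].endswith("/__/auth/handler"):
        problems.append("callback URL should end in /__/auth/handler (see step 5)")
    return problems + check_certificate_pem(config["certificate"])


SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def sample_response(audience, issuer="http://www.okta.com/EXAMPLE-ISSUER"):
    """Constructed, unsigned SAML Response; a real Okta response carries an XML signature."""
    return SAMPLE_RESPONSE.format(samlp=NS["samlp"], saml=NS["saml"], issuer=issuer, audience=audience)


def check_saml_response(xml_text, config):
    """Troubleshooting item 2: each AudienceRestriction must contain the SP entity ID and the
    Issuer must equal the Identity provider entity ID. Signature verification is out of scope."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["response contains no Assertion"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_entity_id"]:
        problems.append("Issuer %r does not match the Identity provider entity ID" % issuer)
    for r in assertion.findall("saml:Conditions/saml:AudienceRestriction", NS):
        audiences = [a.text.strip() for a in r.findall("saml:Audience", NS) if a.text]
        if config["sp_entity_id"] not in audiences:
            problems.append("AudienceRestriction %r lacks SP entity ID %r" % (audiences, config["sp_entity_id"]))
    return problems


CONFIG = {                                   # constructed sample values, not a real tenant
    "sp_entity_id": "cyberhaven-acme",       # Audience URI in Okta == Service provider entity ID in Cyberhaven
    "idp_entity_id": "http://www.okta.com/EXAMPLE-ISSUER",
    "callback_url": "https://auth.acme.cyberhaven.io/__/auth/handler",
    "certificate": make_sample_cert_pem(),
}
```

To use it against a real tenant, replace the `CONFIG` values with the ones you recorded in step 8 and pasted in step 10, and feed `check_saml_response` a decoded SAML Response captured from the browser's SAML tracer; an empty list from each check means the values on the two sides agree. Keeping the SP entity ID and the certificate in one place like this also makes the "identical on both sides" requirement from item 3 easy to audit later.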