Creating a trust relationship in Okta

  1. First, log in to Okta's website and click the Admin button in the upper-right corner of the screen.
  2. Next, on the upper menu, click the first-level Applications menu option. This takes you to a page that displays the applications your organization has configured in Okta.
  3. On the Applications page, click the Add Application button displayed in the upper right of the page, which takes you to a UI for adding a new application.
  4. On this page, type RightScale into the Search textbox, then click the Add button of the Okta-verified RightScale SAML application.
  5. Click Next on the General Settings tab.
  6. Click Next on the Provisioning tab.
  7. On the Assign to People tab, assign this Application to the users you want to have access to it, then click Next. If you wish to test your IdP setup at the end of this guide, you will need to assign the new application to your own user at this time (the same user that is associated with your RightScale login email and has the 'enterprise_admin' role).
  8. Select Done and you will be taken to a detailed Application View page for the app you just created.
  9. Click on the Sign On tab, then click the Edit button.
  10. Enter the RelayState value you wish to send to RightScale. Refer to the RightScale SAML RelayStates page to determine a suitable value. When you have finished, click the Save button.
  11. In the middle of the page, click the View Setup Instructions button. Keep this page open since you will need this information to continue on to Step 2: Create a Trust Relationship in RightScale.

Creating a trust relationship in RightScale

In this section, we will set up a trust relationship for Okta within RightScale. As a result, RightScale will know your identity provider's information, which permits your IdP to initiate logins.

  1. In a new tab in your browser, navigate to the account you wish to administer in RightScale.
  2. In the blue nav menu at the top of the screen, select Settings and navigate to Single Sign-on under the Enterprise section. (If you do not see this option, then you do not have the enterprise_manager role for the current account.)
  3. On the resulting page, you should see a list of existing SAML Identity Providers near the top and, above the list, you should see a New button. Click the New button.
  4. In the resulting form, enter the following values:

    | Input Name | Value |
    |---|---|
    | Display Name | Your choice, e.g. Okta |
    | Login Method | Leave "Allow RightScale-initiated SSO using a discovery hint" unchecked |
    | SAML SSO Endpoint | Enter Okta's Value 1 from the screen open in the other tab |
    | SAML EntityID | Enter Okta's Value 2 from the screen open in the other tab |
    | SAML Signing Certificate | Click the button below Okta's Value 3 in the other tab to save the certificate, then upload it here |

  5. Click the Save button and you will be returned to the Identity Provider list page. You should see your newly created IdP in this list.

  6. Next, click the button to the right to test your IdP configuration. You should be redirected to your IdP where you can log in and complete the SSO login. If you didn't assign the application created when configuring Okta to your Okta user, then you will need to do so before completing this step.

  7. Finally, if you wish to have users provisioned via SSO then you will need to Enable authority for your new IdP over the SAML-asserted email domains.
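
A pre-flight check for the values entered in step 4, as an added example that is not part of the RightScale or Okta documentation: it confirms that the SSO endpoint is an https:// URL and that the saved signing certificate parses and is not about to expire, and prints its SHA-256 fingerprint for your change record. The function names, the file name okta.cert, the 30-day threshold and the sample URL are assumptions, and the certificate used here is a constructed self-signed stand-in generated with openssl.

```bash
#!/bin/sh
# Added example (not RightScale or Okta code): sanity checks on the IdP
# values before they are entered in the RightScale Single Sign-on form.

# check_sso_endpoint URL: succeeds only for an https:// URL with a host part.
check_sso_endpoint() {
  case "$1" in
    https://?*) return 0 ;;
    *) echo "SSO endpoint is not an https:// URL: $1" >&2; return 1 ;;
  esac
}

# check_idp_cert FILE [MIN_DAYS]
#   0 = parseable PEM certificate, valid for at least MIN_DAYS more days
#   1 = expires (or has expired) within MIN_DAYS
#   2 = not a PEM X.509 certificate
check_idp_cert() {
  idp_cert=$1
  idp_min_days=${2:-30}   # assumed threshold, adjust to your rotation policy
  if ! openssl x509 -in "$idp_cert" -noout 2>/dev/null; then
    echo "$idp_cert: not a PEM X.509 certificate" >&2
    return 2
  fi
  # Show what is about to be trusted as the SAML signing certificate.
  openssl x509 -in "$idp_cert" -noout -subject -issuer -enddate -fingerprint -sha256
  if ! openssl x509 -in "$idp_cert" -noout \
       -checkend $((idp_min_days * 86400)) >/dev/null; then
    echo "$idp_cert: expires within $idp_min_days days" >&2
    return 1
  fi
  return 0
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the file saved from Okta. Usage: make_sample_cert OUTFILE DAYS
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=constructed-idp.example" 2>/dev/null &&
    rm -f "$1.key"
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/okta.cert" 365
check_sso_endpoint "https://idp.example.invalid/app/sso/saml" && echo "endpoint ok"
check_idp_cert "$demo_dir/okta.cert" 30 && echo "certificate ok"
rm -rf "$demo_dir"
```

To check a real download, replace the constructed certificate and URL with the file you saved from Okta and the Value 1 you copied.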

This concludes configuration of your SAML Identity Provider in RightScale. Please continue on to Step 3: Test IdP-Initiated Single Sign-On.