Configure SAML 2.0-based SSO

To enable single sign-on (SSO) to Seeker, configure Seeker with a third-party identity provider (IdP).

This task involves working in two environments simultaneously: setting up Seeker as an application in an IdP configuration, and configuring the IdP metadata in Seeker.

Note:

The following section describes how to configure Seeker with the popular Okta IdP. If you are using a different IdP, the configuration steps and field labels might be different, but the actions are essentially the same.

  1. Sign on to both Seeker and Okta as an administrator.
    Tip:

    You will need to switch between Okta and Seeker a lot, and copy and paste data. For convenience, open the Okta and Seeker browser windows side by side.

  2. In Seeker: In the main menu, click (Settings) > User Management > SAML 2.0.
In Okta, integrate Seeker as a new application
  1. Go to Applications > Add Application and click Create New App.
  2. In the subsequent wizard steps, set the following properties:
    • Sign on method: SAML 2.0
    • App name: Seeker
    • Name ID format: EmailAddress
  3. Optionally, you can enable the reuse of SAML groups in Seeker by passing group membership information in the SAML response. Under GROUP ATTRIBUTE STATEMENTS, add a custom SAML response attribute that defines group membership, named, for example, GROUP_MEMBERSHIP.
  4. From the Seeker page, copy the Seeker metadata properties and paste them into the respective Okta properties:
    Okta property                  Seeker property
    Audience URI (SP Entity ID)    Service Provider Entity ID
    Single sign on URL             SAML Assertion Consumer Service URL
  5. Finish creating the application.
In Seeker, configure the IdP metadata
  1. In the Sign on tab, click View Setup Instructions. From the page that opens, copy the properties and paste them into the respective Seeker properties:
    Seeker property       Okta property
    Single sign-on URL    Identity Provider Single Sign-On URL
    Issuer ID             Identity Provider Issuer
    X.509 Certificate     X.509 Certificate
    Attention: Make sure to copy the whole X.509 certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  2. If you have configured the SAML response attribute that defines group membership, enter its name in Group membership attribute name.
In Okta, configure user access
  1. In the Assignments tab, assign Seeker to yourself and other Okta users or groups.
  2. In Seeker, select the following options:
    Option                            Description
    Enable Automatic User Creation    When enabled, if an authenticated user doesn't exist in Seeker, a new user will be created on the fly during authentication. Note that if you have configured an LDAP integration, new users will be automatically created according to the LDAP configuration regardless of this option.
    Enable Force-Authentication       When enabled, the IdP will be instructed to reauthenticate a user even if the user has an existing session.
  3. Save your changes.

Test your configuration

Sign out from Seeker. On the sign-in page, click Sign in with SSO, and provide your credentials on the Okta sign-in page. If your configuration is successful, you should be authenticated and eventually redirected to the Seeker homepage.
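If the test fails or group membership does not arrive, one way to check the settings above is to capture the SAMLResponse form value from the browser's network tools during sign-in and compare it with what was configured. The script below is an added example, not part of the Seeker or Okta documentation; the URLs, issuer, user and group are constructed sample values, and it compares settings only (it does not verify the assertion's signature).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample values; replace with the values from your Seeker and Okta pages.
EXPECTED = {
    "acs_url": "https://seeker.example.com/saml/acs",            # SAML Assertion Consumer Service URL
    "sp_entity_id": "https://seeker.example.com/saml/metadata",  # Service Provider Entity ID
    "idp_issuer": "https://idp.example.com/issuer",              # Issuer ID
    "name_id_format": EMAIL_FORMAT,                              # Name ID format: EmailAddress
    "group_attribute": "GROUP_MEMBERSHIP",                       # Group membership attribute name
}

# Constructed SAML response (unsigned, trimmed to the fields checked below).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{NS['a']}" Destination="{EXPECTED['acs_url']}">
  <saml:Assertion>
    <saml:Issuer>{EXPECTED['idp_issuer']}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED['sp_entity_id']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="GROUP_MEMBERSHIP">
      <saml:AttributeValue>seeker-admins</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def check_response(b64_response, expected):
    """Return mismatches between a base64 SAMLResponse and the expected settings."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    found = {
        "acs_url": root.get("Destination"),
        "sp_entity_id": root.findtext(".//a:AudienceRestriction/a:Audience", None, NS),
        "idp_issuer": root.findtext("a:Assertion/a:Issuer", None, NS),
        "name_id_format": name_id.get("Format") if name_id is not None else None,
    }
    problems = [f"{key}: expected {expected[key]!r}, got {value!r}"
                for key, value in found.items() if value != expected[key]]
    attr = root.find(f".//a:Attribute[@Name='{expected['group_attribute']}']", NS)
    if attr is None or not attr.findall("a:AttributeValue", NS):
        problems.append(f"group attribute {expected['group_attribute']!r} not in response")
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE_B64, EXPECTED) or "response matches the configured settings")
```

An empty result means the response agrees with the values entered in both products; each reported line names the setting to recheck.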

Note:

If you want to bypass the configured SSO and sign in to Seeker as another user, open a private browsing window and provide credentials on the Seeker sign-in page.