Configuring SAML SSO using OKTA

OKTA is an identity provider (IdP) that supports SAML; an AoC administrator can configure OKTA to provide SAML-based user authentication for Aspera on Cloud.

Enabling the trusted relationship between OKTA and AoC that allows your SAML users to log in to AoC requires that you perform a multi-step process. Assuming that you have migrated from Aspera Files to Aspera on Cloud, configure a new SAML instance for OKTA.

  • In OKTA, create a new SSO connection, entering the desired clock drift and SAML attributes.
  • In Aspera on Cloud, create a new SAML instance, using the SSO URL and SSH fingerprint or certificate generated by OKTA.
  • In OKTA, complete the configuration, using the SAML metadata generated by AoC.

Detailed procedures follow; refer also to your OKTA user documentation.

Create the SSO connection in OKTA

In OKTA, create a new SSO connection. Completing this procedure generates the following data, which are required for the configuration in Aspera on Cloud.

  • SSO URL
  • SSH fingerprint or SSH certificate, whichever you configured

In the Attribute Statements panel, configure the following:

  Name         Value
  email        user.email
  given_name   user.firstName
  surname      user.lastName

Create the new SAML instance in Aspera on Cloud

In Aspera on Cloud, do the following:

  1. Go to Organization > Authentication > SAML > Create new.
  2. Create the new SAML instance, using the SSO URL and SSH fingerprint or certificate generated from OKTA, as described in Configuring SAML for AoC.

When you save the new SAML configuration, AoC generates the SAML metadata, which you must add to your OKTA configuration for AoC.

To find the SAML metadata, go to Organization > Authentication > SAML > your SAML instance > Profile. Scroll down to find the SAML metadata entry; copy it and return to OKTA to complete the configuration.

Enter the SAML metadata in OKTA

In OKTA, do the following:

  1. In the AoC SSO connection, go to the Configure SAML tab.
  2. In the Single sign on URL field, enter the Callback URL for the AoC SAML configuration (called 'Location' in the AoC SAML metadata).
  3. Select the check box labeled Use this for Recipient URL and Destination URL.
  4. In the Audience URI field, enter the AoC metadata URL (called 'entity ID' in the AoC SAML metadata).
  5. In the Name ID format field, leave the entry unspecified.
  6. In the Application username field, enter the OKTA username.
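Steps 2 and 4 above copy the 'Location' and 'entity ID' values out of the AoC SAML metadata by hand. The following added example (not Aspera's or OKTA's code) parses a service-provider metadata document and returns exactly those two values, refusing metadata that is not an EntityDescriptor or that does not require signed assertions. The embedded metadata is a constructed sample: the host name, path segments and EXAMPLE-ID are placeholders, and the real AoC document may carry additional elements.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata, shaped like the document AoC generates; the
# host name and the EXAMPLE-ID path segment are placeholders, not real values.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-org.ibmaspera.example/auth/saml/metadata/EXAMPLE-ID">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.ibmaspera.example/auth/saml/callback/EXAMPLE-ID"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_values_from_sp_metadata(metadata_xml: str) -> dict:
    """Extract what the OKTA 'Configure SAML' tab asks for from SP metadata:
    the ACS 'Location' (Single sign on URL) and the 'entityID' (Audience URI).
    Raises ValueError when a field is missing or the SP does not require signed
    assertions, so a wrong or weak document is caught before it is pasted in."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID (Audience URI)")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None or sp.get("WantAssertionsSigned", "false").lower() != "true":
        raise ValueError("SP does not require signed assertions")
    # The IdP POSTs the SAML Response to the ACS, so pick the HTTP-POST endpoint
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService (Callback URL)")
    # Prefer the endpoint flagged isDefault, otherwise the first POST endpoint
    chosen = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    return {
        "single_sign_on_url": chosen.get("Location"),
        "audience_uri": entity_id,
        # Step 5 leaves OKTA's Name ID format unspecified; report the SP's entry
        "name_id_format": sp.findtext("md:NameIDFormat", default="", namespaces=NS),
    }


if __name__ == "__main__":
    for key, value in okta_values_from_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```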