Juniper Networks SSL VPN Integration Guide

Contents

- Introduction
- Overview
- Terms
- Setting Up an Authentication Server
- Creating a User Role
- Creating a User Realm
- Setting Up Your Sign In URL

Introduction

This document describes how to integrate an Okta organization with a Juniper Instant Virtual Extranet (IVE), so that users can connect from Okta to an IVE server using SAML, and then SSO into a target application or resource.

Overview

Following is a brief overview of the steps required to integrate an Okta organization with a Juniper IVE:

1. An administrator must configure an IVE instance in their Okta organization.
2. Sign into IVE and configure it to accept SAML assertions from Okta.
3. Create an Authentication Server.
4. Create a User Role that maps users to a managed resource on the IVE.
5. Create a target Authentication Realm that you associate with the Target App URL/Resource.
6. Map users in your Authentication Realm to a User Role.
7. Create a target application Sign In URL that you pass to the IVE via the Okta SAML assertion target.
8. After you set up the IVE to receive SAML assertions from Okta, you can assign the IVE instance to end users.

After completing these steps, users can click an application icon on their home page and SSO to the target application (resource) managed by the IVE.

Figure 1. Okta Integration Overview

Terms

The following is a list of terms and values that are used in this guide:

- Authentication Server: Okta_SAML_AUTH_SERVER
- User Role: Okta_SSO_USER_ROLE
- Realm: Okta_SAML_SSO_REALM
- Sign In URL: Target Field of SAML assertion
- Target App URL: Sign in URL of desired app or resource that is managed by the IVE.

Setting Up an Authentication Server

Do the following:

1. From your Okta Administrative Dashboard, select Application > New Application and enter template in the search bar. Choose the SAML 2.0 Template. See figures 2–5 below.
2. Sign into your Juniper IVE Admin Manager.
3. Create a new authentication server, and name it Okta_SAML_AUTH_SERVER. Select Authentication, click Auth Servers, select SAML server from the New drop down menu, and click New Server.
4. Complete the fields for your new authentication server:
   - Server Name: Enter a name that can be easily identified.
   - Source Site Inter Site Transfer Service URL: Copy and paste the post back URL from the Okta SAML setup instructions.
   - Issuer Value for Source Site: Copy and paste the issuer value from the Okta SAML setup instructions.
   - User Name Template: Enter <userattr.cn>
   - Allowed Clock Skew (minutes): Enter the clock difference between the IVE and the Okta server.
   - SSO Method: Select Post.
   - Upload the certificate provided in the Okta SAML setup instructions.
   - Make sure Enabled Signing Certificate status checking is not checked.
5. Click the Save Changes button.

Figure 2. Setting Up the Application in Okta
Figure 3. Setting Up the Application in Okta
Figure 4. Setting Up the Application in Okta
Figure 5. Setting Up an Authentication Server
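
As an added illustration (not Juniper or Okta code), the following Python example models how a SAML service provider applies the Issuer Value, Allowed Clock Skew and User Name Template <userattr.cn> settings from step 4 to an incoming assertion. The sample assertion, the issuer URL and the function names are constructed for this example; it assumes the cn value arrives as a SAML attribute named cn, and it does not cover signature verification against the uploaded certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion (illustration only; placeholder issuer).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://idp.example/issuer-placeholder</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="cn"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC; this example accepts the whole-second form only.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_issuer, skew_minutes, now):
    """Return (username, None) if accepted, or (None, reason) if rejected."""
    # Production code should parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:          # "Issuer Value for Source Site"
        return None, "issuer mismatch"
    cond = root.find("saml:Conditions", NS)
    if cond is None or "NotBefore" not in cond.attrib or "NotOnOrAfter" not in cond.attrib:
        return None, "missing validity window"
    skew = timedelta(minutes=skew_minutes)  # "Allowed Clock Skew (minutes)"
    if now + skew < _ts(cond.attrib["NotBefore"]):
        return None, "not yet valid"
    if now - skew >= _ts(cond.attrib["NotOnOrAfter"]):
        return None, "expired"
    # "User Name Template: <userattr.cn>" -> take the username from the cn attribute.
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "cn":
            value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
            if value:
                return value, None
    return None, "no cn attribute"
```

The skew value widens the validity window on both sides, so a larger setting also lengthens the time during which a captured assertion would still be accepted.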

Creating a User Role

This section describes how to create a new role to map users in the Okta_SAML_SSO_REALM. Name this role Okta_SSO_USER_ROLE.

1. Select Users > User Roles > New Role.
2. Select General, click the Overview tab, and complete the following fields:
   - Name: Okta_SSO_USER_ROLE
   - Description: Enter a description.
   - Make sure the following are selected in Options:
     - Select Session/Options.
     - Select UI/Options.
   - In Access Features, select Web.
3. Click the Save Changes button.

Figure 6. Creating a User Role

4. On the same page, click the Web tab and select Bookmarks.
5. Create a new bookmark to the target application or resource the IVE is managing. Name this URL TARGET_APP_URL.
6. Under Type, choose a Web Resource Profile.
7. Enter a name in the Name field.

Figure 7. Creating a New Bookmark

8. Staying on the same page, select General and click UI Options.
9. Under Start Page, select Custom Page.
10. In the start page URL field, enter TARGET_APP_URL. This is the sign in page URL for the target application or resource that you created in Creating a User Role. For example, https://www.yammer.com/login
    Make sure you check Also allow access to directories below URL.
11. Click Save.

Figure 8. Setting the Start Page

Creating a User Realm

Do the following:

1. Create a new realm to associate with your Okta_SAML_AUTH_SERVER authentication server. Name the realm Okta_SAML_SSO_REALM.
2. Select Users, click User Realms, and then click New.
3. Create a new User Authentication Realm and complete the following fields:
   - Name: Okta_SAML_SSO_REALM
   - Description: Enter SAML SSO Realm.
   - Authentication: Select Okta_SAML_AUTH_SERVER (created in Setting Up an Authentication Server).

Figure 9. Creating a User Realm

4. On the same page, click the Role Mapping tab.
5. Click New Rule and complete the following fields:
   - Rule Based on: Select Username
   - Name: Okta_SAML_SSO_RULE
   - Set Rule: If Username to is: *
   - Assign these roles: Set to Okta_SSO_USER_ROLE.
6. Click Save Changes.

Figure 10. Creating a New Rule

Setting Up Your Sign In URL

1. Select Authentication and click Signing In.
2. Click New URL.
3. Edit your new Sign In URL as follows:
   - Sign In URL: The Sign In URL is passed into the IVE from the SAML Assertion POST. Enter the Sign In URL for Okta to complete the Okta IVE configuration.
   - Select User picks from a list of authentication realms and then select Okta_SAML_SSO_REALM.
4. Click the Save Changes button.

Figure 11. Editing a Sign In URL
This step completes your integration. Your users can now authenticate using SAML from Okta to an IVE server and then SSO into the target application or resource.