Okta SAML Integration for admin SSO

SimpleMDM integrates with Okta using the Security Assertion Markup Language (SAML) standard. This guide will explain how to designate an Okta account as a trusted identity provider (IdP) for authenticating administrators of your SimpleMDM account.

As the Okta user interface may change, this guide has been written to provide a general process for getting up and running.

First, sign into SimpleMDM and navigate to the SAML integration screen. This is currently under Settings > Users and then the "Settings" tab. This screen provides the information that Okta will require.

  1. Select the option in SimpleMDM to enable SAML.
  2. As an Okta admin, create a new app integration under the Applications section. Select "SAML 2.0" as the Sign-in method.
  3. Set an app name that indicates it is for signing in to the SimpleMDM admin interface.
  4. When prompted for SAML settings, enter the "SAML Consumer URL" from your SimpleMDM account as the "Single sign on URL" in Okta.
  5. Keep the box "Use this for Recipient URL and Destination URL" checked.
  6. Enter the "Audience" value from your SimpleMDM account as the "Audience URI (SP Entity ID)" in Okta.
  7. No other settings need to be configured in Okta. Continue through the remaining screens and click "Finish". Then open the SAML 2.0 settings and metadata details and click "More details". In the current version of Okta, this is under the "Sign On" tab of the SimpleMDM application you just created.
  8. Locate the "Sign on URL" and copy it. Enter this value as the "Endpoint URL" in SimpleMDM.
  9. Under the "SAML Signing Certificates" section, download a SHA-1 certificate. If the only certificate listed is inactive, activate it (under "Actions") or generate a new one first.
  10. Open the certificate file you just downloaded in a text editor like TextEdit and copy the full contents of the certificate. It should start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----" with a long string of characters in between.
  11. Paste this value as the "X.509 fingerprint or certificate" in SimpleMDM.
  12. Okta does not currently support IdP-initiated single logout, so leave the single logout field empty in SimpleMDM.
  13. Set the "Initial user role" as needed. This is the role assigned to new SimpleMDM users that are created on their first sign-in via SAML SSO, so choose the least privileged role that new users need; it can be raised per user afterwards.
  14. In the "Short name" field in SimpleMDM, enter a value. Typically a one-word company name is used like "mycompany".
  15. Click "Save". This will generate a URL in the "Sign in Portal URL" field. This is the URL that users will use to sign in to the admin interface.
  16. Once this link has been established, make sure that you have assigned the right users to the SimpleMDM app within Okta. Assignment in Okta is what gates access: only users who should be allowed to sign in to the SimpleMDM admin interface should be granted access to the application there.
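The steps above have you copy the sign-on URL and the signing certificate out of Okta's UI by hand. The following is an added example, not SimpleMDM's or Okta's own code, that pulls the same values out of the IdP metadata XML Okta serves for the app (the "Identity Provider metadata" link on the same "Sign On" tab) and turns them into exactly what SimpleMDM asks for: the "Endpoint URL", the PEM certificate for "X.509 fingerprint or certificate", and a SHA-1 fingerprint you can cross-check against the one Okta displays. It assumes the standard SAML 2.0 metadata schema and uses only the Python standard library; the metadata document, URLs, app ID and certificate bytes below are constructed placeholders, not real Okta values.

```python
"""Extract SimpleMDM's SAML settings from an Okta IdP metadata document.

Added example, not SimpleMDM's or Okta's code. Assumes standard SAML 2.0
metadata; all identifiers and the certificate bytes are constructed placeholders.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_der(text):
    """Return DER bytes from either the PEM file Okta lets you download (step 10)
    or the bare base64 found inside a metadata <ds:X509Certificate> element."""
    match = PEM_RE.search(text)
    body = match.group(1) if match else text
    der = base64.b64decode("".join(body.split()), validate=True)
    # Every X.509 certificate is an ASN.1 SEQUENCE, whose DER tag byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("not a DER-encoded X.509 certificate")
    return der


def fingerprint(der, algo="sha1"):
    """Colon-separated hex digest of the DER; this is what SAML SPs call a fingerprint."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der):
    """Re-wrap DER as PEM, the form SimpleMDM accepts in step 11."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    """Return the IdP entity ID, the HTTP-POST SSO URL and all signing certificates."""
    # xml.etree does not fetch external entities, so metadata from the network is safe to parse.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:  # SimpleMDM's "Endpoint URL" is the POST endpoint
            sso_url = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for node in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(certificate_der(node.text))
    if sso_url is None or not certs:
        raise ValueError("metadata lacks an HTTP-POST SSO URL or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


def simplemdm_fields(xml_text):
    """Map the metadata onto the SimpleMDM fields named in steps 8 and 11."""
    meta = parse_idp_metadata(xml_text)
    cert = meta["signing_certs"][0]  # Okta lists the active certificate first
    return {
        "Endpoint URL": meta["sso_url"],
        "X.509 fingerprint or certificate": to_pem(cert),
        "SHA-1 fingerprint (cross-check against Okta)": fingerprint(cert, "sha1"),
    }


# Constructed sample: a fake DER blob (real certificates are far longer) inside
# metadata shaped like Okta's. Nothing here is a real org, app ID or certificate.
FAKE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE-APP-ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/EXAMPLE-APP-ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/EXAMPLE-APP-ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for field, value in simplemdm_fields(SAMPLE_METADATA).items():
        print(f"{field}:\n{value}\n")
```

Run it against the real metadata (save the XML Okta serves and pass its contents to `simplemdm_fields`) and compare the printed SHA-1 fingerprint with the one shown next to the certificate in Okta's "SAML Signing Certificates" list before pasting the PEM into SimpleMDM; a mismatch means you downloaded a different (for example an inactive or newly rotated) certificate than the one Okta is signing with. The script does not check certificate expiry; Okta's UI shows that, and rotating the certificate in Okta means repeating steps 9 to 11.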