This document details how to configure Deep Freeze Cloud so that users can log in to the Deep Freeze Cloud site with credentials from Okta acting as the identity provider.
This document assumes that the person configuring Deep Freeze Cloud is familiar with Okta, has already configured the appropriate user credentials in their environment, and has signed up for a Deep Freeze Cloud account.
Manually create the Audience URI and Logon Domain
Configuring Deep Freeze Cloud requires that you decide on an Audience URI and a logon domain, both of which are used in the configuration of the service.
During the configuration of SAML, a logon domain must be selected to identify your instance of Deep Freeze Cloud. This is an arbitrary label and can be an organization name or a random string. Once you have selected a logon domain, make note of it for future reference. For the purposes of this document, we will be using CONTESCO as our logon domain.
Audience URI & ACS URL
As part of the configuration of SAML, both an Audience URI and an ACS URL are required. Both are derived from the URL shown in your browser when you log in to Deep Freeze Cloud:
Make note of both the subdomain and the language code shown in your URL; in the example above the subdomain is www3 and the language code is EN.
To generate the Audience URI, insert the subdomain, language code, and logon domain as shown below:
This gives the Audience URI for our example:
The ACS URL takes the form below:
http://<sub-domain>.deepfreeze.com/<lang-code>/saml/Acs?dn=<Login Domain name of your choice>
This gives the ACS URL for our example:
Note: At this time the availability of a given logon domain cannot be checked automatically. The logon domain can be changed in the Deep Freeze Cloud console at a later stage, and these URLs will then be generated automatically.
Configure SAML in the Okta Console
To begin, log in to the Okta IdP console and go to “Your Org” from the top-right menu beside your name.
Then click the “Admin” option at the top and choose the Classic UI from the top-left menu, as shown in the figure below:
Now go to the Applications tab in the top navigation menu.
Click the “Add Application” button on the left of the Applications page.
Now click the “Create New App” button, as shown in the figure below:
Select Web as the platform and SAML 2.0 as the sign-on method, then click the Create button, as shown below:
Enter a name for the app and click the Next button, as shown in the figure:
On the next page, enter the ACS URL as the Single sign-on URL and the Audience URI as the Audience URI. Enter the logon domain chosen earlier as the Default RelayState. Under Name ID format select EmailAddress, and under Application username select Email, as shown in the figure below:
Now scroll to ATTRIBUTE STATEMENTS and enter the attributes shown in the figure below:
Note: The attribute names on the left-hand side in the Okta console must match the attribute names in the Deep Freeze Cloud console.
Click the Next button shown below.
On the next screen select the first option, i.e. “I'm an Okta customer adding an internal app”, and click the Finish button. There is no need to answer the optional questions here.
Now click the “View Setup Instruction” button, as shown in the figure below:
The instructions page shown below contains the information needed to configure the app in the Deep Freeze Cloud console.
Now log in to the Deep Freeze Cloud console again using your existing SuperAdmin credentials.
Go to the “USER MANAGEMENT” menu from the top right corner.
Click on the “SAML Integration” option.
On the “Identity Provider Setup” tab, use the information obtained in step #13 to add the IdP configuration. Note that "Identity Provider Single Sign-On URL" and "Identity Provider Issuer" on the Okta setup instructions page correspond to "IdP Login URL" and "Entity ID" respectively in the Deep Freeze Cloud console. Optionally, you can create a metadata.xml file by copying the metadata from the instructions page and uploading it to the Deep Freeze Cloud console.
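As an added example (not code from the original document, from Deep Freeze Cloud or from Okta), the following Python script reads an Okta-style IdP metadata.xml, checks that it carries an HTTP-POST SSO endpoint and a signing certificate, and labels the values with the Deep Freeze Cloud field names used on this tab; it also rebuilds the ACS URL from the template above for the later match check. The embedded metadata, its entityID, tenant URL and certificate are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an Okta IdP metadata.xml; the entityID,
# tenant URL and certificate are placeholders, not real Okta values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/PLACEHOLDER-APP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.okta.com/app/placeholder/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-org.okta.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def acs_url(subdomain: str, lang_code: str, logon_domain: str) -> str:
    """Build the ACS URL from the template given earlier in this document."""
    return f"http://{subdomain}.deepfreeze.com/{lang_code}/saml/Acs?dn={logon_domain}"

def idp_settings_from_metadata(xml_text: str) -> dict:
    """Map the Okta metadata fields onto the Deep Freeze Cloud IdP setup fields."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    # Take the HTTP-POST entry (Okta metadata typically lists the same Location for both bindings).
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == POST]
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                    "ds:X509Certificate", NS)
    if not sso or cert is None or not (cert.text or "").strip():
        raise ValueError("metadata lacks an HTTP-POST SSO URL or a signing certificate")
    formats = [n.text for n in idp.findall("md:NameIDFormat", NS)]
    return {
        "Entity ID": root.get("entityID"),  # Okta: "Identity Provider Issuer"
        "IdP Login URL": sso[0],            # Okta: "Identity Provider Single Sign-On URL"
        "Signing certificate": cert.text.strip(),
        "EmailAddress NameID offered": any(f.endswith(":emailAddress") for f in formats),
    }
```

Run it against the metadata.xml you copy from the Okta instructions page to get the two values for this tab, and compare acs_url() against what the Deep Freeze Cloud console displays after saving.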
Now click the Next button.
Do not modify anything on the “Attribute Mapping” tab, as we are using all the default attributes. Click the Next button.
On the Settings tab, enter the Login Domain name that you chose in step #1 and select the user role of your choice.
Click the Save button at the top right. If your domain name is not unique, an error message is shown; choose a unique Login Domain name and save again. On success, the Service Provider Configuration of the Deep Freeze Cloud server for that Organization is shown. Verify that the Single sign-on URL (ACS URL) and Audience URI match the ones displayed under SAML Settings on the General tab in the Okta console. If they do not match, correct them in the Okta console via the Edit button shown below:
Click the Next button, correct the Single sign-on URL (ACS URL) and Audience URI, then click Next and then Finish.