SAML with Okta (US)
Guide to Configuring SSO Using SAML and Okta for clients on Synap's US infrastructure
Last updated
Select SAML from the Authentication method drop-down when setting up a new SSO configuration.
US infrastructure is a Synap Enterprise-only feature. Note that if you are based in the US you are not automatically moved to US infrastructure; if you are not on US infrastructure, follow the EU-specific SAML steps and use the links referenced there.
You will need the SP Metadata URL to get the .crt file that Okta requires. The metadata is at https://use1.prod.api.synap.ac/external-auth/saml/meta.xml; the certificate in it needs some reformatting, but it is a public certificate that is the same for everyone. A pre-formatted version is below.
If you haven't already, create an Okta account (https://www.okta.com). From your Okta account, go to Applications, create a new app integration and select SAML 2.0.
Continue to Configure SAML, select Show Advanced Settings and enter the following information:
Single sign-on URL = https://use1.prod.api.synap.ac/external-auth/saml/authenticate
Use this for the Recipient URL and Destination URL as well
Recipient URL = https://use1.prod.api.synap.ac/external-auth/saml/authenticate
Destination URL = https://use1.prod.api.synap.ac/external-auth/saml/authenticate
Audience URI (SP Entity ID) = https://api.synap.ac/
Assertion Encryption = Encrypted
Encryption Certificate = (attached crt file)
Attribute statements (name → value):
first_name → user.firstName (unspecified)
last_name → user.lastName (unspecified)
email → user.email (unspecified)
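The certificate step above says the metadata "will require some formatting", and the Okta fields must agree with what the SP metadata advertises. The following is an added example (not Synap's or Okta's code) that parses SP metadata of the shape served at the guide's SP Metadata URL, writes the encryption certificate out as a PEM .crt, and checks that the Audience URI and Single sign-on URL you are about to enter match the metadata's entityID and AssertionConsumerService. The embedded metadata and certificate bytes are constructed placeholders, not Synap's real values.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholder certificate bytes (constructed; NOT Synap's real public certificate).
_FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder DER bytes " * 4).decode()

# Constructed sample in the shape of the SP metadata the guide links to.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://api.synap.ac/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://use1.prod.api.synap.ac/external-auth/saml/authenticate" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def sp_values(metadata_xml: str) -> dict:
    """Return the entityID, ACS location and encryption certificate (PEM) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    # Prefer the key flagged for encryption; fall back to any KeyDescriptor.
    cert = root.find("md:SPSSODescriptor/md:KeyDescriptor[@use='encryption']"
                     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        cert = root.find("md:SPSSODescriptor/md:KeyDescriptor"
                         "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or acs is None:
        raise ValueError("metadata lacks an X509Certificate or AssertionConsumerService")
    b64 = "".join(cert.text.split())        # drop the indentation and line breaks
    base64.b64decode(b64, validate=True)    # fail early on a mangled copy
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
           + "\n-----END CERTIFICATE-----\n")
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location"), "cert_pem": pem}

def okta_fields_match(metadata_xml: str, audience_uri: str, sso_url: str) -> bool:
    """True when the Audience URI and Single sign-on URL agree with the SP metadata."""
    v = sp_values(metadata_xml)
    return v["entity_id"] == audience_uri and v["acs_url"] == sso_url

if __name__ == "__main__":
    # Swap SAMPLE_METADATA for the body fetched from the guide's SP Metadata URL.
    v = sp_values(SAMPLE_METADATA)
    with open("synap-sp-encryption.crt", "w") as fh:
        fh.write(v["cert_pem"])   # upload this file as Okta's Encryption Certificate
    print(v["entity_id"], v["acs_url"])
```

A trailing slash matters: the Audience URI must match the metadata entityID character for character, which is why the check is a plain string comparison.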
Once done, click Next. We recommend selecting "I'm a software vendor" to skip some onboarding materials, but it's up to you. Once done, click Finish.
You will now need to put some information back into Synap. Go back to Synap and fill in the following, taken from the app's Sign On tab in Okta:
Metadata URL → IdP Metadata URL*
Sign on URL → IdP SSO Login URL*
Save on Synap once you're happy, and enable your new configuration.
To test, you'll need to make a user in Okta: go back to Okta > Directory > People > Add person. Use a name and email for a test user; setting a password makes it easier if it is not a real user. Once done, save (you may need to refresh for them to appear in the list).
Note: you don't need to use a real email to test!
Add this user to the right application in Okta (optionally, turn off 2FA).
The user is now ready to test the login on Synap. Go back to your portal, either logged out as an admin or in an incognito window.
From the login page you'll see the option to 'Login with SSO'. This text can be modified in the SSO settings, and the standard Login button can be removed by disabling local login under Settings > Authentication, which means users have to log in via SSO. Once clicked, the user is temporarily redirected to the Okta login page; once they've logged in there, they will also be logged into Synap. The password used on Okta may be different to the password they have on Synap.