Below is an example of how to configure dotCMS to authenticate and authorize dotCMS users with Okta using SAML. It requires a number of custom attributes to be set in order to successfully connect, authenticate and also sync roles from Okta to dotCMS.
Example Custom Attributes Required for dotCMS and Okta SAML
Below are a list of custom attributes from a working OKTA installation. The value containing “ClientDomain” should obviously be replaced with correct values for the Okta endpoint and the dotCMS server location. If you are cutting and pasting, please make sure not to include leading or trailing spaces in the values.
| Key | Value |
|---|---|
| attribute.email.name | |
| attribute.firstname.name | firstName |
| attribute.lastname.name | lastName |
| logout.okta.url | https://clientDomain.okta.com/login/signout |
| logout.protocol.binding | Http-Okta |
| logout.service.endpoint.url | https://clientDomain.com/dotAdmin/show-logout |
| nameidpolicy.format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| protocol.binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT |
| remove.roles.prefix | iam_dotcms_ |
| renew.session | false |
| verify.signature.credentials | false |
Example IDP Metadata file
A redacted example metadata file for Okta
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/clientIdNumber">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://clientDomain.okta.com/app/clientDomain_appId_1/clientIdNumber/slo/saml"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://clientDomain.okta.com/app/clientDomain_appId_1/clientIdNumber/slo/saml"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://clientDomain.okta.com/app/clientDomain_appId_1/clientIdNumber/sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://clientDomain.okta.com/app/clientDomain_appId_1/clientIdNumber/sso/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
