I am trying to configure a SAML application for SSO using the Okta SDK.
Using the docs online I was able to create an Okta client using a token, like below:
import asyncio
from okta.client import Client as OktaClient

config = {'orgUrl': '<>', 'token': '<>'}  # org URL and API token go here
okta_client = OktaClient(config)

async def main():
    users, resp, err = await okta_client.list_users()

asyncio.run(main())
I am not sure how to create a SAML 2.0 application.
Can I get documentation or steps for creating a SAML application using the Python SDK?
The GitHub page for the Okta Python SDK has an example for a SWA application, so I assume you can check whether you can do the same for SAML too.
I see with models we can create the Saml Application…
I need more information on how to pass the attributes and values to it for SAML SSO
In [9]: models.SamlApplication
Out[9]: okta.models.saml_application.SamlApplication
from okta import models  # the models namespace shown in the session above

okta_client = OktaClient(config)
samlSignOn = models.SamlApplicationSettingsSignOn({
    'audience': 'abc.cisco.com',
    'destination': 'https://abc.cisco.com:443/sp/ACS.saml2',
    'recipient': 'https://abc.cisco.com:443/sp/ACS.saml2',
    'sso_acs_url': 'https://abc.cisco.com:443/sp/ACS.saml2',
    'subject_name_id_format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
})
samlAppSet = models.SamlApplicationSettings({
    'app': samlSignOn
})
samlApp = models.SamlApplication({
    'label': 'abc',
    'settings': samlAppSet,
})
# run inside an asyncio-aware REPL such as IPython, as in the session above
app, resp, err = await okta_client.create_application(samlApp)
This configuration is throwing an error, but the message is not clear:
In [27]: err
Out[27]: {'message': 'Okta HTTP 500 E0000009 Internal Server Error\n'}
I am getting the same result using the Go SDK. My intent is to create a custom SAML 2.0 app. Here is how we’re making the call:
appSettings := okta.NewSamlApplication()
appSettings.Label = name
appSettings.Settings = &okta.SamlApplicationSettings{
	SignOn: &okta.SamlApplicationSettingsSignOn{
		SsoAcsUrl:           "https://" + subdomain + "." + rootDomain + "/sso/auth",
		Audience:            "https://" + subdomain + "." + rootDomain + "/sso/metadata",
		Recipient:           "https://" + subdomain + "." + rootDomain + "/sso/auth",
		Destination:         "https://" + subdomain + "." + rootDomain + "/sso/auth",
		SubjectNameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
		SignatureAlgorithm:  "RSA_SHA256",
		DigestAlgorithm:     "SHA256",
		ResponseSigned:      newBool(true), // newBool is a local helper returning *bool
		AssertionSigned:     newBool(true),
		HonorForceAuthn:     newBool(true),
	},
}
appSettings.Visibility = &okta.ApplicationVisibility{
	Hide: &okta.ApplicationVisibilityHide{
		IOS: newBool(false),
		Web: newBool(false),
	},
}
app, _, err := o.oktaApp.CreateApplication(context.TODO(), appSettings, nil)
if err != nil {
	return nil, "", err
}
This routinely returns a 500 with no helpful info. I can, however, create one via a direct API call using Postman (with the same payload).
I suspect we are having the same problem (though different SDKs).
Hi GabrielZ, can you please share the payload which you used in Postman for reference... thank you
Hi Okta Team, can anyone help with proper configuration details using the Okta SDK?
Based on my terraform config I see a few attributes missing in your call:
subject_name_id_template = "$${user.userName}"
authn_context_class_ref = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
Maybe try to add it and see if it helps
@pradvara Here is the payload in Postman:
{
  "label": "My SAML App",
  "visibility": {
    "hide": {
      "iOS": false,
      "web": false
    }
  },
  "settings": {
    "signOn": {
      "ssoAcsUrl": "http://example.okta.com",
      "audience": "https://example.com/tenant/123",
      "recipient": "http://recipient.okta.com",
      "destination": "http://destination.okta.com",
      "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "responseSigned": true,
      "assertionSigned": true,
      "signatureAlgorithm": "RSA_SHA256",
      "digestAlgorithm": "SHA256",
      "honorForceAuthn": true
    }
  },
  "signOnMode": "SAML_2_0"
}
I still get a 500 with those additions.
Thank you Gabriel for the information
Bloke
December 8, 2021, 8:01pm
12
The following worked for me, if it helps, using golang.
appSettings := okta.NewSamlApplication()
appSettings.Label = label
appSettings.Settings = &okta.SamlApplicationSettings{
	SignOn: &okta.SamlApplicationSettingsSignOn{
		DefaultRelayState: "",
		SsoAcsUrl:         ssourl,
		Recipient:         recipient,
		Destination:       destination,
		Audience:          audience,
		// IdpIssuer: d.Get("idp_issuer").(string),
		SubjectNameIdTemplate: subjectNameIDTemplate,
		SubjectNameIdFormat:   subjectNameIDFormat,
		ResponseSigned:        &responseSigned,
		AssertionSigned:       &assertionSigned,
		SignatureAlgorithm:    signatureAlgorithm,
		DigestAlgorithm:       digestAlgorithm,
		HonorForceAuthn:       &honorForceAuthn,
		AuthnContextClassRef:  authnContextClassRef,
	},
}
appSettings.Visibility = &okta.ApplicationVisibility{
	AutoSubmitToolbar: &autoSubmit,
	Hide: &okta.ApplicationVisibilityHide{
		IOS: &hideMobile,
		Web: &hideWeb,
	},
}
// two attribute statements, at indices 0 and 1
samlAttr := make([]*okta.SamlAttributeStatement, 2)
samlAttr[0] = &okta.SamlAttributeStatement{
	Name:      "Name",
	Namespace: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
	Type:      "EXPRESSION",
	Values:    []string{"user.firstName"},
}
samlAttr[1] = &okta.SamlAttributeStatement{
	Name:        "groups",
	Namespace:   "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
	Type:        "GROUP",
	FilterType:  "REGEX",
	FilterValue: ".*",
}
appSettings.Settings.SignOn.AttributeStatements = samlAttr
application, _, err := client.Application.CreateApplication(ctx, appSettings, nil)
if err != nil {
	fmt.Println("bad", err)
} else {
	// only assert the concrete type once the call has succeeded
	newApp := application.(*okta.SamlApplication)
	fmt.Println(newApp.Label + " app created")
}
Bloke
December 8, 2021, 8:23pm
13
Also make sure your client auth is correct, otherwise you will get: panic: runtime error: invalid memory address or nil pointer dereference
Thank you Bloke… will check…
Thanks, @Bloke ! That did work. I think it was likely the attribute statements. That can be empty, but must be defined.
So I have it as:
samlAttr := make([]*okta.SamlAttributeStatement, 0)
Bloke
December 13, 2021, 3:44pm
16
Glad it worked out. Yes, in my experience with Okta SAML so far: everything must be defined; even when trying to modify an app you need to pass everything. Have fun.
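As an added example that is not part of this thread or the Okta SDK, the following Go code mirrors the JSON field names of the signOn payload posted above with local types and runs a preflight check before the create call: it flags an undefined (nil) attributeStatements slice, which is what this thread found caused the 500, plus the weak settings a reviewer would want fixed (plain-http SAML endpoints, unsigned response or assertion, non-SHA-256 algorithms). The field names are assumed from the Postman payload; the type and function names are my own.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Local stand-ins that mirror the JSON field names of the Okta signOn payload
// posted above (added example; these are not the Okta SDK's own types).
type AttributeStatement struct {
	Name   string   `json:"name"`
	Type   string   `json:"type"`
	Values []string `json:"values,omitempty"`
}
type SamlSignOn struct {
	SsoAcsUrl          string `json:"ssoAcsUrl"`
	Audience           string `json:"audience"`
	Recipient          string `json:"recipient"`
	Destination        string `json:"destination"`
	ResponseSigned     bool   `json:"responseSigned"`
	AssertionSigned    bool   `json:"assertionSigned"`
	SignatureAlgorithm string `json:"signatureAlgorithm"`
	DigestAlgorithm    string `json:"digestAlgorithm"`
	// Deliberately no omitempty: a nil slice serialises as null, an empty one as [].
	AttributeStatements []AttributeStatement `json:"attributeStatements"`
}

// Preflight lists what to fix before CreateApplication: undefined attribute
// statements (the cause found in this thread), plain-http endpoints, and weak signing.
func Preflight(s SamlSignOn) []string {
	var findings []string
	if s.AttributeStatements == nil {
		findings = append(findings, "attributeStatements is nil; define it (an empty list is fine)")
	}
	for _, ep := range [][2]string{{"ssoAcsUrl", s.SsoAcsUrl}, {"recipient", s.Recipient}, {"destination", s.Destination}} {
		if !strings.HasPrefix(ep[1], "https://") {
			findings = append(findings, ep[0]+" is not https: "+ep[1])
		}
	}
	if !s.ResponseSigned || !s.AssertionSigned || s.SignatureAlgorithm != "RSA_SHA256" || s.DigestAlgorithm != "SHA256" {
		findings = append(findings, "sign both response and assertion with RSA_SHA256 and a SHA256 digest")
	}
	return findings
}

// Payload is the signOn block as marshalled here; compare attributeStatements for a nil vs. an empty slice.
func Payload(s SamlSignOn) string {
	b, _ := json.Marshal(s)
	return string(b)
}
```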