Sunday, October 8, 2017

OKTA SSO Integration

If you need to integrate OKTA SSO with AEM, you will need the following from the OKTA application:
  1. IDP certificate
  2. Single sign-on URL (also called the IDP URL)
  3. Okta Logout URL (if your application needs to support logout)

OKTA Configuration

Below are the things that need to be done on the OKTA side:
1. Go to the Self Service App for OKTA
2. Click on Register new application
3. Fill in the required details. Below are a few important fields that must be configured carefully:
  • SAML Recipient: This is the return URL to AEM after successful user authentication at OKTA. This URL is generally in the format https://youraemsitedomain.com/saml_login

    It is a frequently found issue that this URL is not set up properly. So while troubleshooting, validate that after successful authentication at OKTA the user returns to exactly the /saml_login page. Validate this in the SAML XML response too: no trailing slash and no other page. If the user is not returning to /saml_login, there is an issue on the OKTA side or on your web server side. In most cases, correcting the SAML Recipient URL on the OKTA side fixes this issue. In the worst case, check the rewrite rules at your web server to make sure they are not mangling it.
  • SAML Audience: This is your AEM domain name. Example value: youraemsitedomain.com    Ensure there is no http, https, or www prefix.
  • SAML Name Id: Use EmailAddress here.
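The three OKTA-side settings above (Recipient URL exactly /saml_login, Audience equal to the bare domain, NameID as an email address) can be checked directly against the SAML response that reaches AEM, which is what the troubleshooting note suggests doing by hand. The script below is an added example, not code from the original post or from Adobe or Okta; it parses a constructed SAML response with the standard library only and reports every mismatch against the expected values. The element and attribute names are those of the SAML 2.0 standard; the sample domain, issuer and user are made up for the example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_saml_response(xml_text, aem_domain):
    """Compare a SAML Response against the OKTA-side settings from the post.

    Returns a list of findings; an empty list means the response matches.
    """
    findings = []
    root = ET.fromstring(xml_text)
    expected_acs = f"https://{aem_domain}/saml_login"

    # 1. Recipient / Destination must be exactly the /saml_login URL:
    #    no trailing slash and no other page.
    dest = root.get("Destination")
    if dest != expected_acs:
        findings.append(f"Destination is {dest!r}, expected {expected_acs!r}")
    for scd in root.findall(".//saml:SubjectConfirmationData", NS):
        rcpt = scd.get("Recipient")
        if rcpt != expected_acs:
            findings.append(f"Recipient is {rcpt!r}, expected {expected_acs!r}")

    # 2. Audience must be the bare AEM domain: no scheme, no www, no path.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if aem_domain not in audiences:
        findings.append(f"Audience {audiences} does not contain {aem_domain!r}")
    for aud in audiences:
        if aud.startswith(("http://", "https://", "www.")):
            findings.append(f"Audience {aud!r} carries a scheme or www prefix")

    # 3. NameID must use the emailAddress format.
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None:
        findings.append("no NameID element in the assertion")
    elif name_id.get("Format") != EMAIL_FORMAT:
        findings.append(
            f"NameID Format is {name_id.get('Format')!r}, expected {EMAIL_FORMAT!r}"
        )
    return findings


# Constructed sample response (not a real OKTA capture) that matches the settings.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2017-10-08T00:00:00Z"
    Destination="https://youraemsitedomain.com/saml_login">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-10-08T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://youraemsitedomain.com/saml_login"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>youraemsitedomain.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# The same response with the three common misconfigurations from the post:
# trailing slash on the return URL, scheme/www in the Audience, wrong NameID format.
BAD_RESPONSE = (
    GOOD_RESPONSE
    .replace("/saml_login", "/saml_login/")
    .replace("<saml:Audience>youraemsitedomain.com",
             "<saml:Audience>https://www.youraemsitedomain.com")
    .replace("nameid-format:emailAddress", "nameid-format:unspecified")
)

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(resp, "youraemsitedomain.com") or "OK")
```

To use it on a real login, paste the base64-decoded SAMLResponse from the browser's developer tools into `check_saml_response` with your own domain; a finding on Destination or Recipient points at the OKTA Recipient URL or a web server rewrite rule, a finding on Audience points at the OKTA Audience field.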

AEM Configuration

Below are the key steps to configure OKTA SSO on the AEM side:

1. Create the certificate file
     Copy the certificate string into a text file and save it as idp_cert.cert on your local computer.

2. Upload the certificate into CRX under the path /etc/key using the steps below
  • Go to CRXDE
  • Create a node "saml" under /etc/key:
             jcr:primaryType - sling:Folder,
             idp_cert - Binary
        Save the node
  • Double-click on the Binary type for the property named "idp_cert" and upload the certificate file that was created in step 1 above.
     After step 2, the node should look like this:


3. Now go to the AEM admin console and navigate to: Tools > Security > Users

  • Open the user "Administrator" and scroll down to Account settings
  • Click on Create KeyStore and enter a value for the password in both text boxes (note down this password; it will be required to set up the SAML OSGi configuration)
  • Click on Manage TrustStore, then click on Add Certificate from CER file
  • Click on Select Certificate file, navigate to the idp_cert.cert file that you created in step 1, and uncheck Map Certificate to user
  • Click on Submit.
   The screen should look like this:

   Note down the Alias value in the left column. This will be required to set up the SAML OSGi configuration.

4. At Tools > Security > Users
  • Open the user "authentication-service" and scroll down to Account settings
  • Click on Create KeyStore and provide the same password. Click OK.
    This will initialize the KeyStore and the Authentication Service to use the certificate you provided earlier. On clicking the Manage TrustStore button on the same page, you can see the certificate you created previously.

5. Configure the SAML Authentication Service
  • Go to /system/console/configMgr
  • Open "SAML 2.0 Authentication Handler"
  • Add the required details
6. Configure the Referrer filter
  • In the system console configMgr, open "Apache Sling Referrer Filter"
  • Add the Okta domain name, e.g. "mysite.okta.com"

Other things you may need to set up for this functionality are:
  • Create a new user group for the default user group configured in step 5
  • Create a CUG for the path (this may be skipped, as it worked for me without a CUG setup)

This article is specifically written for OKTA integration. Refer to the Adobe documentation for integrating SSO with other SAML providers: https://helpx.adobe.com/experience-manager/using/aem63_saml.html

5 comments:

  1. Howdy!! Great Blog!! You have really explained the concept of single sign on solutions (SSO) integration in a simple manner.

  2. Hi Vivek, one question: after this Okta integration, why is it that the profile node under the user node in /home/users is not created when a user logs in through Okta? So how will we be able to get all the data like firstname, lastname, etc.?

    Reply:
    1. I had no issues with user property creation in AEM with the integration. In the OKTA app, there is a setup for profile field mapping, which will be sent in the SAML response. Kindly ensure the mapping has the correct values.

  3. Thank you for sharing your experience of the process; it is very interesting and I got more information from your blog.

    Adobe Experience Manager (AEM) is an application segment of the Adobe Marketing Cloud suite by Adobe Systems. It sorts out, oversees, and conveys content for the purpose of marketing. From Amazon Web Services, where it is hosted, it gives clients templates for making targeted content which can later be published safely from the AWS cloud.

  4. Wow, it is really wonderful and awesome; it is very useful for me to understand many concepts and helped me a lot. It is explained very well and I got more information from your blog.
    Informatica Online Training

    Java Online Training
