Skip to content
Luis Lopes edited this page Oct 4, 2022 · 6 revisions

Okta - MunkiReport SAML configuration

In Okta

  • Navigate to your Okta admin dashboard -> Applications -> Applications
  • Click Create App Integration
  • Select SAML 2.0 and click Next
  • Under General Settings:
    • Enter an app name, e.g. MunkiReport
    • (Optional) Add an app logo
    • Click Next
  • Under Configure SAML:
    • Single sign on (ACS) URL: https://your-munkireport-server/index.php?/auth/saml/acs
    • Audience URI (SP Entity ID): https://your-munkireport-server/index.php?/auth/saml/metadata
    • Name ID format: EmailAddress
    • Application username: Email
    • Attribute Statements: Name:email, Name format: Basic, Value: user.email
    • (Optional) Group Attribute Statements: Name:memberOf, Name format: Basic, Filter: Matches regex, Value: <eg: .*munki_admin.*>
    • Click Next
  • Under Feedback:
    • Select I'm an Okta customer adding an internal app
    • Click Finish
  • Navigate to your newly configured application in Okta
  • Select the Sign On tab
    • Under the sign on methods section and SAML 2.0, click View Setup Instructions
    • Keep this page open for the next part
  • Select the Assignments tab
    • Assign the app to your user(s) for testing

In your config (.env) file

In your MunkiReport .env file add
 the following:

AUTH_METHODS=SAML
AUTH_SAML_SP_NAME_ID_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
AUTH_SAML_IDP_ENTITY_ID=<Your Identity Provider Issuer>
AUTH_SAML_IDP_SSO_URL=<Your Identity Provider Single Sign-On URL>
AUTH_SAML_IDP_X509CERT=<YOUR CERTIFICATE>
AUTH_SAML_USER_ATTR=email

For AUTH_SAML_IDP_X509CERT, add it like so:

AUTH_SAML_IDP_X509CERT="-----BEGIN CERTIFICATE-----
blahblahblah
blahblahblah
-----END CERTIFICATE-----
"

If that gives you an error like docker: poorly formatted environment: variable '-----END CERTIFICATE-----' contains whitespaces, try reading the cert file contents before your docker run. Example:

certcontents=$(<certname.cert) && docker run -d --name="munkireport-php" -e AUTH_SAML_IDP_X509CERT="$certcontents" munkireport/munkireport-php:release-latest

Service Provider (SP) SAML config:
Next, visit https://your-munkireport-server/index.php?/auth/saml/metadata to retrieve information about your SP configuration. You should see a page like the following:

That's it! Once you have the application configured, you can do an IdP-initiated sign-in through your Okta web portal/browser plugin, or by using the Identity Provider Single Sign-On URL copied from the SAML Setup Instructions in Okta.

Troubleshooting

For debugging add the following line to .env:
AUTH_SAML_DEBUG=TRUE

Additionally, you can use the SAML-tracer browser plugin to see where SAML is failing.

If you are still having issues, open a ticket on the Google Groups page and someone will try to assist you.

Clone this wiki locally