
Cloud SAML Federation with Okta Identity Provider

Business Problem

You need to handle user login to the CloudSuite Portal, and you want to use your corporate user account credentials to authenticate to CloudSuite and to assist with account management and setup. You want to integrate with Okta’s Identity Provider to achieve Single Sign On and corporate user management.


Requirements

  • Access to an Infor CloudSuite
  • User privileges for Infor Federated Service (IFS) User Management with the following roles:
  • Optional Campus courses:
    • Infor OS: Identity and Access Management Fundamentals Workshop

Tutorial

The Infor Cloud (inforSTS, the Infor Security Token Service) can be federated with Okta’s Identity Provider to give access to corporate user accounts and enable Single Sign On (SSO) when accessing the Infor Cloud Portal and enterprise applications. Infor supports SAML 2.0 and OpenID Connect (OIDC) federations with Okta’s Identity Provider. Note: For the OpenID Connect federation, Okta’s Identity Provider needs to be externally accessible. The Cloud Portal supports automated user provisioning through the SCIM (System for Cross-domain Identity Management) interface, and Okta’s Identity Provider is SCIM compatible.

IFS Federated Security and the Federation Hub handle the Cloud’s federation between the Cloud Portal and Okta’s Identity Provider.

Okta SAML Federation with Infor CloudSuite

Here are a few documents on configuring the Okta SAML Federation with Infor CloudSuite.

Okta OIDC Federation with Infor CloudSuite

Here are a few documents on configuring the Okta OIDC Federation with Infor CloudSuite.

Federated Security Configuration

The Federated Security Configuration page has these settings:

This video provides instructions on federating the Infor CloudSuite portal with Okta over SAML:

Familiarize yourself with the Infor Security Federation page and the Okta Federation setup procedures.

You should now be able to perform the authentication setup and federation between the CloudSuite portal and the Okta Identity provider (IdP).

Best Practices

CloudSuite to the Okta Identity Provider setup through a SAML Federated Connection

  • Authentication to Infor CloudSuite solutions is accomplished by establishing a federation trust between Infor CloudSuite and a customer’s Identity Provider (e.g. Okta). 
  • Supports SAML 2.0 or OpenID Connect.
  • If using Okta’s OpenID Connect federation, the identity provider has to be externally accessible.
  • If you have multiple authentication sources, you can have up to 5 identity providers federated to a single Infor CloudSuite tenant.
  • Infor supports IdP- and SP-initiated SSO and SLO.
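
As an added example (not Infor's or Okta's code), the Python below reviews a SAML 2.0 IdP metadata document before it is used to establish the federation trust: it lists the advertised SSO and SLO endpoints and signing keys and reports gaps. The metadata sample, its host names and entityID, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: entityID, host names and certificate body are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://idp.example.test/placeholder-entity">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def endpoints(idp, tag):
    """List (binding short name, URL) pairs for one endpoint element type."""
    return [((e.get("Binding") or "").rsplit(":", 1)[-1], e.get("Location") or "")
            for e in idp.findall(f"md:{tag}", NS)]


def review_idp_metadata(xml_text):
    """Return (summary, findings) for a SAML 2.0 IdP metadata document."""
    root = ET.fromstring(xml_text)  # parse only metadata you exported yourself
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {}, ["no IDPSSODescriptor: not identity provider metadata"]
    sso, slo = endpoints(idp, "SingleSignOnService"), endpoints(idp, "SingleLogoutService")
    # A KeyDescriptor without a "use" attribute serves signing and encryption.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS)
            if k.get("use") in (None, "signing")
            and k.find(".//ds:X509Certificate", NS) is not None]
    findings = [msg for present, msg in (
        (sso, "no SingleSignOnService: SSO cannot be set up"),
        (slo, "no SingleLogoutService: SLO is not available"),
        (keys, "no signing certificate: assertions cannot be verified"),
    ) if not present]
    findings += [f"endpoint not served over HTTPS: {url}"
                 for _, url in sso + slo if not url.startswith("https://")]
    summary = {"entity_id": root.get("entityID"), "sso": sso, "slo": slo,
               "signing_keys": len(keys)}
    return summary, findings
```

Calling `review_idp_metadata(SAMPLE_METADATA)` on the constructed sample reports a single finding, the missing SingleLogoutService, which is the gap to close on the IdP side before relying on SLO.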

Important deployment considerations when federating CloudSuite to the Okta Identity Provider.

  • If SCIM is not initially available, user provisioning can be handled manually, by file import, or by enabling JIT on the federated connections.
  • Custom SCIM mappings may be required, based on Okta’s application user attribute requirements.
  • MFA requirements for users authenticating via the Okta federated connection will need to be configured on the Okta identity provider configuration.
  • Infor cloud identity accounts can be leveraged for guest or Admin users that do not exist within the customer’s Okta IdP system.