You can use Okta as your identity provider to authenticate users to MadKudu. MadKudu supports SAML SSO initiated by both Okta (identity provider) and MadKudu (service provider).
Prerequisites
- You have a MadKudu account with Admin permissions
- You have your MadKudu tenant number
- Your company has an existing Okta account to set up SAML SSO
- You have Admin permissions for your company's Okta account
Overview
Single sign-on allows you to log in to your company's MadKudu account using your Okta company credentials. A connection is made between Okta, the identity provider (IdP), and MadKudu, the service provider (SP), to allow users to directly connect to their MadKudu account.
Once you have configured your company's Okta account with MadKudu, you can follow these instructions to manage users.
1. Add the MadKudu custom app to Okta
- In the Okta console, go to Applications.
- Click Create App Application.
- Select SAML 2.0 and click Next.
- This will take you to the General Settings page.
- App Name: MadKudu
- App logo: Grab the one from our website in Google Images
- App visibility: unchecked
- Click Next. This will take you to the Configure SAML page.
- Single sign-on URL: https://bongo.madkudu.com/v1/login/saml/XXXX, where XXXX is your tenant number. When you connect to app.madkudu.com you can see the tenant number in the URL.
- Check Use this for Recipient URL and Destination URL
- Audience URI (SP Entity ID): https://bongo.madkudu.com/v1/login/saml/XXXX, where XXXX is your tenant number, which our support team can provide if you submit a support ticket.
- Default RelayState: Leave blank.
- Name ID Format: Select EmailAddress.
- Application username: Select Okta username.
- Click Show Advanced Settings.
- Response: Choose Signed.
- Assertion Signature: Choose Unsigned.
- Signature Algorithm: Choose RSA-SHA256.
- Digest Algorithm: Choose SHA256.
- Assertion Encryption: Leave as Unencrypted.
- Signature Certificate: download the certificate and upload it.
If you are unable to download the certificate, copy and paste the text below into a text or code editor and "Save as" with a .pem extension:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
- Enable Single Logout: Leave unchecked.
- Signed Requests: check
- Authentication context class: Choose PasswordProtectedTransport.
- Honor Force Authentication: Choose Yes.
- SAML Issuer ID: Leave blank.
- No need to configure the attribute and group attribute statements
- Preview the SAML Assertion: You can click to preview the SAML assertion.
- Click Next.
- This will take you to the Okta feedback page. Enter your feedback if desired and click Next.
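To confirm the values entered above, the XML shown by Preview the SAML Assertion can be checked against them with a short script. This is an added example, not MadKudu's or Okta's own code; it assumes the preview is a SAML 2.0 assertion (or a response containing one), and the function name check_assertion, the tenant number 0000 and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PPT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def check_assertion(xml_text, tenant):
    """Return a list of mismatches between an assertion and the settings above."""
    expected_url = f"https://bongo.madkudu.com/v1/login/saml/{tenant}"
    # Input is the admin's own Okta preview; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response wrapping one.
    tag = f"{{{NS['saml2']}}}Assertion"
    assertion = root if root.tag == tag else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        return ["no saml2:Assertion element found"]

    def value(path, attr=None):
        node = assertion.find(path, NS)
        if node is None:
            return None
        return node.get(attr) if attr else (node.text or "").strip()

    # Field values only: this does not verify the response signature.
    checks = [
        ("Recipient", value(".//saml2:SubjectConfirmationData", "Recipient"), expected_url),
        ("Audience", value(".//saml2:Audience"), expected_url),
        ("NameID Format", value(".//saml2:NameID", "Format"), EMAIL_FORMAT),
        ("AuthnContextClassRef", value(".//saml2:AuthnContextClassRef"), PPT_CLASS),
    ]
    return [f"{name}: expected {want!r}, got {got!r}"
            for name, got, want in checks if got != want]

# Constructed sample assertion for the placeholder tenant 0000.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml2:NameID>
<saml2:SubjectConfirmation><saml2:SubjectConfirmationData Recipient="https://bongo.madkudu.com/v1/login/saml/0000"/></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions><saml2:AudienceRestriction>
<saml2:Audience>https://bongo.madkudu.com/v1/login/saml/0000</saml2:Audience>
</saml2:AudienceRestriction></saml2:Conditions>
<saml2:AuthnStatement><saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext></saml2:AuthnStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "0000") or "assertion matches the settings above")
```

An empty list means the Recipient, Audience, Name ID format and authentication context class all match the values configured in this step.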
2. Set up Okta in the MadKudu app
Now that you have set up MadKudu in Okta, you will need to set up Okta in MadKudu for the two applications to create a trusted relationship with each other to allow communication.
You will need to provide MadKudu with the Okta Identity Provider URL, which is generated automatically in Okta, by following these instructions.
In Okta
- In Okta Console, go to Applications.
- Click on the MadKudu app you have just created.
- Click the Sign On tab.
- Click View Setup Instructions to review Okta setup instructions to configure SAML 2.0 for MadKudu.
- Keep this page open; you'll need to copy the URLs and certificate and paste them into the MadKudu app.
In MadKudu
- Open a new page and go to the MadKudu app (app.madkudu.com).
- Go to Settings.
- Click on the Authentication tab.
- Select Okta in the Enforce SSO picklist.
- Paste into the form the:
  - Identity Provider Single Sign-On URL
  - Identity Provider Issuer
  - X.509 Certificate
- Click Save.
Nice! Now MadKudu will be able to recognize your Okta account.
Now you need to assign users to the MadKudu app both in Okta and in MadKudu. Please follow both steps here.