Configuring SSO via the Enhanced Web Interface: Okta

2024-05-31

Version 1.0


Description

Single Sign On allows Users to easily log in to all their applications with the same credentials. Eagle Eye Networks supports the use of SSO applications for the creation of accounts and the management of access. This document will detail how to set this up for Google and Microsoft Users.


Step-by-Step

  1. Log in to the Enhanced Web Interface.

  • User must be an Administrator to set up this functionality.

  2. Click Admin.

  3. Select Account Settings.

  4. Click Identity Provider.

From here you can set up any of the SSO integrations you need. This document will cover Google and Microsoft.


Enable Okta as the IDP

Step-by-Step

Okta: Select this option if you want to configure Okta authentication.

Prerequisites

  • Create an account in Okta if you do not already have one.

  • Obtain your Eagle Eye account ID.

Obtaining a redirectUri from Okta

  1. Open your Okta administrator dashboard and select Applications > Applications from the left navigation menu. Click Create App Integration.

  2. On the Create a New App Integration screen, select OIDC for Sign-in Method and Web Application for Application Type. Click Next.

  3. On the New Web App Integration screen, enter the name for your app integration and the URL for Sign-in redirect URIs.

To get the redirect URI, call: {baseURL}/api/v3.0/accounts/self/ssoAuthSettings?include=ssoOidcIdpConfigUrls

Example baseURL: api.c013.eagleeyenetworks.com

This call returns the redirectUri for your account.

  4. The Application Integration Information appears on the next screen. The Client ID and Client Secret needed for configuring the VMS Cloud are found here.

  5. On the Assignments tab, choose the people who can use this login option for the Cloud VMS.

  6. To use IdP-initiated login, make the following configurations on the Application General tab.

  7. In the Initiate Login URI box, enter: https://auth.eagleeyenetworks.com/sso?issuer={registrationId}&target_link_uri={webapp_url}

The registrationId is the last part of the redirectUri retrieved from GET {baseURL}/api/v3.0/accounts/self/ssoAuthSettings?include=ssoOidcIdpConfigUrls

For example, if you get

As a response, your registrationId is 00000011. The registrationId is actually your Eagle Eye account ID.

Your login URI will be: https://auth.eagleeyenetworks.com/sso?issuer=00000011&target_link_uri=webapp_eagleeyenetworks.com

Configuring SP initiated SSO settings for Okta 

The Okta settings are shown below:


Update the Client ID and Client Secret with the values from the Okta application created in the prerequisites section. For the Issuer URL, use your actual Okta domain, https://<your-okta-domain> (do not include “/” at the end).



SP initiated SSO flow

Log in to the application:

1. Provide a non-administrator user account at the identifier first page.

2. Log in with Okta and provide consent.

IdP initiated SSO flow

  1. Go to https://<your-okta-domain>/app/UserHome.

  2. Log in with a user who exists in your Eagle Eye Networks account with the same email.

  3. Click on the Application you created to be redirected to the application.

Configuring automated user provisioning for Okta

  1. Check the Add New Users if they Do Not Already Exist box in the Identity Provider Integration via Single Sign-on screen in the Cloud VMS interface.

  2. Log in to the application. Go to https://<your-okta-domain>/app/UserHome.

  3. Log in with a user who does not exist in your Eagle Eye Networks account with the same email.

  4. Click the Application you created and you will be redirected to the application and auto-provisioned.


Enabling Azure Active Directory as the IdP


If Microsoft is the IdP, use the instructions in this section to enable Azure Active Directory (AD).

Prerequisites

  1. If you do not have an account in Azure AD, register for a free account at https://azure.microsoft.com.

  2. Obtain the redirectUri for the account by adding your account ID at the end of this redirectUri: https://auth.eagleeyenetworks.com/login/oauth2/code/<account ID>.

Configuring a new application in Azure AD

  1. Log in to the Azure console (https://portal.azure.com/#home) and navigate to Manage Microsoft Entra ID (previously known as Azure AD).

  2. Go to App Registrations in the left panel and create a new registration.

  3. Provide the following information under the Register an Application wizard:

    • Name the application.

    • Set the Supported Account Type to Accounts in this Organizational Directory Only.

  4. On the Application Overview screen, create a client credential using the Add a Certificate or Secret option.

  5. Click New Client Secret.

  6. Enter a description of the secret and an expiration date.

  7. Copy the Value field to a text file and save it.

IMPORTANT: This is the Client Secret and cannot be viewed again.

You can find the Application (Client) ID on this screen as well.

  8. Navigate to the API Permissions on the left panel and select Add a Permission.

  9. Select the Microsoft Graph API.

  10. Add Email and OpenId permissions.

  11. Navigate to Token Configuration from the left panel and click Add Optional Claim.

  12. In the Add Optional Claim wizard, select Adding verified_primary_email is optional.

  13. You can also update the consent page using the Branding & Properties tab in the left panel.

  14. Assign users to the application. Navigate to Home > Manage Microsoft Entra ID > Enterprise Applications and select your application. Go to Assign Users and Groups and assign users as shown below to the application.

Configuring SP initiated SSO settings for Azure Active Directory

Use the instructions in this section to configure the organizational Microsoft SSO.


  1. Update the Client ID (Application (client) ID) and Client Secret with values you got from the Azure AD application created in Prerequisites.

  2. You can find the <tenant-id> on the Overview page.

SP initiated SSO flow

You should now be able to log in to the application.

  1. Provide a non-administrator user account at the identifier home page.

  2. Log in with Azure AD and provide the consent.


Note: Be sure you have the same user created on the Azure AD side.


Prerequisites for the IdP initiated SSO flow

  1. Update the homepage URL in the Branding & Properties section of the application as follows:

https://auth.<domain-branding>/sso?issuer=<registration-id>&target_link_uri=<webapp-url>

  • <domain-branding> can be eagleeyenetworks.com, mobotixcloud.com, etc.

  • The <registration-id> is your account ID. It can be found at the end of the redirectUri found in Prerequisites.

  • The <webapp-url> can be https://webapp.eagleeyenetworks.com. (You can use different values for this based on the domain branding; make sure the values are URL encoded.)

  2. Navigate to the Enterprise Application tab and select your application. In the left panel select Manage > Properties. Set Visible to Users to Yes.
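
The registrationId extraction, the Initiate Login URI (Okta) and homepage URL (Azure AD) construction, and the Issuer URL trailing-slash rule described above, as an added example that is not part of the original article or Eagle Eye Networks code. The function names, the https-only checks and the sample Okta domain are assumptions of this example; the callback path and the account ID 00000011 come from the article.

```python
from urllib.parse import urlencode, urlsplit

# Callback path taken from the redirectUri format shown in the Azure AD prerequisites.
CALLBACK_PREFIX = "/login/oauth2/code/"
DEFAULT_AUTH_HOST = "auth.eagleeyenetworks.com"  # auth.<domain-branding>


def registration_id_from_redirect_uri(redirect_uri, auth_host=DEFAULT_AUTH_HOST):
    """Return the registrationId: the last path segment of the redirectUri."""
    parts = urlsplit(redirect_uri.strip())
    # Exact host match rejects look-alike hosts and user@host tricks.
    if parts.scheme != "https" or parts.hostname != auth_host:
        raise ValueError(f"redirectUri is not on https://{auth_host}")
    if parts.query or parts.fragment or not parts.path.startswith(CALLBACK_PREFIX):
        raise ValueError("redirectUri does not match the expected callback path")
    registration_id = parts.path[len(CALLBACK_PREFIX):]
    if not registration_id or "/" in registration_id:
        raise ValueError("redirectUri has no single trailing registrationId")
    return registration_id  # kept as a string: leading zeros are significant


def build_initiate_login_uri(registration_id, webapp_url, auth_host=DEFAULT_AUTH_HOST):
    """Build the login/homepage URL with a URL-encoded target_link_uri."""
    target = urlsplit(webapp_url)
    # Assumption of this example: the target is an absolute https URL.
    if target.scheme != "https" or not target.hostname:
        raise ValueError("target_link_uri must be an absolute https URL")
    query = urlencode({"issuer": registration_id, "target_link_uri": webapp_url})
    return f"https://{auth_host}/sso?{query}"


def normalize_issuer_url(issuer_url):
    """Strip the trailing "/" that the Issuer URL field must not contain."""
    issuer = issuer_url.strip().rstrip("/")
    # Assumption of this example: the issuer is always an https URL.
    if urlsplit(issuer).scheme != "https":
        raise ValueError("Issuer URL must use https")
    return issuer


if __name__ == "__main__":
    # Constructed sample values, using the account ID from the article's example.
    sample = "https://auth.eagleeyenetworks.com/login/oauth2/code/00000011"
    reg_id = registration_id_from_redirect_uri(sample)
    print(build_initiate_login_uri(reg_id, "https://webapp.eagleeyenetworks.com"))
    print(normalize_issuer_url("https://your-okta-domain.example/"))
```
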

Setting up IdP initiated SSO Flow

  1. Go to https://myapplications.microsoft.com?tenantId=<tenant-id>.

  2. Log in with a user who exists in your Eagle Eye Networks account with the same email.

  3. Click the Application you created and you will be redirected to the application.


Configuring auto user provisioning for Azure AD

  1. Check the Add New Users if They do not Already Exist box in the Identity Provider Integration via Single Sign-on screen in the Cloud VMS interface and click Save.

IdP initiated SSO with auto user provisioning flow

  1. Log in to the application. Go to https://myapplications.microsoft.com?tenantId=<tenant-id>.

  2. Log in with a user who exists in your Eagle Eye Networks account.

  3. Click the Application you created to be redirected to the application.


For support please email: support@een.com 

or give us a call at: 512-473-0501
