Configure Single Sign-On with Okta

This article details the process to accomplish the following tasks:

  • Configure your Okta installation to support Single Sign-On (SSO) for your Axon Evidence organization.

  • Configure your Axon organization to use Okta for SSO.

After completing the steps in this article, you can also configure certificate-based authentication (CBA) for SSO on mobile devices for your organization. Axon supports CBA for use with mobile devices and the most recent versions of Axon mobile apps. Learn more about prerequisites and information on integration with a Mobile Device Manager.

Prerequisites

  • An Okta installation with admin access.

  • Admin access to Axon Evidence.

Tips for a successful SSO integration

  • When you configure your Axon Evidence SSO settings in Step 5, keep the Admin Bypass setting enabled during testing to prevent lockouts.

  • Regularly update and review the SSO configuration to accommodate any changes in your Okta setup.

  • Ensure that all URLs within the steps are entered correctly and that you replace all instances of organization with the subdomain of your Axon organization.

  • Ensure that either (a) the email address for each user in your Axon organization is identical to the user's email address or User Principal Name (UPN) in Okta, or (b) the externalID for each user in your Axon organization matches the attribute mapped to the externalID in Okta.

    • Note: If there is a mismatch between externalID and email address for mapping accounts, externalID will take precedence.

  • It's recommended that all Axon users have a correctly configured account in the Okta installation that you will use for SSO with Axon.
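The account-mapping rules above (externalID first, then email or UPN) are easy to get wrong silently: an externalID that points at the wrong Okta account wins over a correct email. The following Python pre-flight check, an added example and not Axon's or Okta's code, applies those rules to a constructed user list and reports every Axon user that is unmapped or mapped to an Okta account with a different email. The field names (email, externalID, id, login) and the assumption that externalID is mapped to the Okta user id are illustrative.

```python
# Added example (not Axon's or Okta's code): pre-flight check that every Axon
# user maps to exactly one Okta account, with externalID taking precedence
# over email/UPN as the article describes.

# Constructed sample data; field names are assumptions for illustration.
AXON_USERS = [
    {"email": "alice@example.org", "externalID": "00u1"},
    {"email": "bob@example.org", "externalID": None},
    {"email": "carol@example.org", "externalID": "00u9"},  # externalID points at a different Okta user than the email does
    {"email": "dave@example.org", "externalID": None},     # no Okta account at all
]

OKTA_USERS = [
    {"id": "00u1", "login": "alice@example.org", "email": "alice@example.org"},
    {"id": "00u2", "login": "bob@example.org", "email": "bob@example.org"},
    {"id": "00u3", "login": "carol@example.org", "email": "carol@example.org"},
    {"id": "00u9", "login": "c.smith@example.org", "email": "c.smith@example.org"},
]


def match_axon_to_okta(axon_users, okta_users):
    """Return {axon_email: okta_id or None}, applying externalID precedence.

    externalID is compared against the Okta attribute mapped to it (assumed
    here to be the Okta user id). When it matches, the email is not consulted,
    which is exactly the case where a stale externalID maps to another account.
    """
    by_id = {u["id"]: u for u in okta_users}
    by_email = {}
    for u in okta_users:
        # Both the Okta email and the login (UPN) are accepted as match keys;
        # compare case-insensitively, as email addresses are not case-sensitive in practice.
        by_email[u["email"].lower()] = u
        by_email[u["login"].lower()] = u

    result = {}
    for a in axon_users:
        okta = None
        if a.get("externalID") and a["externalID"] in by_id:
            okta = by_id[a["externalID"]]
        elif a["email"].lower() in by_email:
            okta = by_email[a["email"].lower()]
        result[a["email"]] = okta["id"] if okta else None
    return result


def report_mismatches(axon_users, okta_users):
    """List Axon users that are unmapped or whose externalID and email disagree."""
    by_id = {u["id"]: u for u in okta_users}
    mapping = match_axon_to_okta(axon_users, okta_users)
    findings = []
    for a in axon_users:
        okta_id = mapping[a["email"]]
        if okta_id is None:
            findings.append((a["email"], "no matching Okta account"))
        elif by_id[okta_id]["email"].lower() != a["email"].lower():
            findings.append((a["email"], f"externalID maps to Okta user {okta_id} with a different email"))
    return findings


if __name__ == "__main__":
    for email, problem in report_mismatches(AXON_USERS, OKTA_USERS):
        print(f"{email}: {problem}")
```

Run it against an export of both user lists before enabling SSO; any finding is a user who will either fail to sign in or, worse, land in another person's Axon account.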

Configure SSO with Okta Single Sign-On

This section outlines the steps for adding a new SAML-based application to Okta.

Step 1 - Create an Okta application

  1. Sign in to your Okta admin dashboard.

  2. Select Applications, and then select Add Application.

  3. Select Web as the platform and SAML 2.0 as the sign-on method.

  4. Select Create to set up a new application for Axon.

Step 2 - Configure Okta

  1. In the Okta application setup, fill in the SAML Settings with Axon specifics:

    1. Single Sign-On URL

      Value: https://[organization].evidence.com/?class=UIX&proc=Login
      Replace organization with the subdomain of your Axon organization.
      Description: This is your organization's Axon tenant URL. This is the URL that the federation service will redirect to once sign-in is complete.

    2. Recipient URL/Destination URL
      Value: Select to use Single Sign-On URL for these.

    3. Audience URI
      Value: https://[organization].evidence.com
      Description: Axon uses this to ensure that this SAML token is for this organization. Since many SAML providers use the same public/private key for all of their customers' applications, the combination of Key + Audience URI ensures that this SAML token is for the correct application/audience, in this case Axon.

    4. Name ID Format
      Value: Persistent
      Description: If the SAML provider asks which nameid format it should use, configure it as "unspecified." Axon will request the correct one when signing in.

    5. Response
      Value: Signed

    6. Assertion
      Value: Signed

    7. Request Compression
      Value: Compressed
      Description: By default, Okta does not follow the standard SAML protocol of compressing all HTTP-REDIRECT based requests. This must be set to Compressed for login to work correctly with Axon's sign-in system.

  2. Select Show Advanced Settings to reveal more options:

    1. Honor Forced Authentication
      Value: Yes
      Description: By default, Okta does not allow forced reauthentication. This setting is required for some Axon products.

  3. Add the following Attribute Statement:
    Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Value: ${user.email}
    Description: Ensure that the email address is sent for each user. If it's not sent, the user-based registration will not work correctly.
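To make the Step 2 settings concrete, the following Python script (an added example, not Axon's or Okta's code) builds the HTTP-Redirect AuthnRequest the way the binding requires, raw DEFLATE then Base64 then URL encoding with ForceAuthn set, and then applies the checks that the Audience URI and the emailaddress attribute statement exist for to a constructed SAML Response. The Okta endpoint URL, the organization subdomain, the request ID and the Response itself are constructed; signature verification is deliberately left out so the sample stays short.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

# Added example; not Axon's or Okta's code. The Okta URL, the "organization"
# subdomain, the request ID and the SAML Response below are all constructed.
OKTA_SSO_URL = "https://example.okta.com/app/example/sso/saml"   # assumed IdP endpoint
AUDIENCE = "https://organization.evidence.com"                   # Audience URI (Step 2)
ACS_URL = AUDIENCE + "/?class=UIX&proc=Login"                    # Single Sign-On URL (Step 2)
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_redirect_url(force_authn=True, request_id="_req1"):
    """Encode an AuthnRequest for the HTTP-Redirect binding.

    The binding requires raw DEFLATE (no zlib header) before Base64 and URL
    encoding; that is what "Request Compression: Compressed" makes Okta accept.
    ForceAuthn="true" is the flag that "Honor Forced Authentication" lets Okta obey.
    """
    force = "true" if force_authn else "false"
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="{request_id}" Version="2.0" '
           f'IssueInstant="2024-01-01T00:00:00Z" ForceAuthn="{force}" '
           f'AssertionConsumerServiceURL="{escape(ACS_URL)}">'
           f'<saml:Issuer xmlns:saml="{NS["saml"]}">{AUDIENCE}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # wbits=-15 -> raw DEFLATE
    deflated = comp.compress(xml.encode()) + comp.flush()
    return OKTA_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_request(url):
    """Inverse of build_redirect_url; also usable on the redirect observed in Step 6."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))


def sample_response(audience=AUDIENCE):
    """Constructed Response as posted back to the Single Sign-On URL (signature omitted)."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Destination="{escape(ACS_URL)}"><saml:Assertion><saml:Subject>'
            f'<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">00u1</saml:NameID>'
            f'</saml:Subject><saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">'
            f'<saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>'
            f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')


def check_response(xml_text, expected_audience=AUDIENCE):
    """Apply the checks the Step 2 settings exist for: audience restriction and the email claim.

    Verifying the Response/Assertion signature against the certificate from
    Step 3 must come first in a real implementation and is not shown here.
    Returns (ok, detail).
    """
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        # A token issued for another tenant under the same IdP key fails here.
        return False, f"audience {audiences} does not include {expected_audience}"
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return True, value.text
    return False, "emailaddress attribute missing: user-based registration would fail"


if __name__ == "__main__":
    url = build_redirect_url()
    print(url)
    print(decode_redirect_request(url).get("ForceAuthn"))
    print(check_response(sample_response()))
    print(check_response(sample_response("https://other-org.evidence.com")))
```

The second check_response call shows why the Audience URI matters: a Response that is otherwise well formed, and would carry a valid signature from the shared Okta key, is rejected because it was issued for a different tenant.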

Step 3 - Obtain certificate

  1. Open a web browser and navigate to the URL of your Okta installation.

  2. Select the lock icon next to the URL, and then select Connection.

  3. Select Certificate, select the Details tab, and then select Export.

  4. Choose the format and then select Save. The browser will open or download a file. The exact behavior will depend on the browser you use and its download settings for files.

  5. Save the file in a location where you can access it later.
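Depending on the format chosen in item 4, the browser writes either a binary DER file or a Base64 PEM file, while Step 5 asks for the Base64-encoded certificate. The Python helper below, an added example and not Axon's or Okta's code, normalises either export to the PEM form and can also confirm that a certificate is the same one embedded in the signature block of a captured SAML Response, which is the certificate any signature check on Axon's side has to use. The certificate bytes and the Response snippet are constructed and are not a real certificate.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# Added example (not Axon's or Okta's code). SAMPLE_DER is constructed and is
# not a real X.509 certificate; it only has the 0x30 SEQUENCE tag a DER file starts with.
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))


def _pem_body(pem_text: str) -> bytes:
    """Decode the Base64 between the PEM header and footer, ignoring any line endings."""
    body = pem_text.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    return base64.b64decode("".join(body.split()))


def to_pem(cert_bytes: bytes) -> str:
    """Return the certificate as Base64 PEM whatever format the browser exported.

    Accepts binary DER (.cer/.der) or an existing PEM (including one with
    Windows CRLF line endings) and emits a clean 64-column PEM block.
    """
    text = cert_bytes.decode("ascii", errors="ignore")
    der = _pem_body(text) if PEM_HEADER in text else cert_bytes
    if not der or der[0] != 0x30:
        raise ValueError("input is neither PEM nor a DER certificate")
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(b64, 64), PEM_FOOTER]) + "\n"


def matches_signing_cert(pem_text: str, saml_response_xml: str) -> bool:
    """True if the ds:X509Certificate carried in a SAML Response is this certificate.

    Assumption: the Response embeds its signing certificate in KeyInfo, which is
    the common IdP behaviour; if it is absent this returns False.
    """
    ds = "{http://www.w3.org/2000/09/xmldsig#}"
    node = ET.fromstring(saml_response_xml).find(f".//{ds}X509Certificate")
    if node is None or not node.text:
        return False
    embedded = base64.b64decode("".join(node.text.split()))
    return embedded == _pem_body(pem_text)


# Constructed Response fragment carrying SAMPLE_DER in its signature block.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>'
    f'<ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>'
)


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(pem)
    print("matches signing certificate:", matches_signing_cert(pem, SAMPLE_RESPONSE))
```

Paste the output of to_pem into the Security Certificate field in Step 5; if matches_signing_cert returns False for a Response captured during Step 6, the certificate in Axon is not the one Okta is signing with and sign-in will fail.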

Step 4 - Assign users to the Axon tenant in Okta

In Okta where you've set up the Axon tenant, you need to assign all user accounts that require access to your Axon organization to the Axon tenant.

Depending on your organization's Okta subscription, different methods may be available for user assignment. It's advisable to create a directory group comprising members who need access to your Axon organization and assign this group to the Axon app.

If group assignment isn't supported, individual users can be added manually to Axon apps, as described in Step 6 - Verify the SSO configuration.

Step 5 - Configure Axon for SSO

Important: Before you enable SSO for your organization, it's highly recommended that you test the setup. This can be done using a test tenant (if available) or during off-hours to minimize disruption. For testing instructions, see Step 6 - Verify the SSO configuration. Verification is crucial to confirm all assigned users will have uninterrupted access through SSO.

  1. Before getting started, verify that you have the following required information:

    1. An HTTP-REDIRECT based Single Sign-On URL

    2. A Single Logout URL

    3. A Base64 Encoded Security Certificate

  2. Sign in to your Axon Evidence account, select Admin, and then under Security Settings, select Single Sign-On.

  3. Select the check box next to Enable SSO.

  4. In the Issuer field, enter the unique identifier of the identity provider. This is typically a URL.

  5. In the Single Sign-On URL field, enter the URL of your Okta installation. This can be found on the Okta settings page.

  6. Select Add Certificate to open a Security Certificate field on the settings page.

  7. Use a text editor to open the file you downloaded in Step 3 and copy its contents into the Security Certificate field.

  8. Configure these optional settings:

    1. Do not send signup email: Select this if you don't want your users to receive an email from Axon Evidence when they are added to the system.

    2. Admin Bypass: This setting allows admins who have the Configure Agency Security Settings permission to bypass SSO and update the SSO configuration if it fails or their certificate expires. It is recommended that this is enabled in case there's a problem with your SSO sign-in, at least until you have finished verifying the SSO configuration.

  9. Select Save to enable SSO for your organization.

Step 6 - Verify the SSO configuration

Follow these steps to verify and test that Axon sign in with Okta is correctly configured:

  1. Sign out of Axon and close your browser window or tab.

  2. In a new window or tab, go to your organization's Axon home page. The protocol must be https:
    https://organization.evidence.com

  3. The Axon sign-in system redirects the browser to an Okta web site. Sign in using the credentials of the Okta account that you assigned to the Axon app.

  4. Once testing is complete, you may want to go back to your Axon SSO settings and disable the Admin Bypass setting.

Once you've successfully confirmed SSO functionality, learn more about the process for new user registration, existing user first sign-in with SSO, and daily sign-in.

Additional Resources

For further guidance and detailed information on configuring SSO with Axon Evidence, refer to the following resources: