Question:
How do I integrate Okta single sign-on with SnapStream using SAML 2.0?
Answer:
These instructions detail how to integrate Okta single sign-on with SnapStream.
Prerequisite: an Okta developer account, which you can create at https://developer.okta.com/signup/.
- From the Okta user home page click the Admin button.
- This takes you to the Admin Dashboard. By default, this is set to Developer Console mode. You need to set it to Classic UI in order to create a SAML application.
- Click the Applications tab at the top. Then click the Add Application button.
- Then select Create New App.
- In the Create a New Application Integration dialog, select Web and SAML 2.0, then click Create.
- On the General Settings page give your application a name in the App Name field. For example, "SnapStream Integration", then click Next.
- Log in to your SnapStream web UI as an administrator and go to Admin -> Config -> Security.
- In the External Authentication drop-down, select SAML 2.0. Several setting fields will appear. Scroll to the bottom of the page and find the one labeled SAML ACS URL.
- Copy this value to the clipboard. It is of the form http://<server_name>/Login/SamlConsume.
- Return to the Okta application and go to the SAML Settings page.
- Paste the SAML ACS URL you copied above into the Single sign on URL text box.
- In the Audience URI (SP Entity ID) field, enter a dummy URL, for example, "http://example.com/saml/sso/example-okta-com".
- Leave Name ID format as "Unspecified" and Application username as "Okta username".
- Click Show Advanced Settings.
- In the SAML Issuer ID setting, set it to http://www.okta.com/${org.externalKey}. Leave the remaining default settings.
- Under ATTRIBUTE STATEMENTS, add the following, using the exact case:
  - Name: User.Email
  - Name format: Unspecified
  - Value: user.email
- Under GROUP STATEMENTS, add the following, using the exact case:
  - Name: Group.Name
  - Name format: Unspecified
  - Filter: Regex with value .*
- Click Next. Select "I'm a software vendor, I'd like to integrate my app with Okta". Click Finish.
- Go to the Sign On -> Settings page and click View Setup Instructions.
- You should see the Okta fields for Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate.
- Return to the SnapStream server Security settings page and fill in the following:
  - SAML Endpoint: the Identity Provider Single Sign-On URL from above
  - SAML Issuer: the Identity Provider Issuer from above
  - SAML Certificate: the X.509 Certificate from above
- Click Save.
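To confirm that Okta sends what these steps configure, the following added example (not SnapStream or Okta code) decodes a base64 SAMLResponse captured from a test login and reports mismatches in the Destination, Issuer, Audience, and the User.Email and Group.Name attributes. The hostname, issuer value, email address, and group name in the sample are constructed, and the helper names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("User.Email", "Group.Name")  # exact case, per the Okta steps above

def check_saml_response(b64_response, acs_url, issuer, audience):
    """List configuration mismatches found in a base64-encoded SAMLResponse."""
    # Debugging aid: does NOT verify the XML signature; never use it to authenticate.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the SAML ACS URL")
    if root.findtext("a:Assertion/a:Issuer", "", NS) != issuer:
        problems.append("Issuer does not match the SAML Issuer setting")
    if root.findtext(".//a:AudienceRestriction/a:Audience", "", NS) != audience:
        problems.append("Audience does not match the Audience URI")
    attrs = {}
    for attr in root.iterfind(".//a:AttributeStatement/a:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("a:AttributeValue", NS) if v.text]
    lowered = {name.lower(): name for name in attrs}
    for name in REQUIRED:
        if name in attrs:
            if not attrs[name]:
                problems.append(f"{name} is present but has no values")
        elif name.lower() in lowered:
            problems.append(f"{lowered[name.lower()]} sent, expected exact case {name}")
        else:
            problems.append(f"{name} attribute is missing")
    return problems

# Constructed sample values (not from a real Okta org or SnapStream server).
ACS = "http://snapstream.example.test/Login/SamlConsume"
ISSUER = "http://www.okta.com/exkCONSTRUCTED"
AUDIENCE = "http://example.com/saml/sso/example-okta-com"

def sample_response(email_attr="User.Email", groups=("Newsroom",)):
    """Build a constructed, unsigned SAMLResponse for exercising the checker."""
    group_values = "".join(f"<a:AttributeValue>{g}</a:AttributeValue>" for g in groups)
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{ACS}">'
           f'<a:Assertion><a:Issuer>{ISSUER}</a:Issuer><a:Conditions><a:AudienceRestriction>'
           f'<a:Audience>{AUDIENCE}</a:Audience></a:AudienceRestriction></a:Conditions>'
           f'<a:AttributeStatement><a:Attribute Name="{email_attr}">'
           f'<a:AttributeValue>jdoe@example.test</a:AttributeValue></a:Attribute>'
           f'<a:Attribute Name="Group.Name">{group_values}</a:Attribute>'
           f'</a:AttributeStatement></a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(sample_response("user.email", ()), ACS, ISSUER, AUDIENCE))
```

An empty Group.Name attribute usually means the test user belongs to no Okta group, so no SnapStream group mapping can apply to that login.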
Applies to Version:
SnapStream EDU, Enterprise, and Cloud editions 9.0 and above. SAML integration is not available on Pro or Express systems.
Additional Notes:
To use Okta groups for permission settings in SnapStream, link each Okta group to a SnapStream group under Admin -> Config -> Groups. You can view and edit the groups in Okta under Directory -> Groups.