1) Log into your WI Cloud Management console instance thanks to "internal/local" credentials at “https://myInstanceName-mgmt.prod.fire.glass/console”

2) Go to “Management -> Identity Providers” and create a new SAML IdP. “IdP Type” choose “Generic SAML”, mark “Configuration Mode”-> “Fill in IdP details later”, “Host Name” leave already filled “myInstanceName-mgmt.prod.fire.glass” and “Port” 443. Click on “Show Metadata” saving the info to a text file for future references. Click on “Create” button. In the pop up window “Does Identity Provider Support Importing A Metadata File?” select “No” and save “symantec_threat_isolation_certificate.pem” locally.

3) Log in “https://developer.okta.com/login/”. Skip the initial wizard.

4) Go to “Applications -> Applications” and click “Create App Integration”.

5) Select “SAML 2.0’.

6) Give the new app a name, example “WI_Admin_Console” and choose the app logo.

7) In the “Configure SAML” panel set (copied text file info):

• Single sign-on URL:                           “https://myInstanceName.prod.fire.glass:443/console/samlauthentication/samlcallback”
• Audience URI (SP Entity ID):            “https://myInstanceName.prod.fire.glass:443/console/samlauthentication/samlcallback”    
• Default RelayState:                            “https://myInstanceName.prod.fire.glass:443/console/samlauthentication/samlcallback”
• Name ID format:                                 “EmailAddress”
• Application username:                      “Email”
• Update application username on:    “Create and update”

Click on “Show Advanced Settings” and set:

• Response:                                                          Signed
• Assertion Signature:                                         Signed
• Signature Algorithm:                                         RSA-SHA256
• Digest Algorithm:                                              SHA256
• Digest Algorithm:                                               Encrypted
• Encryption Algorithm:                                        AES256-CBC
• Key Transport Algorithm:                                  RSA-OAEP
• Encryption Certificate:                                      Upload “symantec_threat_isolation_certificate.pem” downloaded from the WI Management
• Signature Certificate:                                       Upload “symantec_threat_isolation_certificate.pem” downloaded from the WI Management
• Allow application to initiate Single Logout:    https://instName-mgmt.prod.fire.glass:443/console/samlauthentication/samllogoutcallback
• SP Issuer:                                                          fgokta

Leave the rest as per default …

8) Click on “Next”, select “I'm an Okta customer adding an internal app”, “This is an internal app that we have created” and click on “Finish”.

9) In the new application click on the “Sign On” tab, scroll down to “SAML Signing Certificates”, for the one in status “Active” certificate click on “Actions”, “Download Certificate” and save the “okta.cert” to the local machine.

10) In the same new application SAML 2.0 tab scroll up and copy the Metadata URL clicking on the “Copy” related button.

11) Go back to the WI admin console “Management -> Identity Providers -> Newly created SAML -> Edit”, in the “IdP Details” panel click on “Import from URL” and paste the above copied OKTA SAML “Metadata URL”.  Scroll down and in the same “IdP Details” panel click on “Signing Certificate“ “Browse” button and upload the previously downloaded “okta.cert” file.

12) In the same “User Management -> SAML Trusts -> Edit” “Claims” panel make sure fields are set as:

• Username Attribute:                nameID
• Username Identifier Format:  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
• Groups Attribute:                    groups

Click on “UPDATE” and “Push Settings”.

13) In WI management go to “Management > Management Roles > Edit Administrator” or any other role that need to be authenticated thanks to SAML.

14) In the "Update management Role" window - Choose the newly created SAML IdP from the "Provider" drop-down menu. Set “Attribute Type” to “Username”. In the “Username” field set the new admin email address, example “[email protected]”. Click on “Add” and “Update” buttons:

15) Go to WI “Policies”, “My Policy”; add a new rule at the top to “PASS” any user (including unauthenticated users) toward “*.okta.com” and “*.oktacdn.com”.

16) In the OKTA admin console go to “Directory -> People” and add a new person making sure the email address is a valid one and that “Send user activation email now” is selected. The new user will receive the “activation email” and will have to confirm it clicking on the email link. The new account password can be either set by the admin or by the user.

17) Go to the previously created “application”, example “WI_Admin_Console” and in the “Assignments” tab “Assign” the new person to the application. Make sure “User Name” is the user email address. Groups can also be created as per requirements.

18) Test login “https://myInstanceName-mgmt.prod.fire.glass/console” clicking on “ADVANCED” and select newly created identity provider, example:

19) Click on the right arrow, the browser is redirected to OKTA login, after proper credentials are inserted the user is successfully, redirected and logged into the WI management console.