Skyhigh Security

Integrate Okta in a Salesforce SAML Proxy

To integrate Okta with the Salesforce SAML proxy, follow the steps below: first configure Okta, then configure the Skyhigh CASB SAML proxy, and finally configure Salesforce.

Prerequisites

The following items must be in place before you begin:

  • An existing Skyhigh CASB tenant.
  • An existing SFDC sandbox.
  • An existing Okta account.
  • Operational Salesforce reverse proxy.
  • SFDC and Okta accounts set up with the same user name.

Step 1: Configure Okta

  1. Log in as admin and then navigate to the Okta Admin dashboard.
    okta_1.png
  2. Navigate to Applications
    okta_2.png
  3. Click Add Application
    okta_3.png
  4. Search for Salesforce.com and click Add.
    okta_4.png
  5. Complete the application settings. Keep the defaults except where the screenshots below highlight a change.
    okta_5a.png 
    okta_5b.png 
    okta_5c.png 

    NOTE: The screen above assigns users to the application. You can do it later, but it’s easier to do this now.

  6. From the Salesforce Application in Okta, select Sign On.
    okta_6.png
  7. Edit the sign-on settings and find the View Setup Instructions button.
    okta_7.png

  8. Capture the following information; you will need it when you configure SFDC.

    Item: Example

    Issuer: exk40ysck2TaAl0gN0h7

    Identity provider login URL: https://dev-752117.oktapreview.com/app/salesforce/exk40ysck2TaAl0gN0h7/sso/saml

    Identity Provider Logout URL: https://dev-752117.oktapreview.com

    IDP certificate: download this certificate; it will be imported into the SHN SAML proxy.

    NOTE: Leave the Okta SFDC SSO configuration screen open. You will come back to it later.

Step 2: Configure Skyhigh CASB SAML Proxy

  1. Log in to Skyhigh CASB and go to Settings > Service Management.
  2. Configure SAML Certificates for the Salesforce reverse proxy.
    clipboard_ede44194256bb43e1e48372b6ffa2e564.png
  3. Upload the IDP certificate obtained earlier from Okta.
    clipboard_e82661dbf98e6be61655a46116782e563.png

  4. Then click Export Proxy Server Certificate. You will import this certificate into Salesforce later.
    clipboard_eefea9ed76998b065ceef1892229dd7d4.png

NOTE: Leave this window open so you can import the SFDC certificate later.

Step 3: Configure Salesforce

  1. Log in as admin to your SFDC environment. You must log in to SFDC directly, not through the proxy, to perform these steps.
  2. Choose Setup > Security Controls > Certificate and Key Management.
    okta_salesforce_2.png
  3. Click Create Self-Signed Certificate.
    okta_salesforce_3.png

  4. Enter a label for the self-signed cert, leave the key size at 2048, and click Save.
    okta_salesforce_4.png

  5. Click the link for the new cert.
    okta_salesforce_5.png

    Then download the certificate. This is the service provider certificate that you upload to the SHN proxy.
    okta_salesforce_5b.png

  6. Return to the Skyhigh CASB SAML Proxy and upload the SFDC certificate. Click OK.
    okta_salesforce_6.png
  7. In Salesforce, go to Setup > Security Controls > Single Sign-On Settings.
    okta_salesforce_7.png
  8. Click Edit and then enable SAML. Then click New to create an SSO setting.
    okta_salesforce_8.png

  9. Enter the following items captured during the Okta setup.

    Item: Example

    Issuer: exk40ysck2TaAl0gN0h7

    Identity provider login URL: https://dev-752117.oktapreview.com/app/salesforce/exk40ysck2TaAl0gN0h7/sso/saml

    Identity Provider Logout URL: https://dev-752117.oktapreview.com

  10. Enter the other parameters as shown in this screenshot and click Save.
    okta_salesforce_10.png
    • Request signing certificate = the self-signed SFDC cert you created
    • IDP certificate = the SHN proxy certificate, NOT the Okta certificate
    • Entity ID is usually https://saml.salesforce.com

NOTE: If your organization is using a custom domain, the Entity ID must be the custom domain, for example, https://rks-corp17-dev-ed.my.salesforce.com

  11. From the single sign-on page, click the link to the new SAML settings you created.
    okta_salesforce_11.png
  12. From the Endpoints section, capture the Salesforce Login URL.
    okta_salesforce_12.png
  13. Copy and edit the URL. Replace the host with your SFDC reverse proxy host, and append &shnsaml to the end of the URL:

    Original: https://login.salesforce.com?so=00D37000000KQJ1
    New: https://logincrm.rkscorp27.shnpoc.net?so=00D37000000KQJ1&shnsaml

  14. Navigate back to Okta, where you left the Salesforce SSO settings open, and in the Login URL field enter the modified login URL you created in the previous step. Leave the application username format as Okta username and click Save.
    okta_salesforce_14.png
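The URL rewrite in step 13 and the cross-checks in steps 10 and 14 are easy to get subtly wrong (the most common slip is uploading the Okta certificate, rather than the exported proxy certificate, into the Salesforce IDP certificate slot). The following Python script is an added example, not Skyhigh, Okta or Salesforce code: it rewrites the captured Salesforce Login URL onto the reverse proxy host with the `&shnsaml` marker, and runs a preflight over the assembled settings. The URLs and domains are the ones shown on this page; the certificate fingerprints are constructed placeholders, and the function names `proxy_login_url` and `check_integration` are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Example values: URLs and domains are taken from this page's illustration.
PROXY_HOST = "logincrm.rkscorp27.shnpoc.net"
SALESFORCE_LOGIN_URL = "https://login.salesforce.com?so=00D37000000KQJ1"
DEFAULT_ENTITY_ID = "https://saml.salesforce.com"

# Constructed placeholder fingerprints standing in for the three certificates
# exchanged during setup (compare against `openssl x509 -fingerprint` output).
PROXY_CERT_FP = "SHA256:11:11:11:11"  # exported SHN proxy server certificate
OKTA_CERT_FP = "SHA256:22:22:22:22"   # IDP certificate downloaded from Okta
SFDC_CERT_FP = "SHA256:33:33:33:33"   # self-signed certificate created in Salesforce

MARKER = "&shnsaml"


def proxy_login_url(salesforce_login_url, proxy_host):
    """Step 13: rewrite the Salesforce Login URL captured from the Endpoints
    section so Okta sends its SAML response to the Skyhigh reverse proxy.
    The host is replaced, the ?so=<org id> query is kept, and the literal
    marker &shnsaml is appended (once, even if the URL was already rewritten)."""
    parts = urlsplit(salesforce_login_url)
    if parts.scheme != "https":
        raise ValueError("Salesforce Login URL must use https, got %r" % parts.scheme)
    if "so" not in dict(parse_qsl(parts.query)):
        # Only the Endpoints-section URL carries the org id; anything else was
        # probably copied from the wrong page.
        raise ValueError("expected the ?so=<org id> query from the SSO Endpoints section")
    query = parts.query
    if query.endswith(MARKER):
        query = query[: -len(MARKER)]
    return urlunsplit((parts.scheme, proxy_host, parts.path, query + MARKER, parts.fragment))


def check_integration(settings, proxy_host, known_certs, custom_domain=None):
    """Preflight for the values entered in steps 10 and 14.
    Returns a list of findings; an empty list means the values are consistent
    with this guide."""
    findings = []

    # Entity ID is https://saml.salesforce.com unless a custom My Domain is used,
    # in which case it must be that domain.
    expected_entity = custom_domain or DEFAULT_ENTITY_ID
    if settings["entity_id"] != expected_entity:
        findings.append("Entity ID should be %s, found %s" % (expected_entity, settings["entity_id"]))

    # Salesforce's "IDP certificate" slot must hold the SHN proxy certificate,
    # because the proxy, not Okta, is the IdP that Salesforce talks to.
    idp_fp = settings["idp_certificate_fingerprint"]
    if idp_fp == known_certs["okta"]:
        findings.append("IDP certificate is the Okta certificate; upload the exported proxy certificate instead")
    elif idp_fp != known_certs["proxy"]:
        findings.append("IDP certificate does not match the exported proxy certificate")

    # Request signing certificate must be the self-signed cert created in Salesforce.
    if settings["request_signing_certificate_fingerprint"] != known_certs["sfdc"]:
        findings.append("Request signing certificate is not the Salesforce self-signed certificate")

    # The Okta IdP URLs captured in step 8 must be https.
    for key in ("idp_login_url", "idp_logout_url"):
        if urlsplit(settings[key]).scheme != "https":
            findings.append("%s must use https" % key)

    # Okta's Login URL (step 14) must point at the reverse proxy with the marker.
    okta_login = urlsplit(settings["okta_login_url"])
    if okta_login.hostname != proxy_host:
        findings.append("Okta Login URL host is %r, expected proxy host %r" % (okta_login.hostname, proxy_host))
    if not okta_login.query.endswith(MARKER):
        findings.append("Okta Login URL is missing the trailing &shnsaml marker")

    return findings


KNOWN_CERTS = {"proxy": PROXY_CERT_FP, "okta": OKTA_CERT_FP, "sfdc": SFDC_CERT_FP}

# A correctly assembled configuration using this page's example values.
EXAMPLE_SETTINGS = {
    "issuer": "exk40ysck2TaAl0gN0h7",
    "idp_login_url": "https://dev-752117.oktapreview.com/app/salesforce/exk40ysck2TaAl0gN0h7/sso/saml",
    "idp_logout_url": "https://dev-752117.oktapreview.com",
    "entity_id": DEFAULT_ENTITY_ID,
    "request_signing_certificate_fingerprint": SFDC_CERT_FP,
    "idp_certificate_fingerprint": PROXY_CERT_FP,
    "okta_login_url": proxy_login_url(SALESFORCE_LOGIN_URL, PROXY_HOST),
}

if __name__ == "__main__":
    print(proxy_login_url(SALESFORCE_LOGIN_URL, PROXY_HOST))
    # Reproduce the classic mistake: Okta's certificate in the IDP slot.
    wrong = dict(EXAMPLE_SETTINGS, idp_certificate_fingerprint=OKTA_CERT_FP)
    for finding in check_integration(wrong, PROXY_HOST, KNOWN_CERTS):
        print("finding:", finding)
```

Run it as-is to see the rewritten URL from step 13 and the finding raised when the Okta certificate is placed in the IDP certificate slot; pass `custom_domain="https://rks-corp17-dev-ed.my.salesforce.com"` (or your own My Domain) to apply the custom-domain Entity ID rule from the note under step 10.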