Introduction
This document describes how to configure OKTA SSO External Authentication for login to Cisco Secure Email Encryption Service (Registered Envelope).
Prerequisites
Administrator access to Cisco Secure Email Encryption Service (Registered Envelope).
Administrator access to OKTA.
Self-Signed or CA Signed (optional) X.509 SSL certificates in PKCS #12 or PEM format (provided by OKTA).
Background Information
- Cisco Secure Email Encryption Service (Registered Envelope) enables SSO login for end users who use SAML.
- OKTA is an identity manager that provides authentication and authorization services to your applications.
- Cisco Secure Email Encryption Service (Registered Envelope) can be set as an application which is connected to OKTA for authentication and authorization.
- SAML is an XML-based open standard data format that enables users to access a defined set of applications seamlessly after they sign into one of those applications.
- To learn more about SAML, refer to: SAML General Information
Requirements
- Cisco Secure Email Encryption Service (Registered Envelope) administrator account.
- OKTA administrator account.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Under Okta:
1. Navigate to the Applications portal and select Create App Integration, as shown in the image:
![Applications Portal - Create App Integration selection](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-00.png)
2. Select SAML 2.0 as the application type, as shown in the image:
![Select SAML 2.0 application type](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-01.png)
3. Enter the App name CRES and select Next, as shown in the image:
![Assign app name of CRES](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-02.png)
4. Under the SAML settings, fill in the fields, as shown in the image:
- Single sign on URL: This is the Assertion Consumer Service obtained from the Cisco Secure Email Encryption Service.
- Audience URI (SP Entity ID): This is the Entity ID obtained from the Cisco Secure Email Encryption Service.
- Name ID format: keep it as Unspecified.
- Application username: Email, which prompts the user to enter their email address during the authentication process.
- Update application username on: Create and Update.
![Fill in SAML Settings](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-03.png)
Scroll down to Group Attribute Statements (optional), as shown in the image:
Enter the following attribute statement:
- Name: group
- Name format: Unspecified
- Filter: Equals, with the value OKTA
![Enter Group attributes](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-04.png)
Select Next.
5. When asked to Help Okta to understand how you configured this application, enter the reason that applies to the current environment, as shown in the image:
![Reason for app configuration](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-05.png)
Select Finish to proceed to the next step.
6. Select the Assignments tab and then select Assign > Assign to Groups, as shown in the image:
![Assignments - Assign to Groups](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-06.png)
7. Select the OKTA group, which is the group of users authorized to access the environment.
8. Select Sign On, as shown in the image:
![Select Sign On](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-07.png)
9. Scroll down and, in the right corner, select the View SAML setup instructions option, as shown in the image:
![View SAML setup instructions](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-08.png)
10. Save to a notepad the following information, which you must enter into the Cisco Secure Email Encryption Service portal, as shown in the image:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
![Cisco Secure Email Encryption Service portal details](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-09.png)
11. Once you complete the OKTA configuration, go back to the Cisco Secure Email Encryption Service.
Under Cisco Secure Email Encryption Service (Registered Envelope):
1. Log in to your organization portal as an administrator; the link is CRES Administration Portal, as shown in the image:
![Administration Console Log In dialog box](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-10.png)
2. On the Accounts tab, select the Manage Accounts tab, as shown in the image:
![Select Manage Accounts tab](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-11.png)
3. Click an Account Number and select the Details tab, as shown in the image:
![Select Details tab](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-12.png)
4. Scroll down to Authentication Method and select SAML 2.0, as shown in the image:
![Select SAML 2.0 as Authentication Method](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-13.png)
5. For the SSO Alternate Email Attribute, leave it blank, as shown in the image:
![Leave SSO Alternate Email Attribute blank](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-14.png)
6. For the SSO Service Provider Entity ID*, enter https://res.cisco.com/, as shown in the image:
![Enter SSO Service Provider Entity ID](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-15.png)
7. For the SSO Customer Service URL*, enter the Identity Provider Single Sign-On URL provided by Okta, as shown in the image:
![Enter the Identity Provider Single Sign-On URL](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-16.png)
8. For the SSO Logout URL, leave it blank, as shown in the image:
![Leave SSO Logout URL blank](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-17.png)
9. For the SSO Identity Provider Verification Certificate, upload the X.509 Certificate provided by OKTA.
10. Select Save to save the settings, as shown in the image:
![Select Save](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-18.png)
11. Select Activate SAML to start the SAML authentication process and enforce SSO authentication, as shown in the image:
![Select Activate SAML](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-19.png)
12. A new window opens to inform you that SAML authentication becomes active after successful authentication with the SAML Identity Provider. Select Continue, as shown in the image:
![SAML Identity Provider Authentication message](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-20.png)
13. A new window opens to authenticate with OKTA credentials. Enter the Username and select Next, as shown in the image:
![OKTA credentials Sign In](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-21.png)
14. If the authentication process is successful, the SAML Authentication Successful message is displayed. Select Continue to close this window, as shown in the image:
![SAML Authentication Successful message](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-22.png)
15. Confirm the SSO Enable Date is set to the date and time at which the SAML authentication was successful, as shown in the image:
![Confirm SSO Enable Date is the same as SAML Authentication date](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-23.png)
The SAML configuration is complete. From this point on, users who belong to the CRES organization are redirected to use their OKTA credentials when they enter their email address.
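As an added example (not part of this Cisco document and not Okta or CRES code), the following Python script checks a SAML assertion returned by Okta against the values the two procedures above configure: the Identity Provider Issuer, the Audience (the SP Entity ID https://res.cisco.com/, trailing slash included), an email-address NameID, the group attribute statement, and the embedded X.509 certificate. The Okta-side values and the sample assertion are constructed placeholders; the script checks field consistency only and does not verify the XML signature, which CRES performs with the uploaded verification certificate.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# What the procedure above configures; the Okta-side values are constructed placeholders for those copied in step 10.
EXPECTED = {
    "audience": "https://res.cisco.com/",            # SSO Service Provider Entity ID
    "issuer": "http://www.okta.com/exk-PLACEHOLDER",  # Identity Provider Issuer (placeholder)
    "group_attr": "group",                           # group attribute statement name
    "group_value": "OKTA",                           # Filter: Equals OKTA
    "x509": "MIIC-PLACEHOLDER-CERT",                 # X.509 Certificate from Okta (placeholder)
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed sample assertion, shaped like what Okta sends with the settings above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_1" Version="2.0">
 <saml:Issuer>http://www.okta.com/exk-PLACEHOLDER</saml:Issuer>
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  MIIC-PLACEHOLDER-CERT
 </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://res.cisco.com/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="group">
  <saml:AttributeValue>OKTA</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, expected=EXPECTED):
    """Return the list of mismatches against the CRES settings; empty means every checked value lines up."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        problems.append(f"issuer {issuer!r} differs from the configured Identity Provider Issuer")
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    if audience != expected["audience"]:  # exact string match: a missing trailing slash is a mismatch
        problems.append(f"audience {audience!r} differs from the SP Entity ID")
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_RE.match(name_id):
        problems.append("NameID is not an email address; Application username must be Email")
    groups = [v.text.strip() for a in root.findall(".//saml:Attribute", NS)
              if a.get("Name") == expected["group_attr"]
              for v in a.findall("saml:AttributeValue", NS) if v.text]
    if expected["group_value"] not in groups:
        problems.append(f"group attribute does not carry {expected['group_value']!r}")
    cert = re.sub(r"\s+", "", root.findtext(".//ds:X509Certificate", default="", namespaces=NS))
    if cert != re.sub(r"\s+", "", expected["x509"]):  # PEM line breaks are ignored in the comparison
        problems.append("signing certificate differs from the uploaded verification certificate")
    return problems
```

Run it against a real assertion by saving the decoded SAMLResponse from the browser's developer tools and passing its Assertion element to check_assertion; each reported mismatch names the Okta or CRES field to correct.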
Verify
1. Navigate to Secure Email Encryption Service Portal. Enter the email address registered to CRES, as shown in the image:
![Secure Email verification](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-24.png)
2. A new window opens to proceed with the OKTA authentication. Sign in with the OKTA credentials, as shown in the image:
![OKTA Authentication Login](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-25.png)
3. If the authentication is successful, the Secure Email Encryption Service opens the Compose Message window, as shown in the image:
![Compose Message dialog box](/c/dam/en/us/support/docs/security/registered-envelope-service/218342-configure-okta-sso-external-authenticati-26.png)
Now the end user can access the Secure Email Encryption Service portal to compose secure emails or open new envelopes with OKTA credentials.
Related Information
Cisco Secure Email Encryption Service 6.2 Account Administrator Guide
Cisco Secure Gateway End User Guides
OKTA Support