Integrating Trusona and Okta Cloud IAM

This guide details the steps required to configure Trusona as a passwordless authentication solution for your Okta cloud instance.

Getting Started

Step 1: Email Trusona

Send an email to integration@trusona.com with the following information:

Subject: Okta Integration

  1. Company name
  2. Email domain(s) associated with your Okta users
  3. Optional - Vanity URL (the URL users see while on the Trusona gateway)

Example:

Gateway URL: https://okta98098.gateway.trusona.net/sessions/new
or
Vanity URL: https://login.yourcompany.com/sessions/new

Setting up a vanity URL

Add a new CNAME DNS record for your domain.

  1. Set the “host” value to the host name you’d like users to see when logging in
  2. Set the “Answer” value to ssl.trusona.net
  3. Set the TTL to 300

Here’s an example of a CNAME answer as returned by dig tada.trusona.com:

tada.trusona.com. 3600 IN CNAME ssl.trusona.net.
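To confirm the record before telling Trusona the vanity host, a small checker (added example, not part of Trusona’s guide) can parse the dig answer and compare it with what this section asks for. The sample answer line is the guide’s own example; the host names are the guide’s placeholders.

```python
import re

# Expected CNAME target and TTL for a Trusona vanity host, as stated in the guide.
EXPECTED_TARGET = "ssl.trusona.net."
EXPECTED_TTL = 300

# Constructed sample: the answer section `dig +noall +answer tada.trusona.com` would
# print for the guide's example record (dig separates the fields with tabs or spaces).
SAMPLE_ANSWER = "tada.trusona.com. 3600 IN CNAME ssl.trusona.net.\n"

# owner-name  ttl  IN  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")


def parse_answer(text):
    """Parse dig-style answer lines into (owner, ttl, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4).lower()))
    return records


def check_vanity_cname(host, answer_text):
    """Return a list of findings for the vanity host; an empty list means it matches the guide."""
    owner = host.lower().rstrip(".") + "."  # canonical form with trailing dot
    cnames = [r for r in parse_answer(answer_text) if r[0] == owner and r[2] == "CNAME"]
    if not cnames:
        return [f"no CNAME record found for {owner}"]
    findings = []
    if len(cnames) > 1:
        findings.append(f"{owner} has {len(cnames)} CNAME records; a name may carry only one")
    _, ttl, _, target = cnames[0]
    if target != EXPECTED_TARGET:
        findings.append(f"CNAME points at {target}, expected {EXPECTED_TARGET}")
    if ttl != EXPECTED_TTL:
        findings.append(f"TTL is {ttl}, guide recommends {EXPECTED_TTL}")
    return findings


if __name__ == "__main__":
    for finding in check_vanity_cname("tada.trusona.com", SAMPLE_ANSWER):
        print(finding)
```

Run against the guide’s own example line it reports only the TTL, since that record carries 3600 rather than the 300 the steps above ask for.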

Trusona will send you the following via email:

  1. IdP Signature Certificate
  2. Origin URL
  3. IdP Single Sign-On URL

Step 2: Log into the Okta admin portal

If you are taken to the developer portal by default, open the dropdown that reads Developer Console and click Classic UI.

If you instead see the page with an Admin button, click the Admin button.

Step 3: Create API token

Navigate to “Security” > “API” and then click the Create Token button.

Copy your API token (“Token Value” in the above image) and save it somewhere safe. You will send this to Trusona along with other information in step 8.

Step 4: Add Origin

Navigate to “Security” > “API” > “Trusted Origins” and click the Add Origin button.

  1. Name the Origin Trusona
  2. Enter the Origin URL that Trusona provided by email
  3. Check both the CORS and Redirect checkboxes

Step 5: Create a group

Navigate to “Directory” > “Groups”, click Add Group, and enter a name and a description.

  1. Name the group Trusona
  2. Provide a group description
  3. Click Add Group

This group is used to prevent users who log in passwordlessly with Trusona from being prompted for an additional second factor of authentication.

You don’t need to maintain the membership of this group. Group membership is automatically managed by Trusona via the Okta API. Do not add any members to the group.

Step 6: Create an Identity Provider

Navigate to “Security” > “Identity Providers”, click Add Identity Provider, then click SAML 2.0 IdP.

Note: If the “Add Identity Provider” button does not have a dropdown, click “Add Identity Provider” and continue with the steps below.

Complete the form to add the new SAML IdP using the information below:

General Settings

Field   Value     Instructions
Name    Trusona

Authentication Settings

Field               Value                           Instructions
IdP Username        idpuser.subjectNameId
Filter              ^.*@yourEmailDomainHere.com$    Replace yourEmailDomainHere.com with your email domain
Match against       Okta Username
If no match found   Create new user (JIT)
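The Filter value above decides which NameIDs from the Trusona assertion Okta will match or, given the JIT setting, turn into new users, so it is worth seeing exactly what the pattern accepts. The example below is added here and is not part of Trusona’s guide; it runs the guide’s pattern (with a constructed domain in place of the placeholder) and a stricter variant over constructed NameID values.

```python
import re

# The guide's Filter value, with the placeholder replaced by a constructed example domain.
GUIDE_FILTER = r"^.*@example-corp.com$"

# Stricter variant (added here, not from the guide): the dot is escaped so it only matches
# a literal '.', and the local part must be non-empty and free of '@' or whitespace.
STRICT_FILTER = r"^[^@\s]+@example-corp\.com$"

# Constructed NameID values as a SAML assertion might carry them.
SAMPLE_SUBJECTS = [
    "alice@example-corp.com",         # ordinary user
    "bob@example-corp.com",
    "mallory@example-corpXcom",       # unescaped '.' in the guide's pattern also matches 'X'
    "eve@evil.example-corp.com",      # different domain; '@example-corp' never appears
    "eve@evil.com@example-corp.com",  # greedy '.*' swallows the first '@'
    "@example-corp.com",              # empty local part
]


def accepted(pattern, subjects):
    """Return the subjects an Okta IdP Username filter with this regex would let through."""
    rx = re.compile(pattern)
    return [s for s in subjects if rx.match(s)]


if __name__ == "__main__":
    print("guide filter :", accepted(GUIDE_FILTER, SAMPLE_SUBJECTS))
    print("strict filter:", accepted(STRICT_FILTER, SAMPLE_SUBJECTS))
```

Both patterns reject a look-alike subdomain; only the stricter one also rejects the unescaped-dot, double-@ and empty-local-part cases, which matters when “If no match found” is set to create users.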

JIT Settings

Field               Value                         Instructions
Profile Master      Unchecked
Group Assignment    Assign to specific groups
Specific Groups     Your Group Name               Enter the group name created in step 5.
If no match found   Create new user (JIT)

SAML Protocol Settings

The email you receive back from Trusona will contain the IdP Single Sign-On URL and the IdP Signature Certificate.

Field                       Value                                       Instructions
IdP Issuer URL              https://gateway.trusona.net/saml/metadata
IdP Single Sign-On URL      Issued by Trusona                           Copy from the Trusona email
IdP Signature Certificate   Issued by Trusona                           Copy from the Trusona email

Once the information in the tables above has been entered into the form, click the Add identity provider button to continue.

Step 7: Create new Sign-On policy

To create the new policy, click the Add New Okta Sign-On Policy button.

  1. Enter “TrusonaUsers” for the Policy Name
  2. Choose a meaningful description for the Policy Description
  3. Add the group you created in step 5 in the “Assign to Groups” section
  4. Click Create Policy and Add Rule
  5. Rule Name: give the rule a name (this rule allows users to authenticate from anywhere)
  6. Note: Make sure “Prompt for Factor” is unchecked
  7. After creating the rule, make sure it is activated

Step 8: Send Trusona your configuration details

Using https://onetimesecret.com send the following information to integration@trusona.com:

  1. API Token Key
  2. Group URL [Located in Directory > Groups > Trusona]
  3. SAML metadata [Located in Security > Identity Providers by expanding the SAML IdP row]

Once this information is received, Trusona will provision your Okta integration and notify you by email when the Trusona integration is ready for use.

Step 9: Create Routing Rule

Note: Do not move on to step 9 until you have received confirmation from Trusona that the information you sent in step 8 has been provisioned. Otherwise you may be locked out of your account.

Navigate to “Security” > “Identity Providers” > “Routing Rules”

To create the new Routing Rule, click the Add Routing Rule button.

Match the fields below and click Create Rule.

Field                        Value
Rule Name                    Trusona
User’s IP is                 Anywhere
User’s device platform       Any device
User is accessing            Any application
User matches                 Anything
Use this identity provider   Trusona

Step 10: Create a Trusona application

General Settings

  1. Navigate to Applications > Applications > Add Application
  2. Click Create new app
  3. Platform: Web; Sign on method: SAML 2.0; then click Create
  4. Click Next

Field            Value
App name         Trusona
App logo         Trusona logo
App visibility   Unchecked

Configure SAML

  1. Copy the IdP Single Sign-On URL located under SAML Protocol Settings on the identity provider page and paste it into the Single sign on URL field
  2. Change the end of the URL from saml to registrations, then click Next
  3. Check “Use this for Recipient URL and Destination URL”
  4. Audience URI (SP Entity ID): Enter https://gateway.trusona.net/saml/metadata
  5. Click Next

Feedback

  1. Click the radio button “I’m an Okta customer adding an internal app”
  2. Click Finish

Step 11: Create an Assignment

Within the new Trusona application, go to Assignments > Assign

  1. Assign to Groups
  2. Select Everyone
  3. Click Assign
  4. Click Done

Step 12: Customizing your Trusona experience

The Trusona Gateway (pictured below) includes default styling that will be familiar to users of the Trusona App.

Optionally, it’s possible to provide a custom branded experience for your users including things like:

  • A custom vanity URL
  • Custom secure QR code colors
  • Your company logo and colors

In order for Trusona to create your custom gateway, you need to provide Trusona with hex values and images for the following:

Provide images

  • Hero image: 1440 x 1800 px
  • Logo image: 500 x 500 px

Provide hex values

  • Animated dot color: the color of the dots that animate
  • List of QR colors: provide 2 hex values; a color listed more than once appears more often
  • Link color: also changes the Okta widget button colors
  • Text color:
  • Background color: the background behind the QR code; usually pure white (#FFFFFF)