Sitecore Content Hub - Solve common Okta SSO configuration issues with practical tips and advice

Recently, I was configuring Sitecore Content Hub 4.x for Single Sign-on (SSO) authentication with the Okta identity provider through SAML. I ran into a few issues that I would like to highlight in this blog post, and also provide the missing information that you'd need to successfully make the two applications work together.

Sitecore Content Hub configuration

Sitecore's general documentation on external providers can be found at https://docs.stylelabs.com/contenthub/4.0.x/content/user-documentation/manage/user-security/user-authentication/external-authentication-providers.html.

The base provider configuration found at the link above is a pretty good starting point for any external provider configuration (be it Okta, Azure AD or any other). The documentation is pretty detailed, so I will not repeat the information here.

For SAML, you'd typically need an sp_entity_id. This entity id can be any value that you set on the Content Hub side, but I usually go with the URL of the Content Hub instance (like https://xxxx.sitecorecontenthub.cloud/) to keep it consistent with the environment. This will also be the Redirect URI which you'd need to configure SAML authentication on Okta.

Here is the configured SAML authentication JSON in Content Hub:

Issue #1: Don't miss the leading / in the module_path URL

Please note the settings highlighted in red in the screenshot above. The module_path has to be /AuthServices-{provider_name}, and your provider name has to be some unique value. Though the documentation provides the full URL, it is quite easy to miss the leading / in the module_path URL.

I'll be using the OOTB username and email claim types in this example, but it is possible to use your client's custom Okta claims as well. In fact, most organizations use custom ones for their configuration.

Okta configuration

Issue #2: Figuring out the correct Single Sign-on URL to be configured in Okta

Please note the /Acs at the end of the URL. I spent quite a lot of time trying to figure out the correct SSO URL on the Okta side. After some trial and error, and by watching another Okta authentication against a local sandbox instance, I found this out through the browser developer tools.

Issue #3: Configuring the right email and username attributes

Since I used the OOTB Content Hub global claim types with Okta SSO, I needed to configure the values (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) as custom attribute names in Okta.
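The three pitfalls above can be caught before you ever click "Sign in". Below is a small added checker (my example, not Sitecore or Okta code) that inspects a Content Hub provider entry for the missing leading slash, derives the Okta Single Sign-on URL as the instance URL plus module_path plus /Acs as described above, and lists the OOTB claim names Okta must emit. It assumes only the key names this post mentions (provider_name, module_path, sp_entity_id); the sample tenant values are constructed.

```python
# Added example: sanity-check a Content Hub SAML provider entry against the
# three issues in this post. Only the keys named in the post are modelled;
# the rest of the Content Hub provider schema is deliberately left out.

# Constructed sample tenant, not a real instance. The module_path here
# deliberately lacks the leading slash (Issue #1).
SAMPLE_PROVIDER = {
    "provider_name": "okta-contoso",
    "module_path": "AuthServices-okta-contoso",
    "sp_entity_id": "https://xxxx.sitecorecontenthub.cloud/",
}

# OOTB Content Hub global claim types; Okta must send attribute statements
# with exactly these names when you use the default mapping (Issue #3).
OOTB_CLAIMS = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}


def check_provider(cfg):
    """Return a list of problems found; an empty list means the entry looks right."""
    problems = []
    name = cfg.get("provider_name", "")
    path = cfg.get("module_path", "")
    if not name:
        problems.append("provider_name must be a unique, non-empty value")
    if not path.startswith("/"):
        problems.append("module_path must start with '/' (Issue #1)")
    expected = f"/AuthServices-{name}"
    if path.lstrip("/") != expected.lstrip("/"):
        problems.append(f"module_path should be {expected!r}, got {path!r}")
    if not cfg.get("sp_entity_id", "").startswith("https://"):
        problems.append("sp_entity_id should be the https URL of the Content Hub instance")
    return problems


def okta_sso_url(cfg):
    """Single Sign-on URL to enter in Okta: instance URL + module_path + /Acs (Issue #2)."""
    base = cfg["sp_entity_id"].rstrip("/")
    path = "/" + cfg["module_path"].lstrip("/")
    return f"{base}{path}/Acs"


def fix_module_path(cfg):
    """Return a copy of the entry with module_path in the documented form."""
    fixed = dict(cfg)
    fixed["module_path"] = f"/AuthServices-{cfg['provider_name']}"
    return fixed
```

Running check_provider on the sample reports only the missing slash; after fix_module_path the entry passes and okta_sso_url gives the ACS endpoint to paste into Okta.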

Hope you find this blog post useful. Let me know in the comments if you did.