SSO - okta - SAML

Hello there,

I hope you are doing well.

Our customer is configuring all the information in Okta. We now need to configure it in our Metabase.
However, our customer gave me an XML that I need to fill in, so he can conclude his configuration, and afterwards I can also configure it in the admin panel in Metabase.

But I don't understand what I need to put in the XML.
The XML looks like:

<?xml version="1.0" encoding="UTF-8"?> ... ....

Do you know what I need to do?
In the documentation I don't see anything about filling in an XML.

Best regards and thanks

Hi @pfonte

Welcome to Metabase!

Can you paste the structure of the entire XML excluding any personal or security info?

That will help the community in providing you the appropriate help.

Kind regards.

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="prd-ney-tdc-access" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate></ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate></ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:AssertionConsumerService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="URL" index="1"/>
    </md:SPSSODescriptor>
</EntityDescriptor>

Hi @pfonte
Apologies for the delay in responding. I missed the notifications as I was indisposed.

Based on the XML you sent, you need to add the Okta signing and encryption certificates to the configuration.

The signing and encryption certificates can be found on your Okta dashboard.

The modified XML will look like this (some code removed for brevity):

First: add your encryption key to the part <md:KeyDescriptor use="encryption">

<md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MkqhkiG9ANBw0BAQEFAAOCAQ8AMIIBCgKCAQEA.........</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>

And then your signing key here:

 <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>ANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA.........</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>

Also, you will need the Assertion Consumer Service. Refer to Understanding SAML | Okta Developer for details.
It will be added to the part:

<md:AssertionConsumerService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://your-assertion-url" index="1"/>

I hope this helps.
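Before sending a filled-in SP metadata file back to the IdP administrator, it is worth checking mechanically that every slot the thread talks about has actually been populated: both X509Certificate elements contain a base64 DER blob, the AssertionConsumerService Location is an https:// URL rather than the literal placeholder, and WantAssertionsSigned is still true. The script below is an added example written for this thread; it is not code from Metabase, Okta or the posters. The embedded template is the one pasted above, the certificate bytes and the https://metabase.example.com/auth/sso URL are constructed stand-ins, and the only parser used is the Python standard library (which does not resolve external entities, so untrusted metadata is safe to feed in).

```python
"""Sanity-check a SAML 2.0 SP metadata template before handing it to the IdP admin.

Added example for the thread above (not Metabase or Okta code). It reports every
placeholder that is still unfilled: empty X509Certificate elements, a non-https
AssertionConsumerService Location, a wrong Binding, or WantAssertionsSigned != true.
"""
import base64
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# The unfilled template from the thread (XML declaration omitted; it is not needed for parsing).
SP_TEMPLATE = """<EntityDescriptor entityID="prd-ney-tdc-access" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:AssertionConsumerService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="URL" index="1"/>
    </md:SPSSODescriptor>
</EntityDescriptor>"""

# Constructed stand-in for a DER certificate: begins with the SEQUENCE tag 0x30 like real DER,
# but is NOT a real certificate. Replace with the real base64 from the certificate file.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(16)).decode()

# The same template with both certificate slots and the ACS URL filled in (URL is assumed).
SP_FILLED = (SP_TEMPLATE
             .replace("<ds:X509Certificate></ds:X509Certificate>",
                      "<ds:X509Certificate>%s</ds:X509Certificate>" % FAKE_CERT_B64)
             .replace('Location="URL"', 'Location="https://metabase.example.com/auth/sso"'))


def _q(ns, tag):
    """Clark-notation qualified name ({namespace}tag) for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def check_sp_metadata(xml_text):
    """Return a list of problems found; an empty list means every slot is filled sensibly."""
    problems = []
    try:
        root = ET.fromstring(xml_text)  # stdlib parser: no DTD fetching, no entity expansion
    except ET.ParseError as e:
        return ["not well-formed XML: %s" % e]

    if root.tag != _q(MD, "EntityDescriptor"):
        problems.append("root element is not md:EntityDescriptor")
    if not (root.get("entityID") or "").strip():
        problems.append("entityID is empty")

    sp = root.find(_q(MD, "SPSSODescriptor"))
    if sp is None:
        problems.append("SPSSODescriptor is missing")
        return problems

    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned should be true so unsigned assertions are rejected")

    cert_path = "%s/%s/%s" % (_q(DS, "KeyInfo"), _q(DS, "X509Data"), _q(DS, "X509Certificate"))
    uses_seen = set()
    for kd in sp.findall(_q(MD, "KeyDescriptor")):
        use = kd.get("use", "signing+encryption")  # per the spec, no 'use' means both
        uses_seen.add(use)
        cert = kd.find(cert_path)
        blob = re.sub(r"\s+", "", cert.text or "") if cert is not None else ""
        if not blob:
            problems.append("KeyDescriptor use=%r has an empty X509Certificate" % use)
            continue
        try:
            der = base64.b64decode(blob, validate=True)
        except ValueError:
            problems.append("KeyDescriptor use=%r certificate is not valid base64" % use)
            continue
        if not der.startswith(b"\x30"):  # DER Certificate is an ASN.1 SEQUENCE
            problems.append("KeyDescriptor use=%r does not look like a DER certificate" % use)
    for use in ("signing", "encryption"):
        if use not in uses_seen and "signing+encryption" not in uses_seen:
            problems.append("no KeyDescriptor for use=%r" % use)

    services = sp.findall(_q(MD, "AssertionConsumerService"))
    if not services:
        problems.append("AssertionConsumerService is missing")
    for svc in services:
        loc = svc.get("Location", "")
        if not loc.lower().startswith("https://"):
            problems.append("AssertionConsumerService Location %r is not an https:// URL" % loc)
        if svc.get("Binding") != HTTP_POST:
            problems.append("AssertionConsumerService Binding %r is not HTTP-POST" % svc.get("Binding"))
    return problems


if __name__ == "__main__":
    for label, doc in (("template", SP_TEMPLATE), ("filled", SP_FILLED)):
        print(label, check_sp_metadata(doc) or "OK")
```

Run against the pasted template it reports the two empty certificate slots and the placeholder Location; against the filled copy it reports nothing. The DER check only looks at the leading SEQUENCE tag, so a wrong but well-formed certificate (for example the IdP's certificate pasted where the SP's belongs) still passes; confirming which party's certificate each slot must hold is a matter for the IdP and SP documentation, not for this script.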