Okta

This article describes how to configure SAML login to GitProtect with Okta as the identity provider (IdP).

General requirements and limitations

Logging into GitProtect using SAML-integrated identity providers should be initiated from the GitProtect panel.

Do not log in to the application defined for GitProtect from the IdP panel (e.g. from the Okta end-user dashboard).

Do not test the integration from the IdP panel either (e.g. with the Okta test feature), because that starts an IdP-initiated login, which is not the SP-initiated flow GitProtect expects.

Two files are needed. A PKCS #12 file containing an X.509 certificate and its private key (usually a .pfx file, optionally password-protected) is used for signing on the GitProtect side and must be attached to the IdP configuration in GitProtect. The X.509 certificate alone (usually a .crt file) is used for signature verification on the IdP side and must be uploaded to the application configuration in the Okta panel.

Both files contain the same certificate, and the PKCS #12 file additionally contains the private key to this certificate.

If the PKCS #12 file is password-protected, add this password to the IdP configuration in the GitProtect panel.

Configuration

In the Admin dashboard (available from the top-right corner of the window), go to the Applications tab and select the Applications page.

Now hit the Create App Integration button and select SAML 2.0.

In the General Settings tab specify the application name and move to the Configure SAML tab.

In the Configure SAML tab, set the Single sign-on URL parameter as below:

  • https://GitProtectManagementServiceURL/Auth/AssertionConsumerService

where:

  1. GitProtectManagementServiceURL - the URL of your GitProtect Management Service.

In the Audience URI field, type your application name (configured in the General Settings tab).

Now click the Show advanced settings button and, in the Signature Certificate field, upload the certificate file (.crt) that Okta will use to verify GitProtect's signature. After that, you can tick the Allow application to initiate Single Logout checkbox in the Enable Single Logout field; this is required.

When Allow application to initiate Single Logout is checked, two additional fields appear. Fill them in as below:

  • Single Logout URL: https://GitProtectManagementServiceURL/auth/SAMLLogoutResponse

  • SP Issuer: MyOktaApp

where:

  • GitProtectManagementServiceURL - URL address to your GitProtect Management Service

  • MyOktaApp - Application name (configured in the General Settings tab).

Now, move to the Group Attribute Statements field and fill it as below:

  • Name: xoperogroup

  • Starts with: XONE
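To make the effect of the group filter concrete: Okta evaluates the filter against the names of the groups the user belongs to and sends every matching name as a value of the named attribute (here xoperogroup). The following added example (not GitProtect's or Okta's code) models that behaviour and shows how the service-provider side reads the values back. It goes beyond the page's single "Starts with" case by modelling the other filter operators Okta offers; the assumption that "Matches regex" must match the whole group name, and the sample group names, are mine.

```python
"""Added example (not GitProtect or Okta code): models Okta's Group Attribute
Statement filter and the SP-side read-out of the resulting SAML attribute."""
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)

# Filter operators offered by Okta's Group Attribute Statements UI.
# Assumption: "Matches regex" must match the whole group name (Okta's own
# example of ".*" to send every group is consistent with that).
_OPERATORS = {
    "Starts with": lambda name, value: name.startswith(value),
    "Equals": lambda name, value: name == value,
    "Contains": lambda name, value: value in name,
    "Matches regex": lambda name, value: re.fullmatch(value, name) is not None,
}


def filter_groups(user_groups, operator="Starts with", value="XONE"):
    """Return the user's group names that pass the filter, in a stable order."""
    try:
        match = _OPERATORS[operator]
    except KeyError:
        raise ValueError(f"unknown filter operator: {operator!r}") from None
    return sorted(g for g in user_groups if match(g, value))


def group_attribute_xml(user_groups, attr_name="xoperogroup",
                        operator="Starts with", value="XONE"):
    """Serialise the <saml:Attribute> an IdP would emit for the matching groups."""
    attr = ET.Element(f"{{{SAML}}}Attribute", Name=attr_name)
    for g in filter_groups(user_groups, operator, value):
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = g
    return ET.tostring(attr, encoding="unicode")


def read_group_attribute(attribute_xml, attr_name="xoperogroup"):
    """SP side: pull the group values back out of one attribute element.
    Returns [] when the element is not the attribute we asked for."""
    attr = ET.fromstring(attribute_xml)
    if attr.tag != f"{{{SAML}}}Attribute" or attr.get("Name") != attr_name:
        return []
    return [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]


# Constructed sample membership for a demo user (not real data).
SAMPLE_GROUPS = ["Everyone", "XONE-admins", "XONE-devs", "Finance"]

if __name__ == "__main__":
    xml_text = group_attribute_xml(SAMPLE_GROUPS)
    print(xml_text)
    print(read_group_attribute(xml_text))
```

With the page's settings only the two XONE groups reach the assertion; "Everyone" and "Finance" are never sent, which is the point of the filter.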

Now click Next. In the window that opens, select I'm an Okta customer adding an internal app and click Finish.

Open the created application and move to the Sign On page.

In the SAML Signing Certificates section, select the certificate and click Actions -> View IdP metadata. Copy the URL of the page that opens; it will be needed in the GitProtect panel.

Now, move to the Assignment tab.

Assign the application to the chosen users or groups: click Assign, choose whether to assign to individual users or to a whole group, and then click Assign on the right side of the window that opens.
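Before moving to the GitProtect side, it is worth checking what the copied metadata URL actually returns and that the values typed into Okta were derived consistently. The following added example (not GitProtect's or Okta's code) builds the four SP-side values from the management URL and application name, using the paths exactly as printed on this page, and parses an IdP metadata document to extract the entityID, the SSO and Single Logout endpoints, and the SHA-256 fingerprint of the signing certificate. The hostname gitprotect.example.com, the dev-000000.okta.com tenant, the exkCONSTRUCTED application id, the placeholder certificate blob and the list of findings are all my assumptions; the sample metadata is constructed to resemble Okta's layout and is not a real download.

```python
"""Added example (not GitProtect or Okta code): derive the SP values for the
Okta Configure SAML tab and sanity-check IdP metadata before its URL goes
into GitProtect. Standard library only; runs offline on the sample below."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sp_settings(management_url, app_name):
    """The four SP-side values, with the paths exactly as printed on this page."""
    parsed = urlparse(management_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("management URL must be an absolute https:// URL")
    base = management_url.rstrip("/")
    return {
        "Single sign-on URL": f"{base}/Auth/AssertionConsumerService",
        "Audience URI": app_name,
        "Single Logout URL": f"{base}/auth/SAMLLogoutResponse",
        "SP Issuer": app_name,
    }


def cert_fingerprint(b64_der):
    """SHA-256 over the DER bytes: the same digits `openssl x509 -noout
    -fingerprint -sha256` prints for that certificate, minus colons, lower case."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def parse_idp_metadata(xml_text):
    """Extract entityID, endpoints and signing-cert fingerprints from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}{tag}")}

    fingerprints = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            fingerprints.append(cert_fingerprint(cert.text))
    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "signing_cert_sha256": fingerprints,
    }


def check_idp(meta):
    """Findings worth fixing before wiring the IdP in; an empty list means none."""
    findings = []
    if HTTP_POST not in meta["sso"]:
        findings.append("no HTTP-POST SingleSignOnService endpoint")
    if not meta["slo"]:
        findings.append("no SingleLogoutService endpoint: Single Logout not enabled on the Okta app")
    if not meta["signing_cert_sha256"]:
        findings.append("no signing certificate: assertion signatures cannot be verified")
    for url in [*meta["sso"].values(), *meta["slo"].values()]:
        if urlparse(url).scheme != "https":
            findings.append(f"endpoint is not https: {url}")
    return findings


# Constructed sample resembling Okta's metadata layout; tenant, app id and
# certificate blob are placeholders, not real values.
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://www.okta.com/exkCONSTRUCTED">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://dev-000000.okta.com/app/dev-000000_myoktaapp_1/exkCONSTRUCTED/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://dev-000000.okta.com/app/dev-000000_myoktaapp_1/exkCONSTRUCTED/sso/saml"/>
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://dev-000000.okta.com/app/dev-000000_myoktaapp_1/exkCONSTRUCTED/slo/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, val in sp_settings("https://gitprotect.example.com", "MyOktaApp").items():
        print(f"{key}: {val}")
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso"][HTTP_POST], meta["signing_cert_sha256"])
    print("findings:", check_idp(meta) or "none")
```

On a real tenant, fetch the copied metadata URL and pass the body to parse_idp_metadata; a missing SingleLogoutService entry means the Allow application to initiate Single Logout checkbox was not saved, and the fingerprint should match the one Okta shows for the selected signing certificate.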

GitProtect side

Log into the GitProtect Web panel, go to the Settings tab and open the External Identity Providers section. Click Add new provider button and fill in the details.

First, Name, which is your own custom name (e.g. Okta), then Entity ID, which in this example is MyOktaApp (the application name set on the Okta side).

Next, paste the link of IdP metadata into the Metadata URL field.

Attach the PKCS #12 file (.pfx) with the certificate and private key and, if the file is password-protected, add its password to the Safe Password Manager.

More about adding a new password to the Safe Password Manager can be found in the following article:

Add A New Password

Set the default Language and Role (with the appropriate permissions) for users who log in through this provider, and it's done. You can now log out of your account and test the configuration by logging in from the GitProtect panel with the configured integration.

More about the Roles in GitProtect can be found in the following article:

Roles and permissions
