Integrating Okta SSO with Ekran System


To set up Okta SSO (Single Sign-On) authentication for use with Ekran System, OpenSSL must first be installed: it is used to generate the signing certificate that is uploaded to Okta and the matching PKCS#12 file that is uploaded to the Ekran System Management Tool.

With OpenSSL installed, generate the certificates as follows:

1. Open the Windows command prompt or Linux terminal.

2. Generate a self-signed X.509 certificate (to be uploaded to Okta as the Signature Certificate) and export it together with its private key as a PKCS#12 file (to be uploaded to Ekran System). Note that the rsa:1024 key size used in the session below is shorter than current recommendations; specifying rsa:2048 works in exactly the same way.

user:/mnt/c/dev/okta_sso$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout cert.pem -out cert.pem
Generating a RSA private key
writing new private key to 'cert.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
user:/mnt/c/dev/okta_sso$ openssl pkcs12 -export -out cert.pfx -in cert.pem -name EkranSSO
Enter Export Password:
Verifying - Enter Export Password:
user:/mnt/c/dev/okta_sso$ ls
cert.pem  cert.pfx  pubkey.pem
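The interactive session above can be reproduced without typing at the prompts, and the result checked before anything is uploaded. The script below is an added example, not code from the Ekran System documentation: it assumes only that openssl is on PATH, uses a 2048-bit key instead of the page's rsa:1024, passes constructed placeholder subject values via -subj, reads the export password from an environment variable so it does not end up in shell history, and then confirms that the certificate inside cert.pfx is byte-for-byte the one in cert.pem (same SHA-256 fingerprint) and is not about to expire.

```shell
#!/bin/sh
# Added example (not from the Ekran System documentation). Requires openssl on PATH.

# gen_sso_certs DIR PASSWORD
# Writes DIR/cert.pem (private key followed by the self-signed certificate,
# as in the page's session) and DIR/cert.pfx (PKCS#12 bundle of both).
gen_sso_certs() {
    dir="$1"
    pass="$2"
    mkdir -p "$dir" || return 1
    # -subj answers the Distinguished Name prompts; values are placeholders.
    # 2048-bit key instead of the 1024 bits used on the page.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/cert.pem" -out "$dir/cert.pem" \
        -subj "/C=US/ST=Example/L=City/O=Example Org/OU=IT/CN=EkranSSO" \
        >/dev/null 2>&1 || return 1
    # Export password supplied through an environment variable (env:NAME)
    # rather than on the command line, so it is not visible in `ps` or history.
    PFX_PASS="$pass" openssl pkcs12 -export -out "$dir/cert.pfx" \
        -in "$dir/cert.pem" -name EkranSSO -passout env:PFX_PASS \
        >/dev/null 2>&1 || return 1
    # Both files contain the private key: restrict them to the owner.
    chmod 600 "$dir/cert.pem" "$dir/cert.pfx"
}

# pem_fingerprint FILE  -> SHA-256 fingerprint of the certificate in a PEM file
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pfx_fingerprint FILE PASSWORD -> SHA-256 fingerprint of the certificate
# stored in a PKCS#12 file (the private key is not written anywhere).
pfx_fingerprint() {
    PFX_PASS="$2" openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASS 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_valid_for_days FILE DAYS -> exit 0 if the certificate will still be
# valid DAYS days from now, non-zero otherwise (useful as a renewal reminder).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage: PFX_EXPORT_PASSWORD='...' sh this_script.sh generate ./okta_sso
if [ "${1:-}" = "generate" ]; then
    out="${2:-./okta_sso}"
    gen_sso_certs "$out" "${PFX_EXPORT_PASSWORD:?set PFX_EXPORT_PASSWORD}" || exit 1
    pem_fp="$(pem_fingerprint "$out/cert.pem")"
    pfx_fp="$(pfx_fingerprint "$out/cert.pfx" "$PFX_EXPORT_PASSWORD")"
    printf 'cert.pem  %s\ncert.pfx  %s\n' "$pem_fp" "$pfx_fp"
    [ "$pem_fp" = "$pfx_fp" ] && echo "OK: cert.pfx contains the certificate uploaded to Okta"
fi
```

Compare the printed fingerprint with the one Okta shows for the uploaded Signature Certificate; if they differ, the Management Tool will be validating signatures with a different key than Okta expects and logins will fail.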

Okta Configuration

1. Open the Applications > Application section, and click Create App Integration.


2. In the pop-up window that opens, select the SAML 2.0 option, and then click Next.


3. On the General Settings page, fill out the App name field with a name for the application, and then click Next.


4. On the Configure SAML page, fill out the Single sign on URL and Audience URI (SP Entity ID) fields, replacing the example "https://terminal/EkranSystem" URL shown in the screenshot below with the URL of your Management Tool in both fields.


5. Then click on Show Advanced Settings and configure the following (as shown in the screenshots below).

a) Upload your x509 certificate in the Signature Certificate field.


b) Replace the example "https://terminal/EkranSystem" part of the URL (shown in the screenshot below) with the URL of your Management Tool in the Single Logout URL field.


c) Click Next to apply the changes.

6. On the Feedback page, select the "I'm a software vendor. I'd like..." option as displayed in the screenshot below, and then click Finish to apply the changes.


7. After finalizing configuration of the SAML integration, scroll down to the SAML Signing Certificates section (on the Applications > Application > <your application> > Sign On page), and then click the Action button next to SHA-2, and select View IdP metadata in the drop-down list.


8. Save the page displayed in the new browser tab that opens (e.g. by pressing Ctrl+S, or, in the Chrome browser, by opening the browser menu and selecting More Tools > Save page as...) to download the metadata.xml file.


NOTE: You can close the browser tab after downloading the metadata.xml file.

9. On the previous page, scroll up and open the Assignments page (by clicking Applications > Application > <your application> > Assignments).


10. Then select the Assign > Assign to People option, and assign a user to this application, and then click Done to apply the changes.


Management Tool Configuration

1. Log in to the Ekran System Management Tool, click the Configuration button (at the top of the Management Tool interface), and then select the SSO Integration tab.


2. Configure the following options:

• Issuer name: Enter your Management Tool URL.

• Identity provider metadata (xml): Click Choose File, and select the metadata.xml file.

• Certificate: Select the Custom certificate option, click Choose File, upload your cert.pfx certificate, and then enter the Certificate password (the export password entered when cert.pfx was created).


3. Click Save to apply the changes.

4. Restart the EkranServer service in Services.