import { Callout } from 'nextra/components'
# Configure SAML SSO login
Hatica supports login via SAML providers. In general, the steps are:
- Create a SAML application in your provider's admin console and provision (assign) the users who should have access.
- Add the relevant details in Hatica and enable login via SAML.
Once you enable login via SAML it becomes the only way to sign in; the previous Email and OTP login is disabled. Hatica grants access to any user for whom your identity provider issues a valid assertion, so who is permitted to log in is controlled on the provider side, normally by assigning users or groups to the SAML application. Put that assignment in place before you enable SAML, and keep your own session open while you test (see the last section).
## Azure AD
### Create your Azure application
From your Azure Admin console, click Enterprise applications from the left navigation menu.
If your application is already created, choose it from the list and move to the Configure Application section.
If you haven't created a SAML application yet, click New application at the top to create one.
From the next screen, click Create your own application, give your application a Name and click Create.
### Configure Application
Select Single Sign On from the Manage section of your app and then SAML.
Click Edit on the Basic SAML Configuration section.
Enter the following values in the Basic SAML Configuration section on the next screen:

- Identifier (Entity ID) - hatica
- Reply URL (Assertion Consumer Service URL) - https://gw.hatica.io/api/oauth/saml
Click Save to save your changes.
### Attribute Mapping
Click Edit on the Attributes & Claims section.
You have to configure the following attributes under the Attributes & Claims section:
Go to the SAML Signing Certificate section and download the Federation Metadata XML (see screenshot #2). You will paste this file into Hatica in the final step; it contains the certificate Hatica uses to verify that assertions really come from your tenant.
**Next steps:** You've successfully configured your custom SAML application for Azure AD SAML. At this stage, assign the users or groups that should be able to sign in to the application, and check in the application's Properties that Assignment required is set to Yes so that unassigned users in your tenant are refused.
## Azure AD FS
From your Azure Admin console, click Enterprise applications from the left navigation menu.
If your application is already created, choose it from the list and move to the Configure Application section.
If you haven't created a SAML application yet, click New application at the top to create one.
From the next screen, click Create your own application, give your application a Name and click Create.
### Configure Application
Select Single Sign On from the Manage section of your app and then SAML.
Click Edit on the Basic SAML Configuration section.
Enter the following values in the Basic SAML Configuration section on the next screen:

- Identifier (Entity ID) - hatica
- Reply URL (Assertion Consumer Service URL) - https://gw.hatica.io/api/oauth/saml
Click Save to save your changes.
### Attribute Mapping
Click Edit on the Attributes & Claims section.
You have to configure the following attributes under the Attributes & Claims section:
Go to the SAML Signing Certificate section and download the Federation Metadata XML (see screenshot #2). You will paste this file into Hatica in the final step.
**Next steps:** You've successfully configured your custom SAML application. At this stage, assign the users or groups that should be able to sign in to the application, and check in the application's Properties that Assignment required is set to Yes so that unassigned users are refused.
## Google SSO
From your Google Admin console, click Apps from the sidebar then click Web and mobile apps from the list.
If your application is already created, choose it from the list and move to the Configure Application section.
If you haven't created a SAML application, click Add custom SAML app from the menu.
Give your application an App name and click Continue.
### Configure Application
From the next screen, click DOWNLOAD METADATA to download the metadata XML file (you will paste it into Hatica in the final step), then click Continue.
Enter the following values in the Service provider details section:

- ACS URL - https://gw.hatica.io/api/oauth/saml
- Entity ID - hatica

Click Continue to save the configuration.
### Attribute Mapping
Under the Attributes section, you have to configure the following attributes:

| App attributes | Google directory attributes |
|---|---|
| | Primary email |
| firstName | First name |
| lastName | Last name |
After you have configured the attributes (see screenshot #1), click Finish to save the configuration.
From the next screen, click User access to configure which users are allowed to log in.
Either check ON for everyone and click Save, or turn the app on only for the organizational units or groups that should have access to Hatica; users for whom the app is OFF will be refused by Google and never reach Hatica.
**Next steps:** You've successfully configured your custom SAML application for Google SAML. Users covered by the User access setting can now sign in.
## Okta SSO
From your Okta dashboard, select Applications from the main menu, then click the Create App Integration button.
Select SAML 2.0 as the sign-in method and then click Next.
Then name the application and optionally upload a logo.
Click the Next button to proceed to the SAML Settings page.
### Configure Application
Populate the SAML Settings form with the values shown on the Hatica SAML Single Sign-On setup page. They will look similar to the following:

- Single sign-on URL - https://gw.hatica.io/api/oauth/saml
- Audience URI (SP Entity ID) - hatica
### Attribute Mapping
In the Attribute Statements section of the same SAML Settings page, add the following attributes:

| Name (app attribute) | Value (Okta attribute) |
|---|---|
| id | user.id |
| email | user.email |
| firstName | user.firstName |
| lastName | user.lastName |
After you have configured the attributes (see screenshot #1), click Next.
On the Feedback screen, select I'm an Okta customer adding an internal app and click Finish.
Assign the users or groups that should be able to sign in on the application's Assignments tab; Okta only issues assertions for assigned users.
From your application, open the Sign On tab and go to the SAML Signing Certificates section.
Click the Actions dropdown for the active certificate and click View IdP metadata. The metadata XML opens in a separate window; copy it to your clipboard.
## Update Hatica SAML SSO Configuration
Go to the Hatica SAML Single Sign-On setup page. Paste in the IdP XML metadata you downloaded or copied from your provider in the previous step, check the Enabled field, then click the Save button. The metadata includes the signing certificate Hatica uses to validate assertions, so if you later rotate that certificate in your provider, paste the updated metadata here as well.
**Next steps:** SAML SSO is now enabled for your Hatica workspace and is the only way to sign in, so test it right away as described below.
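Before pasting, it is worth checking what the metadata file actually says: that the entityID belongs to the tenant or app you just created, that it contains a signing certificate, and what that certificate's fingerprint is, so a later rotation is noticed. The following is an added example, not Hatica's code; it reads a federation metadata document (the format Azure AD, Google and Okta all export) with the Python standard library. The sample metadata embedded in it is constructed: the entityID, the URLs and the certificate are placeholders (the "certificate" is base64 of a text string, not a real X.509 certificate).

```python
"""Summarize IdP federation metadata before pasting it into an SP. Added example."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder standing in for the base64 DER blob a real IdP emits.
PLACEHOLDER_CERT = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample; entityID and URLs are made up.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/constructed-tenant/"
    validUntil="2025-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>%s</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/constructed-tenant/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/constructed-tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % PLACEHOLDER_CERT


def parse_ts(value):
    """SAML timestamps are UTC; drop fractional seconds and the trailing Z."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def fingerprint(b64_cert):
    """SHA-256 over the DER bytes, colon-separated as openssl and IdP consoles show it."""
    der = base64.b64decode("".join(b64_cert.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def summarize_metadata(xml_text, now):
    """Return entityID, SSO endpoints, signing-cert fingerprints and warnings."""
    if isinstance(now, str):
        now = parse_ts(now)
    root = ET.fromstring(xml_text)  # use defusedxml for files from untrusted sources
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    warnings = []
    valid_until = root.get("validUntil")
    if valid_until and now >= parse_ts(valid_until):
        warnings.append("metadata validUntil %s has passed; download a fresh copy" % valid_until)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(fingerprint(cert.text))
    if not certs:
        warnings.append("no signing certificate: assertion signatures could not be verified")
    elif len(certs) > 1:
        warnings.append("%d signing certificates: a rotation may be in progress" % len(certs))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not sso:
        warnings.append("no SingleSignOnService endpoint")
    return {"entity_id": root.get("entityID"),
            "sso_redirect_url": sso.get(REDIRECT),
            "sso_post_url": sso.get(POST),
            "signing_cert_sha256": certs,
            "warnings": warnings}


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(json.dumps(summarize_metadata(text, datetime.now(timezone.utc)), indent=2))
```

Run it with the downloaded file as the only argument (or with no argument to see the constructed sample). Compare the reported entityID with the tenant or app you created, and keep the certificate fingerprint with your change record: when the IdP console later shows a different fingerprint, the metadata in Hatica must be refreshed before the old certificate is retired.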
## Test sign-in flow using an incognito window
Be sure to stay signed in to the Hatica dashboard until you've verified the SSO sign-in flow from an incognito window.
Staying signed in lets you correct the SAML settings or disable SAML SSO in the event of a misconfiguration. Because Email and OTP login is disabled as soon as SAML is enabled, a broken configuration would otherwise lock every user, including you, out of the workspace.
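If the test sign-in is refused, the usual cause is one of the values above not matching exactly: the Entity ID / Audience (hatica), the ACS URL, an assertion outside its validity window because of clock skew, or a missing attribute. The following is an added example, not Hatica's code, of the checks a SAML service provider performs on the response the IdP posts to the ACS URL; running them on a captured response tells you which value is wrong. It deliberately omits XML signature verification, which a real SP must do first against the certificate from the IdP metadata and which needs a library such as python3-saml/xmlsec. The sample response is constructed and unsigned, and the attribute names email, firstName and lastName are assumed from the Google and Okta mappings on this page.

```python
"""Service-provider-side checks on a SAML Response. Added example, not Hatica's code."""
import base64
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ACS_URL = "https://gw.hatica.io/api/oauth/saml"
ENTITY_ID = "hatica"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("email", "firstName", "lastName")   # assumed from this page's mappings

# Constructed, unsigned sample; issuer and user are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T10:00:00Z" Destination="https://gw.hatica.io/api/oauth/saml">
  <saml:Issuer>https://idp.example.test/constructed-tenant/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.test/constructed-tenant/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z"
          Recipient="https://gw.hatica.io/api/oauth/saml"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>hatica</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """SAML timestamps are UTC; drop fractional seconds and the trailing Z."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, audience=ENTITY_ID, acs_url=ACS_URL):
    """Return (problems, attributes); an empty problems list means accept."""
    if isinstance(now, str):
        now = parse_ts(now)
    problems, attrs = [], {}
    root = ET.fromstring(xml_text)  # use defusedxml on untrusted input
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:   # response must be bound to our ACS URL
        problems.append("Destination %r is not the ACS URL" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion (encrypted or missing)"], attrs
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (clock skew?)")
        if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:   # the Entity ID / Audience typed into the IdP
            problems.append("audience %r does not include %r" % (audiences, audience))
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient %r is not the ACS URL" % scd.get("Recipient"))
        if scd.get("NotOnOrAfter") and now >= parse_ts(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = None if value is None else value.text
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("missing attribute %s" % name)
    return problems, attrs


if __name__ == "__main__":
    if len(sys.argv) > 1:   # file holding the base64 SAMLResponse form field
        xml_text = base64.b64decode(open(sys.argv[1]).read()).decode()
        now = datetime.now(timezone.utc)
    else:
        xml_text, now = SAMPLE_RESPONSE, "2024-05-01T10:00:00Z"
    problems, attrs = check_response(xml_text, now)
    print("OK" if not problems else "REJECT: " + "; ".join(problems), attrs)
```

To use it on a real failure, copy the SAMLResponse form field from the POST to the ACS URL in the browser's network tab (URL-decode it if the tool shows it encoded), save the base64 to a file and pass that file as the only argument. Do this in a test account: the captured response is a bearer credential for that user until it expires.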