Okta SSO Login failure

pbenware1
Release Candidate Programs Tester

Greetings all,

We are in the very earliest stages of setting up Okta.  I'm currently working on configuring our JSS Dev environment to use Okta for SSO.

I'm working directly with our internal Identity Management team who manages our Okta instance.  They setup the integration on the Okta side, but I have no idea how they went about it.

In the JSS dev, I've enabled SSO using Okta, added the necessary metadata URL provided by the IAM team, etc.

When attempting a login, I am presented with the expected Okta user name screen, followed by the password screen, suggesting that the login process is working (and I've received notifications of a successful login), but then directed to an error message:

Safari can't find the server.

Safari can't open the page "https://https//<mysandbox>.jamfcloud.com/saml/SSO" because the Safari can't find the server "https".

Note the extra "https// in the Url.

The Okta team says everything is OK on their end, and I've reviewed the JSS SSO settings with them, and they see no issues on the JSS side.

A similar, but not identical, error message appears in Chrome.

Has anyone seen this before?  Any thoughts?

1 ACCEPTED SOLUTION

pbenware1
Release Candidate Programs Tester

Problem solved.  Turns out the Okta team misread or mistyped the URL.  They fixed that and now SSO sign in is working.

View solution in original post

6 REPLIES 6

wsmits
New Contributor III

Maybe try a SAML tracer like "rcFederation Tracer" to validate what is happening. I had issues too which turned out to be that the response was trying to send all the group memberships but there was a max number. For me I had to get my Identity team to specify what groups to look for.

In this test example they added the group called LDAP.

Unknown.png

pbenware1
Release Candidate Programs Tester

@wsmits Thank for the suggestion.  I ran rcFederationtracer and found 2 resulting outputs.

I know nothing of how federation is supposed to work, so I'm making assumptions here based on the resulting files;

It appears the first output is the request from my JSS sandbox to the Okta instance.

the second file appears to be the response from Okta, after a successful authentication, telling the browser where it should redirect to, and I'm seeing the bad URL there.

Given my lack of knowledge here, I'm going to open a ticket with Jamf support as well, but I think this gives me some additional info that I can provide to our Okta team as well.

AJPinto
Honored Contributor III

Assuming this is the MenuBar App. It sounds like you may not have the OktaAuthServer key set correctly. 

  • Can you share your sanitized Configuration Profile?
  • Are your Okta admins seeing the authenticate attempt for your tests?
  • OktaAuthServer should be your Okta auth server, and you dont want to add https:\\ in the URL as that is added automatically. 

 

pbenware1
Release Candidate Programs Tester

@AJPinto Are you referring to Jamf Connect?  That's the next step for us.  Currently working on using Okta for SSO, which is now working.

AJPinto
Honored Contributor III

Crap, yes. I was on the Connect wagon. 

So long as the Entity ID, and Identity Provider Metadata Source are correct in your Jamf Console, the issue is going to be within Okta. My guess is they setup the Single sign on URL incorrectly in the General SAML Settings for the Jamf Pro app integration. Basically, you are getting to your Okta auth realm because Jamf Pro is setup correctly, but when Okta is redirecting you back to Jamf, it's sending you to the wrong URL.

 

Have them check the Single sign on URL, and make sure it is just instancename.jamfcloud.com/saml/SSO without https://.

pbenware1
Release Candidate Programs Tester

Problem solved.  Turns out the Okta team misread or mistyped the URL.  They fixed that and now SSO sign in is working.