Resolution
In Okta: Sign in to your Okta tenant as an administrator.
In the Admin Console, navigate to Applications > Applications. Click Create App Integration. In the Create a new app integration dialog, choose SAML 2.0 and click Next. Then configure these SAML settings:
- Single Sign On URL: https://remote.workspace.env/api/saml/
- Recipient URL: https://remote.workspace.env/api/saml/
- Destination URL: https://remote.workspace.env/api/saml/
- Audience Restriction: https://remote.workspace.env/api/saml/
- Default Relay State: not specified
- Name ID Format: Unspecified
- Response: Signed
- Assertion Signature: Signed
- Signature Algorithm: RSA_SHA256
- Digest Algorithm: SHA256
- Assertion Encryption: Unencrypted
- SAML Single Logout: Depends on the preferences of your organization.
- authnContextClassRef: PasswordProtectedTransport
- Honor Force Authentication: Yes
- Assertion Inline Hook: None (disabled)
- SAML Issuer ID: http://www.okta/${org.externalKey}
 
Finally, configure these Attribute statements:
| Name | Name Format | Value |
| --- | --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/NameID | Unspecified | user.email |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Unspecified | join(" ", user.firstName, user.lastName) |
If needed, adjust the values based on Okta's Expression Language (see their documentation).
In Parallels Secure Workspace: Go to System Settings > Configure > User Connector: Federated Authentication and fill in these settings:
- Type: Pre-Authentication or Single Sign-On
- Protocol: SAML
- ACS URL: Auto-generated from the Workspace URL specified below, e.g. https://remote.workspace.env/api/saml/
- Entity Id: ID of your choice (e.g. Workspace). This must match the "Audience Restriction" configured in Okta above. With the example settings above, that is https://remote.workspace.env/api/saml/
- Metadata Type: XML
- Metadata XML: Browse and upload the federation metadata XML obtained from Okta.
- Single Logout: Depends on the preferences of your organization.
- Workspace Single Logout URL: Auto-generated from the Workspace URL specified below, e.g. https://remote.workspace.env/api/slo/
- Username Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/NameID
- Display Name Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Workspace URL: The URL of this Workspace domain, e.g. https://remote.workspace.env
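To confirm that both sides agree, the following added example (not part of the original article, and not Okta or Parallels code) checks a decoded SAML response, for instance one captured with a browser SAML tracing extension, against the settings listed above. The `sample()` helper builds constructed test input; the check is structural only and does not verify signature values.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://remote.workspace.env/api/saml/"  # example URL used in this article
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def check_response(xml_text, acs_url=ACS_URL, entity_id=ACS_URL):
    """List mismatches with the settings above. Does NOT verify signature values."""
    root = ET.fromstring(xml_text)
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (is Assertion Encryption enabled?)"]
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    scd = assertion.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    if entity_id not in [(e.text or "").strip() for e in assertion.iterfind(".//a:Audience", NS)]:
        problems.append("Audience Restriction does not match the Entity Id")
    for label, node in (("Response", root), ("Assertion", assertion)):
        sig = node.find("ds:Signature", NS)  # direct child only, so each level is checked separately
        if sig is None:
            problems.append(f"{label} is not signed")
            continue
        sm, dm = sig.find(".//ds:SignatureMethod", NS), sig.find(".//ds:DigestMethod", NS)
        if sm is None or sm.get("Algorithm") != RSA_SHA256:
            problems.append(f"{label} signature algorithm is not RSA_SHA256")
        if dm is None or dm.get("Algorithm") != SHA256:
            problems.append(f"{label} digest algorithm is not SHA256")
    names = {e.get("Name") for e in assertion.iterfind(".//a:Attribute", NS)}
    problems += [f"missing attribute {c}" for c in ("NameID", "givenname") if CLAIMS + c not in names]
    return problems

def sample(dest=ACS_URL, audience=ACS_URL, sig_alg=RSA_SHA256):  # constructed test input
    sig = (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>'
           f'<ds:Reference><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference>'
           '</ds:SignedInfo></ds:Signature>')
    attrs = "".join(f'<a:Attribute Name="{CLAIMS}{c}"/>' for c in ("NameID", "givenname"))
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" xmlns:ds="{NS["ds"]}" '
            f'Destination="{dest}">{sig}<a:Assertion>{sig}<a:Subject><a:SubjectConfirmation>'
            f'<a:SubjectConfirmationData Recipient="{dest}"/></a:SubjectConfirmation></a:Subject>'
            f'<a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
            '</a:AudienceRestriction></a:Conditions>'
            f'<a:AttributeStatement>{attrs}</a:AttributeStatement></a:Assertion></p:Response>')
```

Pass `entity_id="Workspace"` (or whatever Entity Id you chose) when it differs from the ACS URL. For XML from a source you do not control, parse with a hardened library such as defusedxml instead of the standard-library parser.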
 