Configure StoreFront with OKTA


Article ID: CTX232042

Description

This article illustrates how to configure StoreFront to use OKTA for authentication using SAML metadata exchange.


Instructions

Identify the StoreFront Service Provider endpoints

See StoreFront documentation section StoreFront SAML Endpoints for an example script to get the service provider endpoints.

Okta Configuration

 

  • In Okta, create a new application for the Web platform with SAML 2.0 enabled.


  • Once the new application is created, follow the steps below to configure the SAML settings.

Note:
 

  1. The Single Sign On URL in the above step should be the Assertion Consumer Service URL from the StoreFront output.
  2. The Audience URI should be the Service Provider ID from the StoreFront output.
  3. The rest of the settings can be left at their defaults.

 

  • In the next step, you can preview the SAML assertion by clicking the link shown in the image below.


  • In the next step, click Finish to complete the Service Provider configuration in Okta.


  • In the next step, click the Sign On tab and edit the application user format to reflect the AD User Principal Name.
  • Also click Identity Provider Metadata to download the metadata file, which is used in the StoreFront configuration steps below.


  • In the next step, assign to the application in Okta the users who will go through Okta to StoreFront.
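
The values set in the Note above (Single Sign On URL, Audience URI) and the UPN username format can be checked against a copy of the previewed assertion. The following is an added example, not part of the original Citrix article: `check_assertion` is a hypothetical helper, and `SP_ID`, `ACS_URL` and the sample assertion are constructed placeholders standing in for your StoreFront output and the Okta preview.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholders standing in for the StoreFront script output.
SP_ID = "https://storefront.example.com/sp-id"
ACS_URL = "https://storefront.example.com/acs"

# Constructed sample shaped like a previewed SAML 2.0 assertion.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Subject>
    <saml2:NameID>alice@corp.example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Recipient="https://storefront.example.com/acs"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://storefront.example.com/sp-id</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


def check_assertion(xml_text, sp_id, acs_url):
    """Return a list of mismatches between the assertion and the SP values."""
    root = ET.fromstring(xml_text)
    problems = []
    # Audience URI must be exactly the StoreFront Service Provider ID.
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if sp_id not in audiences:
        problems.append(f"Audience {audiences} does not contain SP ID {sp_id}")
    # Single Sign On URL shows up as the Recipient; it must be the ACS URL.
    recipients = [e.get("Recipient") for e in
                  root.iterfind(".//a:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"Recipient {recipients} is not ACS URL {acs_url}")
    # Application user format should yield a UPN (user@domain) as NameID.
    name_id = root.findtext(".//a:Subject/a:NameID", default="", namespaces=NS).strip()
    user, _, domain = name_id.partition("@")
    if not user or not domain or "@" in domain:
        problems.append(f"NameID {name_id!r} is not in UPN form user@domain")
    return problems


if __name__ == "__main__":
    for line in check_assertion(SAMPLE, SP_ID, ACS_URL) or ["assertion matches SP values"]:
        print(line)
```

The comparisons are exact string matches, so a trailing slash or a different host name in either value is reported as a mismatch.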

StoreFront Configuration

In the StoreFront console, enable SAML Authentication under Manage Authentication Methods.

Import the metadata file. For information, see the StoreFront documentation section Configure using Metadata exchange. Set the FilePath to the file you downloaded from Okta.

User experience

When the user goes to the store website, they are redirected to Okta to authenticate. 


Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Additional Information

References for Configuring FAS:

 https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/federated-authentication-service.html