The company maintains its own employee identities in Okta and wants them to map to the sub-users under its enterprise account (account ID: 210*******) on Volcano Engine. In this example, a user user1@email.com exists in Okta; the goal is to configure user SSO (single sign-on) so that user1@email.com can jump directly from Okta to the Volcano Engine login page and sign in as the sub-user user1@email.com under that Volcano Engine account.
Log in to the Access Control (IAM) console of your Volcano Engine account.
Under Identity Management - Identity Provider, click Create Identity Provider.
In the drawer that opens, set Identity Provider Type to SAML and SSO Type to User SSO. Click the metadata URL of the user SSO service provider (SP); the information on the page that opens is used in later steps.
In Access Control, under Identity Management - Users, click New User and set the user name to user1@email.com.
As the identity provider (IdP), Okta must recognize the service provider, Volcano Engine, as an "application" before it can provide single sign-on to it. To do this, create an application in Okta that corresponds to Volcano Engine.
Log in to the Okta portal and click Admin in the upper right corner.
After logging in to Okta as an administrator, click Applications - Applications in the left navigation bar, click Create App Integration, select SAML 2.0 in the Create a new app integration pop-up window, and click Next.
In the Create SAML Integration - General Settings interface, enter the App name (displayed only on the IdP side; in this example, "VolcineDemo") and click Next.
In the Create SAML Integration - Configure SAML step, complete the SAML configuration as described in step 4.
Next, you need to configure SAML-based single sign-on for your IdP.
In the Create SAML Integration - Configure SAML step of the newly created application VolcineDemo, configure the General section based on the SP metadata obtained in the first step: the single sign-on URL is the value of the AssertionConsumerService element, https://signin.volcengine.com/saml/sso, and the Audience URI (SP Entity ID) is the 'EntityID' value of the EntityDescriptor element, which varies with the account ID and in this example is https://signin.volcengine.com/210*******/saml_user/sso. Click Next, fill in the Feedback step as needed, and click Finish to save the configuration.
In the application you just created, click the Sign On tab, find SAML Signing Certificates, hover over Actions for the certificate whose status is Active, click View IdP metadata, and right-click the page that opens to save the identity provider's metadata (IdP Metadata) as a file.
This step defines which Okta users or user groups can access the VolcineDemo app.
Click Directory - People, click Add person in the upper left corner, and fill in the basic information for the user user1@email.com.
Click View User Details; on the Applications tab, click Assign Applications, select VolcineDemo, click Assign, and then click Done.
Return to the Access Control (IAM) console of your Volcano Engine account.
In the Identity Management - Identity Provider - New Identity Provider drawer from step 1, select "Open User SSO" and fill in the identity provider name as needed, for example Okta_User. Finally, upload the IdP Metadata file obtained in step 4 and click Submit.
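Two points in this procedure hand a SAML metadata file from one side to the other: step 4 copies the AssertionConsumerService URL and the EntityDescriptor entityID out of the SP metadata into Okta, and this last step uploads Okta's IdP Metadata to Volcano Engine. The script below is an added example, not Volcano Engine's or Okta's own code, that reads both kinds of file with the Python standard library and flags an IdP metadata file that lacks a signing certificate (without one the SP cannot verify Okta's assertions, so the upload could never produce a working login). The XML documents in it are constructed samples: the account ID is masked as on the page, the Okta entityID, hostname and app ID are placeholders, and the certificate body is a base64 stub, not a real X.509 certificate.

```python
"""Added example (not Volcano Engine's or Okta's code): read the SAML 2.0
metadata exchanged in this procedure with the standard library only.
parse_sp_metadata  -> the two values step 4 copies into Okta.
parse_idp_metadata -> entityID, SSO endpoints and signing certs of the IdP
                      Metadata file; validate_idp_metadata checks it before upload.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata; the URLs follow the pattern shown on the page.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://signin.volcengine.com/210*******/saml_user/sso">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.volcengine.com/saml/sso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata template (placeholder host and app ID); the
# {key_descriptor} slot lets the same template show a correct file and a broken one.
_IDP_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLE_APP_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key_descriptor}
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.okta.com/app/EXAMPLE_APP_ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-org.okta.com/app/EXAMPLE_APP_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Placeholder certificate body: valid base64, but not a real X.509 certificate.
_STUB_CERT = base64.b64encode(b"constructed stub, not an X.509 certificate").decode()
_KEY_DESCRIPTOR = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
                   f"<ds:X509Certificate>{_STUB_CERT}</ds:X509Certificate>"
                   "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
IDP_METADATA = _IDP_TEMPLATE.format(key_descriptor=_KEY_DESCRIPTOR)
IDP_METADATA_NO_CERT = _IDP_TEMPLATE.format(key_descriptor="")  # missing signing cert


def parse_sp_metadata(xml_text):
    """Return the values step 4 copies into Okta's General settings."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor element")
    # Okta delivers the SAML Response by HTTP-POST, so that ACS endpoint is the one to copy.
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    default = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    return {"entity_id": root.get("entityID"),
            "acs_url": default.get("Location"),
            "want_assertions_signed": sp.get("WantAssertionsSigned") == "true"}


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints and signing certificates from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # In SAML metadata a KeyDescriptor without 'use' serves signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # strip PEM line breaks
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "signing_certs": certs}


def validate_idp_metadata(info):
    """Return a list of problems to fix before uploading; empty means it looks usable."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if HTTP_POST not in info["sso_urls"] and HTTP_REDIRECT not in info["sso_urls"]:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the SP could not verify Okta's assertions")
    for cert in info["signing_certs"]:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("signing certificate is not valid base64")
    return problems
```

To check a real file, read it as text (for example, with open("idp_metadata.xml", encoding="utf-8")) and pass the contents to parse_idp_metadata, then run validate_idp_metadata on the result; an empty list means the file carries the entityID, an SSO endpoint and a signing certificate, which is what the upload in this step needs. A second copy of the metadata with no KeyDescriptor is included so the failure case is visible without editing a real export.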
After completing the SSO configuration, you can verify single sign-on initiated from Okta.
After logging in to the Okta portal as user1@email.com, click VolcineDemo under My Applications to test SSO login for user1@email.com. If you are redirected to the Volcano Engine SSO login page and can log in to account 210***** as the Volcano Engine user user1@email.com, the configuration is successful.
Alternatively, you can verify single sign-on initiated from Volcano Engine.
On the Volcano Engine login page, select the "Enterprise Federated Login" method, enter the account ID 210*******, select the corresponding identity provider Okta_User, and you are redirected to Okta; log in there as user1@email.com. If, after a successful login, you are redirected to the Volcano Engine SSO login page and signed in as user1@email.com of the corresponding Volcano Engine account, the single sign-on configuration is successful.