MicroStrategy ONE

Integrating SAML Support with Okta

This procedure explains how to integrate MicroStrategy Web with Okta. For more information, see the Okta documentation.

Create an Application

  1. Log in as an Okta administrator and go to the Admin page.
  2. Go to Applications and click Add Application.
  3. Select SAML 2.0.
  4. Click Create.

Configure the Application

  1. Enter your app name.
  2. Click Next.
  3. Complete SAML Settings.

    • Single Sign on URL: Also referred to as the "Assertion Consumer Service URL", this is the MicroStrategy application address that sends and receives SAML messages. If SAML setup is already finished on the MicroStrategy side, it is the URL in the md:AssertionConsumerService tag at the bottom of the SPMetadata.xml file.

      The URL usually takes the following form:

      http(s)://<host server>/<MSTR application name>/saml/SSO
    • Audience URI (SP Entity ID): This corresponds to the entityID value at the top of the SPMetadata.xml file, which is also the first input field on the MicroStrategy SAML configuration page. It is a unique identifier of the MicroStrategy application.
    • ATTRIBUTE STATEMENTS (OPTIONAL): These settings determine which SAML attributes are sent to MicroStrategy. If the default attribute names were used in the MicroStrategy SAML configuration, the names are: EMail, DistinguishedName, and DisplayName. The MicroStrategy-side attribute names can be found in the MstrSamlConfig.xml file. For example:

      <dnAttributeName>DistinguishedName</dnAttributeName>
      <displayNameAttributeName>DisplayName</displayNameAttributeName>
      <emailAttributeName>EMail</emailAttributeName>

      It is not required to configure all three attributes.

    • GROUP ATTRIBUTE STATEMENTS (OPTIONAL): This is used to grant access to the MicroStrategy Web or Mobile Administrator page and to manage user privilege inheritance. If the default attribute name was used in the MicroStrategy SAML configuration, the name is "Groups". The MicroStrategy-side attribute name can be found in the MstrSamlConfig.xml file. For example:

      <groupAttributeName>Groups</groupAttributeName>

      Use the filter to select the groups that are sent over. To send over all the groups, select Regex and enter .* into the field.

      You can leave the other fields as default or configure them as needed.
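
The SAML Settings values above can be read out of SPMetadata.xml and MstrSamlConfig.xml and checked before they are entered in Okta. The following Python script is an added example, not MicroStrategy or Okta code; the sample XML is constructed, and the host name, entity ID, `<samlConfig>` root element and function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
ATTR_TAGS = ("dnAttributeName", "displayNameAttributeName",
             "emailAttributeName", "groupAttributeName")

# Constructed samples: host, entity ID and the <samlConfig> root are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="mstr-web-example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mstr.example.com/MicroStrategy/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
MSTR_SAML_CONFIG = """<samlConfig>
  <dnAttributeName>DistinguishedName</dnAttributeName>
  <displayNameAttributeName>DisplayName</displayNameAttributeName>
  <emailAttributeName>EMail</emailAttributeName>
  <groupAttributeName>Groups</groupAttributeName>
</samlConfig>"""

def okta_settings(sp_metadata_xml, mstr_config_xml):
    """Collect the values the Okta SAML Settings page asks for."""
    # Local, admin-owned files; use a hardened parser for untrusted XML.
    sp = ET.fromstring(sp_metadata_xml)
    acs = [e.get("Location") for e in sp.iter(MD + "AssertionConsumerService")]
    if not acs:
        raise ValueError("no md:AssertionConsumerService in SP metadata")
    cfg = ET.fromstring(mstr_config_xml)
    found = {t: cfg.findtext(f".//{t}") for t in ATTR_TAGS}
    return {"sso_url": acs[0], "audience_uri": sp.get("entityID"),
            "attributes": {t: v.strip() for t, v in found.items() if v}}

def review(settings):
    """Return warnings for values that should not be pasted into Okta as-is."""
    warnings = []
    url = urlparse(settings["sso_url"] or "")
    if url.scheme != "https":
        warnings.append("Single Sign on URL is not HTTPS")
    if not url.path.endswith("/saml/SSO"):
        warnings.append("Single Sign on URL does not end in /saml/SSO (the usual form)")
    if not settings["audience_uri"]:
        warnings.append("SP metadata has no entityID for Audience URI")
    return warnings

if __name__ == "__main__":
    s = okta_settings(SP_METADATA, MSTR_SAML_CONFIG)
    print(s, review(s))
```

The attribute names returned under `attributes` are the names to use in the Okta attribute and group attribute statements; a name that differs from what Okta sends will not be matched on the MicroStrategy side.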

Finish SAML Setup

  1. On the Okta admin page, go to Applications and open the application.
  2. Go to Assignments.
  3. Click Assign to assign the application to users or groups.
  4. Go to Sign On.
  5. Click Identity Provider metadata.

  6. Save the XML file as IDPMetadata.xml, and place it in the MicroStrategy\WEB-INF\classes\resources\SAML folder.