From b028849af5de346de2883438e9869b781323648e Mon Sep 17 00:00:00 2001
From: annejuan-okta
Date: Thu, 30 Jan 2025 07:36:07 -0800
Subject: [PATCH] 2025.01.2 Release (#5301)
* [OKTA-844514] 2025.01.2 Release Notes (#5300)
* First pass at RN
* Fix formatting and add IGA RN item
* Update packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md
Co-authored-by: Brian Duffield - Okta <70648001+brianduffield-okta@users.noreply.github.com>
* Update packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md
Co-authored-by: Brian Duffield - Okta <70648001+brianduffield-okta@users.noreply.github.com>
* Update packages/@okta/vuepress-site/docs/release-notes/2025/index.md
* Update packages/@okta/vuepress-site/docs/release-notes/2025/index.md
---------
Co-authored-by: Brian Duffield - Okta <70648001+brianduffield-okta@users.noreply.github.com>
* Claims sharing (#5295)
* update
* updates
* update
* request response
* example updates and more
* update doc to make stack selector guide
* Venkat updates and oidc examples
* new files for new URL for claims sharing and complete first draft of content
* save
* policies
* first shot at PR
* framework
* review comments
* lars and ansu reviews
* review comments
* faqs moved
* more review updates
* acrolinx love
* Lars updates
* finalreviews
* editorial review
* Link fix and missing feature in classic
---------
Co-authored-by: Brian Duffield - Okta <70648001+brianduffield-okta@users.noreply.github.com>
Co-authored-by: Susan
---
.../main/oktatookta/appatidp.md | 4 -
.../configure-amr-claims-mapping/index.md | 4 +-
.../guides/configure-claims-sharing/index.md | 7 +
.../configure-claims-sharing/main/index.md | 158 ++++++++++++++++++
.../main/oktaoidc/addanidp.md | 1 +
.../main/oktaoidc/idpauthclaimssharing.md | 1 +
.../main/oktaoidc/idpresponse.md | 17 ++
.../main/oktaoidc/idpresponsetitle.md | 1 +
.../main/oktaoidc/idptype.md | 1 +
.../main/oktaoidc/idpupdaterequest.md | 73 ++++++++
.../main/oktaoidc/idpupdateresponse.md | 74 ++++++++
.../main/oktaoidc/redirect.md | 1 +
.../main/oktasaml/addanidp.md | 1 +
.../main/oktasaml/idpauthclaimssharing.md | 1 +
.../main/oktasaml/idpresponse.md | 20 +++
.../main/oktasaml/idpresponsetitle.md | 1 +
.../main/oktasaml/idptype.md | 1 +
.../main/oktasaml/idpupdaterequest.md | 83 +++++++++
.../main/oktasaml/idpupdateresponse.md | 86 ++++++++++
.../main/oktasaml/redirect.md | 1 +
.../@okta/vuepress-site/docs/guides/index.md | 2 +-
.../2025-okta-identity-engine/index.md | 20 +++
.../docs/release-notes/2025/index.md | 19 +++
.../const/navbar.const.js | 1 +
.../global-components/AMROktatoOkta.vue | 17 --
.../vuepress-theme-prose/util/frameworks.js | 4 +
26 files changed, 575 insertions(+), 24 deletions(-)
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/index.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/index.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/addanidp.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpauthclaimssharing.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpresponse.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpresponsetitle.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idptype.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpupdaterequest.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpupdateresponse.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/redirect.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/addanidp.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpauthclaimssharing.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpresponse.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpresponsetitle.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idptype.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpupdaterequest.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpupdateresponse.md
create mode 100644 packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/redirect.md
delete mode 100644 packages/@okta/vuepress-theme-prose/global-components/AMROktatoOkta.vue
diff --git a/packages/@okta/vuepress-site/docs/guides/add-an-external-idp/main/oktatookta/appatidp.md b/packages/@okta/vuepress-site/docs/guides/add-an-external-idp/main/oktatookta/appatidp.md
index 2e6a0ffc7dd..6c6984af7e0 100644
--- a/packages/@okta/vuepress-site/docs/guides/add-an-external-idp/main/oktatookta/appatidp.md
+++ b/packages/@okta/vuepress-site/docs/guides/add-an-external-idp/main/oktatookta/appatidp.md
@@ -15,7 +15,3 @@ When you're configuring federation between two Okta orgs, use OpenID Connect as
1. Assign a group or leave the **Everyone** default. Ensure that the users you want to have access are assigned to the group that you select. For instructions on how to assign the app integration to individual users and groups, see [Assign app integrations](https://help.okta.com/okta_help.htm?id=ext_Apps_Apps_Page-assign).
1. Click **Save**, and then copy the **Client ID** and **Client secret** from the **Client Credentials** section and paste into a text editor. You need these when you configure this IdP in your other Okta org in the next section.
-
-
-
-See [Create an Identity Provider in Okta](#create-an-identity-provider-in-okta) for Okta-to-Okta orgs.
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-amr-claims-mapping/index.md b/packages/@okta/vuepress-site/docs/guides/configure-amr-claims-mapping/index.md
index 40526b291b5..558f2d87d6f 100644
--- a/packages/@okta/vuepress-site/docs/guides/configure-amr-claims-mapping/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/configure-amr-claims-mapping/index.md
@@ -1,6 +1,6 @@
---
-title: Configure AMR claims mapping
-excerpt: Learn how to configure an OpenID Connect Identity Provider to send AMR claims during SSO to your org
+title: Configure claims sharing
+excerpt: Learn how to configure an identity provider to send claims during SSO
layout: Guides
sections:
- main
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/index.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/index.md
new file mode 100644
index 00000000000..558f2d87d6f
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/index.md
@@ -0,0 +1,7 @@
+---
+title: Configure claims sharing
+excerpt: Learn how to configure an identity provider to send claims during SSO
+layout: Guides
+sections:
+- main
+---
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/index.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/index.md
new file mode 100644
index 00000000000..79d614ba0a5
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/index.md
@@ -0,0 +1,158 @@
+---
+title: Configure claims sharing
+excerpt: Learn how to configure an identity provider to send claims during SSO
+layout: Guides
+---
+
+
+
+This guide explains how to configure an identity provider (IdP) to send authentication claims during Single Sign-On (SSO).
+
+---
+
+#### Learning outcomes
+
+* Know the purpose of claims sharing
+* Configure your identity provider (IdP) to send authentication claims during SSO
+
+#### What you need
+
+* An Okta SP org and an Okta IdP org configured for an [Okta-to-Okta](/docs/guides/add-an-external-idp/oktatookta/main/) use case. This guide covers how to configure authentication claims sharing for this scenario.
+* The **Okta-to-Okta Claims Sharing** feature enabled for both orgs. Go to **Settings | Features**, locate the feature, and then enable it.
+* If you don't have Okta orgs, you can create [Okta Developer Edition orgs](https://developer.okta.com/signup).
+
+---
+
+## Overview
+
+Claims sharing is the exchange of identity-related information (claims) between different orgs to enable secure access to resources. A claim is a statement made about a user or entity, such as their username, email address, roles, or permissions. This statement is then shared to help determine access rights.
+
+> **Note:** Okta claims sharing currently supports only Okta IdPs and SPs.
+
+### Authentication claims sharing
+
+Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture.
+
+Claims sharing provides assurance context to Okta during policy evaluation. For example, these claims give Okta a better understanding of which factors were used by the IdP to verify the user's identity. Claims do this by conveying information from the IdP that's needed to make policy decisions in the SP. This creates a seamless and secure user experience, which reduces friction and boosts productivity to achieve end-to-end security.
+
+### Accepted authenticators
+
+All authenticators that are natively performed on the Okta IdP are accepted. This includes authenticators such as WebAuthn, password, Okta Verify, Okta FastPass, SMS, email, and so on. Claim sharing doesn't currently support the use of any Custom Authenticators for MFA, such as using another IdP or smart card.
+
+### AMR claims mapping is enabled on your org
+
+When you enable the **Okta-to-Okta Claims Sharing** feature for your orgs and trust claims from an identity provider, Okta ignores the legacy **AMR Claims Mapping** feature.
+
+### IdP authentication claims sharing
+
+
+
+#### Example
+
+
+
+## Configure claims sharing for Okta orgs
+
+The **Okta-to-Okta Claims Sharing** feature enables claims sharing between Okta orgs. This section covers how to configure authentication claims sharing for this use case.
+
+### Okta IdP configuration
+
+Okta supports the use of SAML 2.0 and OpenID Connect app integrations, and the Org2Org app in the OIN catalog. This is the app that you use for authenticating and authorizing your users. There are no configuration requirements for claims sharing for the Okta IdP org.
+
+### Okta SP configuration
+
+To use claims sharing, update the IdP settings in your Okta SP org by adding the `trustClaims: true` key and value pair to your IdP PUT request. Alternatively, you can enable the **Trust claims from this identity provider** checkbox in the Admin Console. See .
+
+> **Note:** When **Okta-to-Okta Claims Sharing** and the legacy **AMR Claims Mapping** feature are both used in your SP org, claims sharing is the only feature considered. The `mapAMRClaims` property (**Trust AMR claims from this identity provider** checkbox in the Admin Console) is associated with the legacy claims mapping feature. If you include this property and the `trustClaims: true` property in your request, only the `trustClaims` property is considered.
+
+#### Example Okta IdP update request
+
+
+
+#### Response example
+
+> **Note:** This example is truncated for brevity.
+
+
+
+## Policies and claims sharing
+
+You can configure many scenarios for authentication using claims sharing and policies in your Okta SP and Okta IdP orgs.
+
+### Authentication policy example
+
+[Create an authentication policy and rule for your app](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-auth-policy). Select any two factors, don't select a possession constraint, and allow any authenticators.
+
+With trust claims enabled and your IdP org able to verify any two factors, you can satisfy the requirements in the SP org.
+
+#### Other authentication policy scenarios
+
+* **Possession factor constraints:** If you enable any possession factor constraints in the authentication policy of your SP org, the IdP org must satisfy the requirement with appropriate factor verification.
+
+* **Authentication methods:**
+ * **Allow any method that can be used to meet the requirement**: If you enable this setting in your SP org, you can satisfy the policy requirements by using any authenticator that meets those requirements. This includes authenticators that aren't configured locally in the SP org.
+ * **Disallow specific authentication methods**: If you specify authentication methods to disallow, then the SP org disallows those methods.
+ * **Allow specific authentication methods**: If you specify authentication methods to allow, then the SP org only considers those methods.
+
+ After you define these conditions, if you still haven't met the policy requirement, then the SP org redirects you to verify any locally configured authenticator. If there's no local authenticator available, or the enrollment policy for a particular authenticator is disabled, then the SP org displays an error.
+
+### Global session policy example
+
+This same concept applies to the global session policy. Without trust claims enabled, if you have only the password authenticator configured in the SP org, you can't save a global session policy rule that requires MFA.
+
+However, with trust claims enabled, you can specify MFA as required. As long as the claim is coming from the IdP, the session is established because that claim can satisfy the global session policy rule.
+
+### Okta Identity Engine and Classic Engine orgs
+
+If you a combination of Okta Identity Engine and Classic Engine orgs, the rules work in the following ways:
+
+#### Example scenario one
+
+Your SP org is an Identity Engine org. Your IdP is a Classic Engine org. MFA from the Classic Engine org can only satisfy one of the following authentication policy rules on the Identity Engine SP org:
+
+* **Any 1 factor type/IdP**
+* **Any 2 factor types**
+
+For the global session policy, MFA from the Classic Engine org can only satisfy the **Any factor used to meet the Authentication Policy requirements** rule.
+
+#### Example scenario two
+
+Your IdP org is an Identity Engine org. Your SP org is a Classic Engine org. The Classic Engine org only evaluates whether MFA was completed, such as if more than one factor verification was performed on the IdP org.
+
+## Test your integration
+
+To test your integration, first [configure a routing rule](https://help.okta.com/okta_help.htm?id=ext-cfg-routing-rules) for the IdP and then use the IdP to sign in.
+
+### Configure a routing rule for the IdP
+
+Configure a simple routing rule for the IdP in the Okta SP org.
+
+* Click **Add Routing Rule**.
+* Enter a name and leave the default values.
+* In the **THEN Use this identity provider** section, add your IdP in the **IdP(s)** field.
+* Click **Create Rule**.
+
+### Use the IdP to sign in
+
+1. Access your Okta SP org using your browser's privacy or incognito mode to avoid false positive or negative results.
+1. Click **Sign in with {Name of IdP}** on the Okta sign-in page.
+
+ The following are the results if everything is configured properly:
+
+ * The user is redirected to the IdP's sign-in page.
+ * The authenticators configured in the authentication policy prompt the user for more authentication.
+ * After successful authentication, the user is redirected to the specified in the Okta IdP org app.
+
+ If something is configured incorrectly, the authorization response contains error information to help you resolve the issue. See the [FAQ](#faq) section.
+
+## Trust claims deletion/deactivation
+
+You can only deactivate or delete an IdP with trust claims enabled if there are other active IdPs that have trust claims enabled. Or, you can deactivate or delete the IdP if all policies are configured in a way that doesn't require trusted claims.
+
+> **Note:** This is also true if you try to disable the **Okta-to-Okta Claims Sharing** feature.
+
+## Reauthentication
+
+Okta claims sharing doesn't currently support reauthentication. The user isn’t prompted for reauthentication as long as the session is active.
+
+Also, when you federate from the IdP org to the SP org’s Okta dashboard and then click **Admin**, you aren't prompted for reauthentication. The factors from the IdP are valid until the end of the session on the SP org.
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/addanidp.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/addanidp.md
new file mode 100644
index 00000000000..27f58fdbf30
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/addanidp.md
@@ -0,0 +1 @@
+[Add an OpenID Connect Identity Provider](/docs/guides/add-an-external-idp/openidconnect/main/)
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpauthclaimssharing.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpauthclaimssharing.md
new file mode 100644
index 00000000000..cd01544c559
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpauthclaimssharing.md
@@ -0,0 +1 @@
+When you use OpenID Connect with claims sharing, the data that's shared between an Okta IdP and an Okta SP is included in the ID token under a new reserved claim name called `okta_auth`. The `okta_auth` payload within the ID token response contains information about authentication performed at the Okta IdP org.
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpresponse.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpresponse.md
new file mode 100644
index 00000000000..120d1b8175d
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpresponse.md
@@ -0,0 +1,17 @@
+> **Note:** The `okta_auth` JSON payload in the ID token is redacted.
+
+```JSON
+{
+ "aud": "ts1hjc8xh3",
+ "auth_time": 1720481750,
+ "email": "jon.smith@example.com",
+ "exp": 1720482230,
+ "family_name": "Smith",
+ "given_name": "Jon",
+ "iat": 1720481810,
+ "iss": "https://idp.okta.com",
+ "nonce": "3byzgGdVLxjNUQ3X73rYgQBUc_DO4AJ2",
+ "sub": "jon.smith@example.com",
+ "okta_auth": {...JSON payload...}
+}
+```
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpresponsetitle.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpresponsetitle.md
new file mode 100644
index 00000000000..87932ba9864
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpresponsetitle.md
@@ -0,0 +1 @@
+ID token
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idptype.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idptype.md
new file mode 100644
index 00000000000..182eb94aac2
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idptype.md
@@ -0,0 +1 @@
+OpenID Connect
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpupdaterequest.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpupdaterequest.md
new file mode 100644
index 00000000000..bb0bafb7992
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpupdaterequest.md
@@ -0,0 +1,73 @@
+```JSON
+{
+ "id": "0oa3q52z4b7iDGJfh806",
+ "issuerMode": "DYNAMIC",
+ "name": "Org2Org OIDC IdP",
+ "status": "ACTIVE",
+ "created": "2025-01-14T21:56:04.000Z",
+ "lastUpdated": "2025-01-17T20:01:09.000Z",
+ "protocol": {
+ "type": "OIDC",
+ "endpoints": {
+ "authorization": {
+ "url": "https://{yourOktaIdPDomain}/oauth2/v1/authorize",
+ "binding": "HTTP-REDIRECT"
+ },
+ "token": {
+ "url": "https://{yourOktaIdPDomain}/oauth2/v1/token",
+ "binding": "HTTP-POST"
+ },
+ "jwks": {
+ "url": "https://{yourOktaIdPDomain}/oauth2/v1/keys",
+ "binding": "HTTP-REDIRECT"
+ }
+ },
+ "scopes": [
+ "email",
+ "openid",
+ "profile"
+ ],
+ "issuer": {
+ "url": "https://{yourOktaIdPDomain}"
+ },
+ "credentials": {
+ "client": {
+ "client_id": "0oa3q52oiB4UBbQFT806",
+ "client_secret": "X7i4OV8UXUkrqIhr2vFs0RzeYFy3AUmXe_huqfgMw-eiw1KMUUCEs7X7YXrR_9Sq"
+ }
+ }
+ },
+ "policy": {
+ "provisioning": {
+ "action": "AUTO",
+ "profileMaster": false,
+ "groups": {
+ "action": "NONE"
+ },
+ "conditions": {
+ "deprovisioned": {
+ "action": "NONE"
+ },
+ "suspended": {
+ "action": "NONE"
+ }
+ }
+ },
+ "accountLink": {
+ "filter": null,
+ "action": "AUTO"
+ },
+ "subject": {
+ "userNameTemplate": {
+ "template": "idpuser.email"
+ },
+ "filter": "",
+ "matchType": "USERNAME",
+ "matchAttribute": ""
+ },
+ "maxClockSkew": 0,
+ "trustClaims": true
+ },
+ "type": "OIDC"
+}
+```
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpupdateresponse.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpupdateresponse.md
new file mode 100644
index 00000000000..2f8e31c6b6b
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/idpupdateresponse.md
@@ -0,0 +1,74 @@
+```JSON
+{
+ "id": "0oa3q52z4b7iDGJfh806",
+ "issuerMode": "DYNAMIC",
+ "name": "Org2Org OIDC IdP",
+ "status": "ACTIVE",
+ "created": null,
+ "lastUpdated": "2025-01-21T19:52:54.000Z",
+ "protocol": {
+ "type": "OIDC",
+ "endpoints": {
+ "authorization": {
+ "url": "https://{yourOktaIdPDomain}/oauth2/v1/authorize",
+ "binding": "HTTP-REDIRECT"
+ },
+ "token": {
+ "url": "https://{yourOktaIdPDomain}/oauth2/v1/token",
+ "binding": "HTTP-POST"
+ },
+ "jwks": {
+ "url": "https://{yourOktaIdPDomain}/oauth2/v1/keys",
+ "binding": "HTTP-REDIRECT"
+ }
+ },
+ "scopes": [
+ "email",
+ "openid",
+ "profile"
+ ],
+ "issuer": {
+ "url": "https://{yourOktaIdPDomain}"
+ },
+ "credentials": {
+ "client": {
+ "client_id": "0oa3q52oiB4UBbQFT806",
+ "client_secret": "X7i4OV8UXUkrqIhr2vFs0RzeYFy3AUmXe_huqfgMw-eiw1KMUUCEs7X7YXrR_9Sq"
+ }
+ }
+ },
+ "policy": {
+ "provisioning": {
+ "action": "AUTO",
+ "profileMaster": false,
+ "groups": {
+ "action": "NONE"
+ },
+ "conditions": {
+ "deprovisioned": {
+ "action": "NONE"
+ },
+ "suspended": {
+ "action": "NONE"
+ }
+ }
+ },
+ "accountLink": {
+ "filter": null,
+ "action": "AUTO"
+ },
+ "subject": {
+ "userNameTemplate": {
+ "template": "idpuser.email"
+ },
+ "filter": "",
+ "matchType": "USERNAME",
+ "matchAttribute": ""
+ },
+ "maxClockSkew": 0,
+ "trustClaims": true
+ },
+ "type": "OIDC",
+ .....
+}
+```
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/redirect.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/redirect.md
new file mode 100644
index 00000000000..389be354f5a
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktaoidc/redirect.md
@@ -0,0 +1 @@
+redirect URI
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/addanidp.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/addanidp.md
new file mode 100644
index 00000000000..d9b0646ad4a
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/addanidp.md
@@ -0,0 +1 @@
+[Add a SAML Identity Provider](https://help.okta.com/okta_help.htm?type=oie&id=csh-idp-add-saml)
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpauthclaimssharing.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpauthclaimssharing.md
new file mode 100644
index 00000000000..681104437b8
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpauthclaimssharing.md
@@ -0,0 +1 @@
+When you use SAML 2.0 with claims sharing, the data that's shared between an Okta IdP and an Okta SP is included in the SAML response in a new reserved tag in the `Extension` section called `OktaAuth`. This content is communicated in JSON within the `Assertion` response and contains information about authentication performed at the Okta IdP org. The entire assertion is securely encrypted with a published encryption key from the SP org.
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpresponse.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpresponse.md
new file mode 100644
index 00000000000..270db52c231
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpresponse.md
@@ -0,0 +1,20 @@
+> **Note:** The `OktaAuth` JSON payload is redacted and the response is truncated for brevity.
+
+```JSON
+.....
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:X509
+
+
+
+
+ ...JSON payload...
+
+
+
+
+
+
+.....
+```
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpresponsetitle.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpresponsetitle.md
new file mode 100644
index 00000000000..a7d0ea2f9c8
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpresponsetitle.md
@@ -0,0 +1 @@
+SAML 2.0 IdP response
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idptype.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idptype.md
new file mode 100644
index 00000000000..7945954acb0
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idptype.md
@@ -0,0 +1 @@
+SAML 2.0
\ No newline at end of file
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpupdaterequest.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpupdaterequest.md
new file mode 100644
index 00000000000..22f7285fec0
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpupdaterequest.md
@@ -0,0 +1,83 @@
+This request is an example of an Okta SAML 2.0 IdP update to trust claims. In the `policy` section, the `trustClaims: true` key and value pair appears.
+
+> **Note:** The request example is truncated for brevity.
+
+```JSON
+{
+ "type":"SAML2",
+ "status":"ACTIVE",
+ "features":[],
+ "id":"0oa78rktqwQbG2m9O0g4",
+ "orgUrl":"http://{yourOktaDomain}",
+ "name":"Org2Org",
+ "created":null,
+ "lastUpdated":"2025-01-15T19:45:03.000Z",
+ "protocol":{
+ "endpoints":{
+ "authorization":{"binding":"HTTP-REDIRECT"},
+ "token":{"binding":"HTTP-POST"},
+ "userInfo":null,
+ "jwks":{"binding":"HTTP-REDIRECT"},
+ "acs":{
+ "binding":"HTTP-POST",
+ "type":"INSTANCE"},
+ "sso":{
+ "url":"http://{yourOktaDomain}/app/okta_org2org/exk78hrRdLRNV4EZY0g4/sso/saml",
+ "binding":"HTTP-POST",
+ "destination":"http://{yourOktaDomain}"
+ }
+ },
+ "scopes":[],
+ "settings":{
+ "nameFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+ "honorPersistentNameId":true
+ },
+ "type":"SAML2",
+ "algorithms":{
+ "response":{
+ "signature":{
+ "algorithm":"SHA-256",
+ "scope":"ANY"
+ }
+ },
+ "request":{
+ "signature":{
+ "algorithm":"SHA-256",
+ "scope":"REQUEST"
+ }
+ }
+ },
+ "credentials":{
+ "trust":{
+ "issuer":"http://{yourOktaDomain}/exk78hrRdLRNV4EZY0g4",
+ "audience":"https://{yourOktaDomain}/saml2/service-provider/spjhiydxfezknoimtoye",
+ "kid":"eb5c22a1-c2c2-484b-839f-2ca6d29fd519",
+ "revocation":null,
+ "revocationCacheLifetime":0
+ },
+ "signing":{"kid":"uiiidnMQ4_WXZlt-ovtrRKJDK6UivJfFSnrfN4nNdwg"}
+ }
+ },
+ "policy":{
+ "trustClaims":true,
+ "accountLink":{
+ "action":"AUTO",
+ "filter":null
+ },
+ "provisioning":{
+ "action":"AUTO",
+ "profileMaster":false,
+ "groups":{"action":"NONE"}
+ },
+ "maxClockSkew":120000,
+ "subject":{
+ "userNameTemplate":{ "template":"idpuser.subjectNameId"},
+ "filter":"",
+ "matchType":"USERNAME",
+ "matchAttribute":null
+ },
+ "mapAMRClaims":false
+ },
+ .....
+}
+```
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpupdateresponse.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpupdateresponse.md
new file mode 100644
index 00000000000..b12f6695897
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/idpupdateresponse.md
@@ -0,0 +1,86 @@
+```JSON
+{
+ "id": "0oa78rktqwQbG2m9O0g4",
+ "name": "Org2Org",
+ "status": "ACTIVE",
+ "created": null,
+ "lastUpdated": "2025-01-15T19:45:16.000Z",
+ "protocol": {
+ "type": "SAML2",
+ "endpoints": {
+ "sso": {
+ "url": "http://{yourOktaDomain}/app/okta_org2org/exk78hrRdLRNV4EZY0g4/sso/saml",
+ "binding": "HTTP-POST",
+ "destination": "http://{yourOktaDomain}"
+ },
+ "acs": {
+ "binding": "HTTP-POST",
+ "type": "INSTANCE"
+ }
+ },
+ "algorithms": {
+ "request": {
+ "signature": {
+ "algorithm": "SHA-256",
+ "scope": "REQUEST"
+ }
+ },
+ "response": {
+ "signature": {
+ "algorithm": "SHA-256",
+ "scope": "ANY"
+ }
+ }
+ },
+ "settings": {
+ "nameFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+ "honorPersistentNameId": true
+ },
+ "credentials": {
+ "trust": {
+ "issuer": "http://{yourOktaDomain}/exk78hrRdLRNV4EZY0g4",
+ "audience": "https://{yourOktaDomain}/saml2/service-provider/spjhiydxfezknoimtoye",
+ "kid": "eb5c22a1-c2c2-484b-839f-2ca6d29fd519",
+ "revocation": null,
+ "revocationCacheLifetime": 0
+ },
+ "signing": {
+ "kid": "uiiidnMQ4_WXZlt-ovtrRKJDK6UivJfFSnrfN4nNdwg"
+ }
+ }
+ },
+ "policy": {
+ "provisioning": {
+ "action": "AUTO",
+ "profileMaster": false,
+ "groups": {
+ "action": "NONE"
+ },
+ "conditions": {
+ "deprovisioned": {
+ "action": "NONE"
+ },
+ "suspended": {
+ "action": "NONE"
+ }
+ }
+ },
+ "accountLink": {
+ "filter": null,
+ "action": "AUTO"
+ },
+ "subject": {
+ "userNameTemplate": {
+ "template": "idpuser.subjectNameId"
+ },
+ "filter": "",
+ "matchType": "USERNAME",
+ "matchAttribute": null
+ },
+ "maxClockSkew": 120000,
+ "mapAMRClaims": false,
+ "trustClaims": true
+ },
+ .....
+}
+```
diff --git a/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/redirect.md b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/redirect.md
new file mode 100644
index 00000000000..312d91a3873
--- /dev/null
+++ b/packages/@okta/vuepress-site/docs/guides/configure-claims-sharing/main/oktasaml/redirect.md
@@ -0,0 +1 @@
+Assertion Consumer Service (ACS) URL
diff --git a/packages/@okta/vuepress-site/docs/guides/index.md b/packages/@okta/vuepress-site/docs/guides/index.md
index e4fd0748b19..cc0d089974b 100644
--- a/packages/@okta/vuepress-site/docs/guides/index.md
+++ b/packages/@okta/vuepress-site/docs/guides/index.md
@@ -17,7 +17,7 @@ guides:
- client-secret-rotation-key
- common-hook-set-up-steps
- configure-access-policy
- - configure-amr-claims-mapping
+ - configure-claims-sharing
- configure-ciba
- configure-direct-auth-grants
- configure-native-sso
diff --git a/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md b/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md
index 4141a19e9a9..29aba19cf48 100644
--- a/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md
+++ b/packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md
@@ -8,6 +8,26 @@ title: Okta Identity Engine API release notes 2025
## January
+### Weekly release 2025.01.2
+
+| Change | Expected in Preview Orgs |
+|--------|--------------------------|
+| [Authentication claims sharing between Okta orgs is EA in Preview](#authentication-claims-sharing-between-okta-orgs-is-ea-in-preview) | January 29, 2025 |
+| [Bugs fixed in 2025.01.2](#bugs-fixed-in-2025-01-2) | January 29, 2025 |
+
+#### Authentication claims sharing between Okta orgs is EA in Preview
+
+Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See [Configure claims sharing](/docs/guides/configure-claims-sharing/oktasaml/main/).
+
+#### Bugs fixed in 2025.01.2
+
+* When the Default Network Zone IP Exempt List feature was enabled for an org, an admin was able to delete the default example IP zone using the Zones API (`/api/v1/zones/{DefaultExemptIpZone ID}`). (OKTA-817263)
+* The [List all principal rate limits](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/PrincipalRateLimit/#tag/PrincipalRateLimit/operation/listPrincipalRateLimitEntities) returned an empty response when querying with a custom `client_id` and using OAuth 2.0 for authentication. (OKTA-832687)
+* When a super admin updated a deactivated user to a different realm, admins received a `Resource not found` error. (OKTA-699778)
+* Events for tokens revoked in bulk for a resource didn't appear in the System Log. (OKTA-834025)
+* Refresh tokens for OpenID Connect apps that have Single Logout enabled with user session details were getting invalidated before their max lifetime. (OKTA-730794)
+* The `okta.accessRequests.catalog.read` scope was missing from the Okta Identity Governance APIs. (OKTA-846162)
+
### Weekly release 2025.01.1
| Change | Expected in Preview Orgs |
diff --git a/packages/@okta/vuepress-site/docs/release-notes/2025/index.md b/packages/@okta/vuepress-site/docs/release-notes/2025/index.md
index 3998f726eac..0c33e1cf094 100644
--- a/packages/@okta/vuepress-site/docs/release-notes/2025/index.md
+++ b/packages/@okta/vuepress-site/docs/release-notes/2025/index.md
@@ -6,6 +6,25 @@ title: Okta Classic Engine API release notes 2025
## January
+### Weekly release 2025.01.2
+
+| Change | Expected in Preview Orgs |
+|--------|--------------------------|
+| [Authentication claims sharing between Okta orgs is EA in Preview](#authentication-claims-sharing-between-okta-orgs-is-ea-in-preview) | January 29, 2025 |
+| [Bugs fixed in 2025.01.2](#bugs-fixed-in-2025-01-2) | January 29, 2025 |
+
+#### Authentication claims sharing between Okta orgs is EA in Preview
+
+Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See [Configure claims sharing](/docs/guides/configure-claims-sharing/oktasaml/main/).
+
+#### Bugs fixed in 2025.01.2
+
+* When the Default Network Zone IP Exempt List feature was enabled for an org, an admin was able to delete the default example IP zone using the Zones API (`/api/v1/zones/{DefaultExemptIpZone ID}`). (OKTA-817263)
+* The [List all principal rate limits](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/PrincipalRateLimit/#tag/PrincipalRateLimit/operation/listPrincipalRateLimitEntities) returned an empty response when querying with a custom `client_id` and using OAuth 2.0 for authentication. (OKTA-832687)
+* When a super admin updated a deactivated user to a different realm, admins received a `Resource not found` error. (OKTA-699778)
+* Events for tokens revoked in bulk for a resource didn't appear in the System Log. (OKTA-834025)
+* The `okta.accessRequests.catalog.read` scope was missing from the Okta Identity Governance APIs. (OKTA-846162)
+
### Weekly release 2025.01.1
| Change | Expected in Preview Orgs |
diff --git a/packages/@okta/vuepress-theme-prose/const/navbar.const.js b/packages/@okta/vuepress-theme-prose/const/navbar.const.js
index 47be03ff193..88d03347f77 100644
--- a/packages/@okta/vuepress-theme-prose/const/navbar.const.js
+++ b/packages/@okta/vuepress-theme-prose/const/navbar.const.js
@@ -417,6 +417,7 @@ export const guides = [
],
},
{ title: "Configure AMR claims mapping", guideName: "configure-amr-claims-mapping", hidden: true },
+ { title: "Configure claims sharing", guideName: "configure-claims-sharing" },
{ title: "Sign users out", guideName: "oie-embedded-sdk-use-case-basic-sign-out" },
{ title: "Delete all Stay signed in sessions", guideName: "delete-all-stay-signed-in-sessions" },
{ title: "Single Logout", guideName: "single-logout" },
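Review bot: The `configure-amr-claims-mapping` entry just above the added line stays in the navbar with `hidden: true`, while this same commit removes that guide from the `guides:` list in `docs/guides/index.md` (hunk @@ -17,7 +17,7 @@, where it is replaced by `configure-claims-sharing`). If the AMR guide is being superseded by the new claims-sharing guide, the hidden entry appears to be unreachable from navigation and could be dropped; if it is deliberately kept so the old guide URL keeps resolving, a one-line comment on that entry, such as `// superseded by configure-claims-sharing; kept hidden so existing links resolve`, would make the intent clear to the next editor. The `guides` array begins before this hunk.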
diff --git a/packages/@okta/vuepress-theme-prose/global-components/AMROktatoOkta.vue b/packages/@okta/vuepress-theme-prose/global-components/AMROktatoOkta.vue
deleted file mode 100644
index 959f7373e58..00000000000
--- a/packages/@okta/vuepress-theme-prose/global-components/AMROktatoOkta.vue
+++ /dev/null
@@ -1,17 +0,0 @@
-
-
- If you plan to enable AMR claims in the Okta org that you connect to the IdP org, you must enable Use standard AMR value format in the IdP org. Enable this option to send AMR claim values to apps using the standard format of the supported protocol rather than the legacy Okta format.
-
-
- - Go to Security > General and locate the Organization Security section.
- - Select Enabled from the Use standard AMR value format dropdown.
- - Click Save.
-
-
-
-
-
diff --git a/packages/@okta/vuepress-theme-prose/util/frameworks.js b/packages/@okta/vuepress-theme-prose/util/frameworks.js
index 6b6aa6e52d5..4efb7653006 100644
--- a/packages/@okta/vuepress-theme-prose/util/frameworks.js
+++ b/packages/@okta/vuepress-theme-prose/util/frameworks.js
@@ -89,6 +89,8 @@ const COMMON_NAME_TO_FANCY_NAME = {
saml: 'SAML',
oktaresourceserver: 'Okta resource server',
nonoktaresourceserver: 'Non-Okta resource server',
+ oktaoidc: 'Okta OIDC IdP',
+ oktasaml: 'Okta SAML 2.0 IdP',
};
const COMMON_NAME_TO_ICON_NAME = {
@@ -126,6 +128,8 @@ const COMMON_NAME_TO_ICON_NAME = {
reactnativedroid: 'code-react-32',
reactnativeios: 'code-react-32',
spring: 'code-spring-32',
+ oktaoidc: 'openid-16',
+ oktasaml: 'advanced-sso-16-blue',
};
const IDP_COMMON_NAME_TO_ICON_NAME = {
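Review bot: The new icon entries `oktaoidc: 'openid-16'` and `oktasaml: 'advanced-sso-16-blue'` follow a different size convention from the neighbouring entries in `COMMON_NAME_TO_ICON_NAME` (`code-react-32`, `code-spring-32`), so the stack selector may render these two smaller than the other frameworks unless the `-16` variants are intended; if they are, a short comment such as `// 16px variants: no 32px icons exist for these IdP types` would stop a later cleanup from "fixing" them. `IDP_COMMON_NAME_TO_ICON_NAME`, which begins on the last line of this hunk with its body outside it, is not touched, and since both new keys describe IdPs it is worth confirming whether that map needs matching entries or is keyed differently. The fancy-name hunk at @@ -89,6 +89,8 @@ adds the same two keys and is consistent with this one.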