Juniper Networks SSL VPN Integration Guide
Published: Jan 12, 2015   -   Updated: Feb 14, 2017

A link to a PDF version of this article is at the end of this article.

Introduction
     Overview
     Terms
Setting Up an Authentication Server
Creating a User Role
Creating a User Realm
Setting Up Your Sign-In URL



Introduction

This document describes how to integrate an Okta organization with a Juniper Instant Virtual Extranet (IVE), so that users can connect from Okta to an IVE server using SAML, and then SSO into a target application or resource.


Overview

Following is a brief overview of the steps required to integrate an Okta organization with a Juniper IVE:

  1. An administrator must configure an IVE instance in their Okta organization.
  2. Sign into IVE and configure it to accept SAML assertions from Okta.
  3. Create an Authentication Server.
  4. Create a User Role that maps users to a managed resource on the IVE.
  5. Create a target Authentication Realm that you associate with the Target App URL/Resource.
  6. Map users in your Authentication Realm to a User Role.
  7. Create a target application Sign-In URL that you pass to the IVE via the Okta SAML assertion target.
  8. After you set up the IVE to receive SAML assertions from Okta, you can assign the IVE instance to end users.

After completing these steps, users can click an application icon on their home page and SSO to the target application (resource) managed by the IVE.

Figure 1. Okta Integration Overview


Terms

The following is a list of terms and values that are used in this guide:

  • Authentication Server: Okta_SAML_AUTH_SERVER
  • User Role: Okta_SSO_USER_ROLE
  • Realm: Okta_SAML_SSO_REALM
  • Sign-In URL: Target Field of SAML assertion
  • Target-App-URL: Sign-in URL of desired app or resource that is managed by the IVE.


Setting Up an Authentication Server

Do the following:

  1. From your Okta Administrative Dashboard, select Application > New Application and enter “template” in the search bar. Choose the SAML 2.0 Template. See figures 2–5 below.
  2. Sign into your Juniper IVE Admin Manager.
  3. Create a new authentication server, and name it Okta_SAML_AUTH_SERVER. Select Authentication, click Auth Servers, select SAML server from the New drop-down menu, and click New Server.
  4. Complete the fields for your new authentication server:
    • Server Name: Enter a name that can be easily identified.
    • Source Site Inter-Site Transfer Service URL: Copy and paste the post-back URL from the Okta SAML setup instructions.
    • Issuer Value for Source Site: Copy and paste the issuer value from the Okta SAML setup instructions.
    • User Name Template: Enter <userAttr.cn>
    • Allowed Clock Skew (minutes): Enter the clock difference, in minutes, between the IVE and the Okta server.
    • SSO Method: Select Post.
      • Upload the certificate provided in the Okta SAML setup instructions.
      • Make sure Enabled Signing Certificate status checking is not checked.
  5. Click the Save Changes button.
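
As an added illustration (not part of the Okta guide and not IVE code), the following Python example shows what the Issuer Value and Allowed Clock Skew settings govern when a SAML 2.0 assertion is evaluated. The sample assertion, the issuer URL, and the function names are constructed for this example, and signature verification against the uploaded certificate is assumed to happen separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; all values are placeholders).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2017-02-14T12:00:00Z">
  <saml:Issuer>http://idp.example.test/issuer-placeholder</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-02-14T11:55:00Z"
                   NotOnOrAfter="2017-02-14T12:05:00Z"/>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp, ignoring any fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, skew_minutes, now):
    """Return a list of rejection reasons; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    problems = []

    # Issuer must match the configured value exactly.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append("issuer mismatch")

    # The validity window is widened on both sides by the allowed skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        return problems + ["no validity window"]
    skew = timedelta(minutes=skew_minutes)
    not_before = cond.get("NotBefore")
    if not_before and now + skew < _ts(not_before):
        problems.append("not yet valid")
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        problems.append("expired")
    return problems
```

With the sample above, an assertion presented two minutes after its NotOnOrAfter time is rejected with a 1-minute skew and accepted with a 5-minute skew, so the skew value should reflect the measured clock difference rather than a generous margin.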

Figure 2. Setting Up the Application in Okta


Figure 3. Setting Up the Application in Okta


Figure 4. Setting Up the Application in Okta


Figure 5. Setting Up an Authentication Server


Creating a User Role

This section describes how to create a new role to map users in the Okta_SAML_SSO_REALM. Name this role Okta_SSO_USER_ROLE.

  1. Select Users > User Roles > New Role.
  2. Select General, click the Overview tab, and complete the following fields:
    • Name: Okta_SSO_USER_ROLE
    • Description: Enter a description.
    • Make sure the following are selected in Options:
      • Select Session/Options.
      • Select UI/Options.
      • In Access Features, select Web.
  3. Click the Save Changes button.

Figure 6. Creating a User Role


  1. On the same page, click the Web tab and select Bookmarks.
  2. Create a new bookmark to the target application or resource the IVE is managing. Name this URL TARGET_APP_URL.
  3. Under Type, choose a Web Resource Profile.
  4. Enter a name in the Name field.

Figure 7. Creating a New Bookmark


  1. Staying on the same page, select General and click UI Options.
  2. Under Start Page, select Custom Page.
  3. In the start page URL field, enter TARGET_APP_URL. This is the sign-in page URL for the target application or resource that you created in “Creating a User Role.”

    For example, https://www.yammer.com/login

    Make sure you check Also allow access to directories below URL.
  4. Click Save.

Figure 8. Setting the Start Page


Creating a User Realm

Do the following:

  1. Create a new realm to associate with your Okta_SAML_AUTH_SERVER authentication server. Name the realm Okta_SAML_SSO_REALM.
  2. Select Users, click User Realms, and then click New.
  3. Create a new User Authentication Realm and complete the following fields:
    • Name: Okta_SAML_SSO_REALM
    • Description: Enter SAML SSO Realm.
    • Authentication: Select Okta_SAML_AUTH_SERVER (created in “Setting Up an Authentication Server”).

Figure 9. Creating a User Realm


  1. On the same page, click the Role Mapping tab.
  2. Click New Rule and complete the following fields:
    • Rule Based on: Select Username
    • Name: Okta_SAML_SSO_RULE
    • Set Rule: If Username… to is: “*”
    • Assign these roles: Set to Okta_SSO_USER_ROLE.
  3. Click Save Changes.

Figure 10. Creating a New Rule


Setting Up Your Sign-In URL

  1. Select Authentication and click Signing In.
  2. Click New URL.
  3. Edit your new Sign-In URL as follows:
    • Sign-In URL: The Sign-In URL is passed into the IVE from the SAML Assertion POST. Enter the Sign-In URL for Okta to complete the Okta IVE configuration.
    • Select User picks from a list of authentication realms and then select Okta_SAML_SSO_REALM.
  4. Click the Save Changes button.

Figure 11. Editing a Sign-In URL


This step completes your integration. Your users can now authenticate using SAML from Okta to an IVE server and then SSO into the target application or resource.
