What is Symantec Mobility Suite?
Symantec Mobility Suite securely serves up apps to mobile devices and implements remote device management services. Symantec Mobility Suite manages apps and app distribution. New and updated apps are uploaded into Symantec Mobility Suite, and distributed at your command.
Push notifications are sent directly to mobile users when new or updated apps are available. Mobile users install apps directly to their device using the Work Hub.
Symantec Mobility Suite distribution is regulated by group policy, preventing unauthorized access.
How SAML based authentication works:
Here Service Provider (SP) refers to Symantec Mobility Suite and Identity Provider (IDP) refers to OKTA.
- Request the target resource at the SP. The user attempts to reach a hosted Symantec application, for example https://mycompany.appcenterhq.com
- Security check at the SP. The SP performs a security check on behalf of the target resource. Finding no session, it generates a SAML authentication request (AuthnRequest). This request is encoded and embedded in the URL of the partner's SSO service, together with a RelayState parameter that records the resource originally requested.
- Redirect to the IDP. The SP answers the browser with an HTTP redirect to the IDP's SSO URL. The SAMLRequest and RelayState parameters from the previous step are carried in that URL.
- Request the SSO service at the IDP. The browser follows the redirect and requests the SSO service at the IDP, sending the SAMLRequest and RelayState values from the redirect.
- Identity Provider operation. The IDP parses the SAML request, authenticates the user (prompting for OKTA credentials unless an IDP session already exists) and generates a SAML response addressed to the SP.
- Respond with an XHTML form. The IDP returns a document containing an XHTML form that holds the encoded SAMLResponse and the RelayState. The browser submits this form by HTTP POST to the SP's Assertion Consumer Service (ACS).
- Request the Assertion Consumer Service at the SP. The ACS verifies the signature on the SAML response using the partner's (IDP's) public key from the IDP metadata, and checks that the response is addressed to this SP and is still within its validity window. If the response is successfully verified, the ACS creates a session and redirects the user to the destination URL carried in RelayState.
- Redirect to the target resource. The user arrives at the destination URL and is logged in to Symantec Work Hub.
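The exchange above as runnable code, an added example that is not part of Symantec's or OKTA's software: it encodes an AuthnRequest for the HTTP-Redirect binding (raw DEFLATE then base64, as that binding specifies), decodes it as the IDP would, and applies the ACS checks to a constructed response. The tenant hostnames, entity IDs and the sample user are assumed values taken from this page's examples; XML signature verification needs an XML-DSig library and is reduced here to rejecting an assertion that carries no Signature element at all.

```python
"""Added example (not Symantec or Okta code): SP-initiated SAML exchange reduced
to the Redirect-binding request encoding and the checks the Assertion Consumer
Service must make before it logs a user in. All endpoints/IDs are assumed values."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ACS = "https://mycompany.appcenterhq.com/appstore/saml2/consumer"
SP_ENTITY_ID = SP_ACS  # this deployment uses the ACS URL as the SP entity ID
IDP_ENTITY_ID = "http://www.okta.com/kkln23l2BDMINJVMLAPY"
IDP_SSO = "https://mycompany.okta.com/app/template_saml_2_0/kkln23l2BDMINJVMLAPY/sso/saml"
REQUIRED_ATTRS = ("Username", "FirstName", "LastName", "EMailAddress")
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def build_redirect_url(request_id, issue_instant, relay_state):
    """SP side: AuthnRequest -> raw DEFLATE -> base64 -> query string on the IDP SSO URL."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SSO, "AssertionConsumerServiceURL": SP_ACS,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = SP_ENTITY_ID
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(ET.tostring(req)) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO + "?" + urlencode(query)

def decode_redirect_request(url):
    """IDP side: recover the AuthnRequest ID and RelayState from the redirect URL."""
    qs = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    return ET.fromstring(xml).get("ID"), qs["RelayState"][0]

def check_response(response_b64, expected_request_id, now_utc):
    """ACS side: returns (accepted, reason, attributes). now_utc is an ISO timestamp
    string so the validity window can be tested against a fixed clock."""
    now = _ts(now_utc)
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.get("Destination") != SP_ACS or root.get("InResponseTo") != expected_request_id:
        return False, "Response Destination/InResponseTo do not match our ACS and request", {}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IDP did not report Success", {}
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "no Assertion from the configured IDP", {}
    if a.find("ds:Signature", NS) is None:  # real code: verify the XML-DSig with the IDP cert
        return False, "assertion is unsigned but WantAssertionsSigned=true", {}
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "assertion is outside its validity window", {}
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "AudienceRestriction does not name this SP", {}
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS or scd.get("InResponseTo") != expected_request_id:
        return False, "bearer SubjectConfirmationData is not bound to our ACS and request", {}
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    if missing:
        return False, "missing required attributes: " + ", ".join(missing), attrs
    return True, "ok", attrs

def sample_response(in_response_to, signed=True, audience=SP_ENTITY_ID):
    """Constructed IDP Response for exercising check_response (sample data, not an OKTA capture)."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>constructed</ds:SignatureValue>'
           '</ds:Signature>' % NS["ds"]) if signed else ""
    user = [("Username", "jdoe"), ("FirstName", "Jane"), ("LastName", "Doe"),
            ("EMailAddress", "jdoe@mycompany.com")]
    attrs = "".join('<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
                    '</saml:Attribute>' % kv for kv in user)
    xml = ('<samlp:Response xmlns:samlp="{p}" xmlns:saml="{s}" ID="_r1" Version="2.0" '
           'IssueInstant="2015-01-20T10:00:00Z" Destination="{acs}" InResponseTo="{irt}">'
           '<saml:Issuer>{idp}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>'
           '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-01-20T10:00:00Z">'
           '<saml:Issuer>{idp}</saml:Issuer>{sig}<saml:Subject>'
           '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t1</saml:NameID>'
           '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           '<saml:SubjectConfirmationData Recipient="{acs}" InResponseTo="{irt}" '
           'NotOnOrAfter="2015-01-20T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>'
           '<saml:Conditions NotBefore="2015-01-20T09:59:00Z" NotOnOrAfter="2015-01-20T10:05:00Z">'
           '<saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions><saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>').format(
               p=NS["samlp"], s=NS["saml"], acs=SP_ACS, irt=in_response_to, idp=IDP_ENTITY_ID,
               ok=SUCCESS, sig=sig, aud=audience, attrs=attrs)
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    url = build_redirect_url("_req1", "2015-01-20T09:59:30Z", "/appstore")
    rid, relay = decode_redirect_request(url)
    print(check_response(sample_response(rid), rid, "2015-01-20T10:00:30Z"))
    print(check_response(sample_response(rid, signed=False), rid, "2015-01-20T10:00:30Z"))
```

Each check in check_response corresponds to a value that is configured on the IDP side for this SP: the Response Destination and the SubjectConfirmationData Recipient must equal the ACS URL, the Audience must equal the SP Entity ID, and InResponseTo ties the assertion to a request this SP actually issued. Dropping any of them lets a response minted for another SP, or replayed from an old session, be accepted. The OKTA template app on this page is configured with "Request: Uncompressed"; the example follows the standard HTTP-Redirect binding, which always DEFLATEs the request.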
Configuring SAML as an external identity provider
Symantec Mobility Suite supports using the Security Assertion Markup Language (SAML) protocol with an external identity provider (IDP). Symantec Mobility Suite can use the SAML server to authenticate users to access the Mobility Manager, the End-User Portal, the Work Hub, and any wrapped apps that require authentication.
SAML provides Web-based authentication and authorization and single sign-on (SSO) capabilities.
When you configure Symantec Mobility Suite to use SAML, Symantec Mobility Suite acts as a service provider. The user connects to Symantec Mobility Suite, which redirects the user's browser or native app to the SAML server (OKTA). Once the SAML server has authenticated the user, it forwards the user back to Symantec Mobility Suite with a signed SAML response. The whole process is transparent to the user.
The workflow to configure SAML as an external identity provider is as follows:
1. Set up the server configuration.
The way you set up your server configuration depends on whether or not your SAML server requires specific information from Symantec Mobility Suite for the integration. If it does, you download an XML file from Mobility Manager that contains this information and provide it to your SAML server provider. Your SAML server provider in turn provides you with the required IDP metadata file that you upload into Mobility Manager.
2. Configure the authentication options.
Your SAML server's user store and Symantec Mobility Suite use slightly different names for the same attributes. For example, Mobility Manager has an attribute EMailAddress, which contains the user's full email address; in a user store the same value might be carried in an attribute called mail. The names vary between SAML implementations, but they are the same attributes under a different moniker. Mobility Manager requires four attributes: Username, FirstName, LastName, and EMailAddress, and each must be mapped to the attribute name the IDP actually sends.
3. Enable the external IDP.
After you enable SAML as the IDP, all URL requests to https://mycompany.appcenterhq.com are redirected to the SAML provider for authentication. To log in using the local IDP, you must use the following URL:
https://mycompany.appcenterhq.com/admin
To complete this workflow, we need to have the following:
- A SAML metadata file
Each SAML server distributes its information through a single file typically referred to as the metadata file. This file is in XML format and contains all the information needed to connect to it as well as any information needed to authenticate and parse the SAML replies. Obtain this metadata file from the SAML server.
- SP Partner ID
Some SAML servers need extra information in the SAML request forwarded to them. If your SAML server requires this additional information, obtain the SP Partner ID before you begin this workflow.
- SP Entity ID
Some SAML servers require extra information be included in the URL used to forward the request. Know the SP Entity ID before you begin this workflow.
The service provider entity ID must be written exactly the same as it is in the metadata file.
- SAML attributes
Know the names of the attributes in your SAML user store that you want to map to the corresponding App Center attributes: Username, FirstName, LastName, and EMailAddress.
Here are the steps to configure Symantec Mobility Suite to use SAML IDP (OKTA) for authentication:
- First you need to create an enterprise tenant.
- Login to an enterprise tenant (Example: https://mycompany.appcenterhq.com)
- In the Mobility Manager, click Settings > External Identity Provider - > Server Configuration.
- On the Server Configuration page, click the Type drop-down list and select SAML.
- In the Name box, type a name for the configuration (ex: mycompany)
- The SP Partner ID field can be left empty for OKTA.
- In the SP Entity ID box, provide the service provider entity ID as below:
https://mycompany.appcenterhq.com/appstore/saml2/consumer
This value is the SP entity ID as it appears in the downloaded SP metadata file, and it is what OKTA will later be told to put in the Audience Restriction. It must be typed exactly the same in both places.
- Click Download SP Metadata File. A file called "mycompany.appcenterhq.com-sp-metadata.xml" is downloaded to your system.
The file looks like this (certificate shortened):
<?xml version='1.0' encoding='UTF-8'?>
<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://mycompany.appcenterhq.com/appstore/saml2/consumer"
    validUntil="2015-01-28T18:02:01Z">
  <ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns0:KeyDescriptor>
      <ns1:KeyInfo>
        <ns1:X509Data>
          <ns1:X509Certificate>MIIFXTCCBEWgAwIBAgIQdDI+fXPHNwpiY4QyyYMwVzANBgkqhkiG9w0BAQsFADCB...</ns1:X509Certificate>
        </ns1:X509Data>
      </ns1:KeyInfo>
    </ns0:KeyDescriptor>
    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://mycompany.appcenterhq.com/appstore/saml2/consumer" index="1" />
    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mycompany.appcenterhq.com/appstore/saml2/consumer" index="2" />
    <ns0:AttributeConsumingService index="1">
      <ns0:ServiceName xml:lang="en">mycompany</ns0:ServiceName>
      <ns0:ServiceDescription xml:lang="en">https://mycompany.appcenterhq.com/appstore/saml2/consumer</ns0:ServiceDescription>
      <ns0:RequestedAttribute Name="first" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
      <ns0:RequestedAttribute Name="last" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
      <ns0:RequestedAttribute FriendlyName="email" Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
      <ns0:RequestedAttribute Name="guid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true" />
    </ns0:AttributeConsumingService>
  </ns0:SPSSODescriptor>
  <ns0:Organization>
    <ns0:OrganizationName xml:lang="en">CompanyName</ns0:OrganizationName>
    <ns0:OrganizationDisplayName xml:lang="en">CompanyName</ns0:OrganizationDisplayName>
    <ns0:OrganizationURL xml:lang="en">https://mycompany.appcenterhq.com/appstore/saml2/consumer</ns0:OrganizationURL>
  </ns0:Organization>
  <ns0:ContactPerson contactType="technical">
    <ns0:GivenName>FirstName</ns0:GivenName>
    <ns0:SurName>LastName</ns0:SurName>
    <ns0:EmailAddress>mycompany@company.com</ns0:EmailAddress>
    <ns0:EmailAddress>mycompany@company.com</ns0:EmailAddress>
  </ns0:ContactPerson>
</ns0:EntityDescriptor>
Two values in this file matter for the OKTA side: the entityID, which becomes the Audience Restriction, and the AssertionConsumerService Location, which becomes the PostBack URL, Recipient and Destination. Note also that WantAssertionsSigned="true": the SP expects OKTA to sign the assertion.
- With this information, go to OKTA and configure the SAML 2.0 template application with the values from the SP metadata file above. You need an OKTA admin account to set up the Template SAML 2.0 app for Symantec Mobility Suite.
- Log in to the OKTA URL: https://mycompany.okta.com
- Click the "Administration" option on the right side.
- Select the "Applications" tab and click the "Add Application" option on the right side.
- Enter "Template SAML2.0 App" in the "Search for an application" box.
- Click the "Add" button on the right side.
- Enter the Application Label as "Symantec Mobility Suite" (any name will do). Configure the following fields as below, using the ACS URL from the SP metadata file for every URL field. After you have configured them, confirm the values with the Symantec Mobility Suite team. You can also refer to the OKTA help page for more information on the SAML 2.0 template setup:
https://support.okta.com/entries/23364161-Configuring-Okta-Template-SAML...
PostBack URL: https://mycompany.appcenterhq.com/appstore/saml2/consumer
Name ID Format: Transient
Recipient: https://mycompany.appcenterhq.com/appstore/saml2/consumer
Audience Restriction: https://mycompany.appcenterhq.com/appstore/saml2/consumer (must equal the SP Entity ID exactly)
Response: Unsigned
Assertion: Signed (the SP metadata declares WantAssertionsSigned="true" and the ACS verifies the assertion signature with the OKTA certificate from the IDP metadata; if neither the response nor the assertion is signed, the SP has nothing to verify and anyone who can reach the ACS could submit an assertion of their own)
Request: Uncompressed
Destination: https://mycompany.appcenterhq.com/appstore/saml2/consumer
Attribute Statements:
EMailAddress|${user.email},FirstName|${user.firstName},LastName|${user.lastName},Username|${user.userName}
The attribute names on the left of each pair (EMailAddress, FirstName, LastName, Username) are the names Symantec Mobility Suite expects; the right-hand side is the OKTA user profile field that supplies the value. After you have configured all the required attributes, click the Save button.
- Now click the "Sign On" tab.
- Click the "View Setup Instructions" button. This opens a page in a new tab containing the IDP metadata, which is what you need to give Symantec Mobility Suite.
- Copy the IDP metadata into an XML file. It looks like this (certificate shortened):
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/kkln23l2BDMINJVMLAPY">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICnzCCAgigAwIBAgIGAT8bhB5tMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mycompany.okta.com/app/template_saml_2_0/kkln23l2BDMINJVMLAPY/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://mycompany.okta.com/app/template_saml_2_0/kkln23l2BDMINJVMLAPY/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
The X509Certificate here is the key the ACS uses to verify OKTA's signatures, so this file must be obtained from your own OKTA tenant, not copied from a document.
- Modify this XML to add the following four attribute declarations, which Symantec Mobility Suite expects, as the last children of md:IDPSSODescriptor (after the SingleSignOnService elements):
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="FirstName" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="LastName" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="EMailAddress" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Username" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
- After including the above attributes, the XML looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/kkln23l2BDMINJVMLAPY">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIICnzCCAgigAwIBAgIGAT8bhB5tMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mycompany.okta.com/app/template_saml_2_0/kkln23l2BDMINJVMLAPY/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://mycompany.okta.com/app/template_saml_2_0/kkln23l2BDMINJVMLAPY/sso/saml"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="FirstName" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="LastName" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="EMailAddress" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Username" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
When you have an IDP metadata file from your SAML provider, save it to a location that you can access from Mobility Manager.
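A script that performs the metadata edit above and sanity-checks the result before it is uploaded, as an added example that is not Symantec or OKTA code: add_required_attributes() appends the four saml:Attribute declarations exactly where the manual edit puts them, and check_idp_metadata() confirms the file has an entityID, a base64/DER signing certificate, an https SSO endpoint and all four attribute names. The sample document is constructed from the OKTA metadata on this page with a placeholder certificate; the entity ID and hostnames are the page's assumed example values.

```python
"""Added example (not Symantec or Okta code): edit and validate an IDP metadata
file before uploading it to Mobility Manager. Sample data is constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
REQUIRED_ATTRS = ("Username", "FirstName", "LastName", "EMailAddress")
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

def add_required_attributes(idp_metadata):
    """Append a saml:Attribute for each required name not already declared; returns bytes."""
    root = ET.fromstring(idp_metadata)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("not IDP metadata: no md:IDPSSODescriptor")
    present = {a.get("Name") for a in desc.findall("saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in present:
            # saml:Attribute is a legal trailing child of IDPSSODescriptor, so appending keeps schema order
            ET.SubElement(desc, "{%s}Attribute" % NS["saml"], {"NameFormat": BASIC, "Name": name})
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def check_idp_metadata(idp_metadata):
    """Return (problems, summary); an empty problems list means the file is fit to upload."""
    root = ET.fromstring(idp_metadata)
    problems, summary = [], {"entity_id": root.get("entityID")}
    if not summary["entity_id"]:
        problems.append("missing entityID")
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        return problems + ["no md:IDPSSODescriptor"], summary
    summary["want_authn_requests_signed"] = desc.get("WantAuthnRequestsSigned") == "true"
    certs = 0
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # an encryption-only key cannot verify assertions
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
            continue
        if der[:1] != b"\x30":  # a DER Certificate starts with a SEQUENCE tag
            problems.append("signing certificate is not DER-encoded")
        certs += 1
    summary["signing_certs"] = certs
    if certs == 0:
        problems.append("no signing certificate: the SP could not verify assertions")
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
           for s in desc.findall("md:SingleSignOnService", NS)}
    summary["sso"] = sso
    if not {"HTTP-POST", "HTTP-Redirect"} & set(sso):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    for binding, loc in sso.items():
        if not (loc or "").startswith("https://"):
            problems.append("%s SSO endpoint is not https: %r" % (binding, loc))
    summary["attributes"] = [a.get("Name") for a in desc.findall("saml:Attribute", NS)]
    missing = [n for n in REQUIRED_ATTRS if n not in summary["attributes"]]
    if missing:
        problems.append("required attributes not declared: " + ", ".join(missing))
    return problems, summary

# Constructed from the page's OKTA metadata; FAKE_CERT is a placeholder, not a real certificate.
FAKE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode()
SAMPLE_IDP_METADATA = ((
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<md:EntityDescriptor xmlns:md="%s" entityID="http://www.okta.com/kkln23l2BDMINJVMLAPY">'
    '<md:IDPSSODescriptor WantAuthnRequestsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="%s"><ds:X509Data>'
    '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://mycompany.okta.com/app/template_saml_2_0/kkln23l2BDMINJVMLAPY/sso/saml"/>'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="https://mycompany.okta.com/app/template_saml_2_0/kkln23l2BDMINJVMLAPY/sso/saml"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>') % (NS["md"], NS["ds"], FAKE_CERT)).encode()

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_IDP_METADATA)[0])  # reports the four missing attributes
    fixed = add_required_attributes(SAMPLE_IDP_METADATA)
    print(check_idp_metadata(fixed))
```

Run it against the file you copied from OKTA and upload the output of add_required_attributes() only if check_idp_metadata() returns no problems. The summary also reports WantAuthnRequestsSigned; the SP metadata on this page advertises AuthnRequestsSigned="false", so if that flag is true on the IDP side confirm with OKTA that unsigned requests are accepted before enabling the IDP.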
- Now go to Mobility Manager. Click Settings > External Identity Provider > Server Configuration.
- Beside IDP Metadata, click Browse and select the IDP metadata XML file.
- Click "Save".
- Once the changes are saved, click "Auth. Options" and map each Symantec attribute to the attribute name OKTA sends, which is the same name in this setup: Username to Username, FirstName to FirstName, LastName to LastName, and EMailAddress to EMailAddress. These are the names configured in the OKTA Attribute Statements and declared in the IDP metadata you uploaded.
- Click Save, then click "Enable IDP". Keep the local login URL (https://mycompany.appcenterhq.com/admin) at hand so you can still reach Mobility Manager if the SAML configuration turns out to be wrong.
- Once the configuration is done, browse to https://mycompany.appcenterhq.com
- The user should be taken to the OKTA login screen for authentication.
- After authentication, the user should be taken back to the Symantec Mobility Suite portal page.