Connecting Mosaic with Okta

Add and Verify Domain on Mosaic

  1. Go to Mosaic Settings → Authentication. Under SAML 2.0 Single Sign On, click Manage Domains.

🚧

Please Note:

Only admins are able to access the Authentication tab on Mosaic settings.

  2. Select + Domain in the Verified Domains modal.
  3. Enter your email domain in the Host name field and click Add Domain.
  4. The newly added domain appears in the modal with the status Not Verified.
  5. Share the Hostname, Record Type (TXT), and Record Value with whoever manages the domain's DNS (typically your DevOps team) so they can publish the record. Once the record is in place, click Verify Ownership. DNS changes can take a while to propagate; if verification fails, confirm the record is published at exactly the hostname Mosaic specified and try again later.
  6. The domain's status updates to Verified.

📘

Domains with status Not Verified display a Delete option and can be removed. Once a domain is marked as Verified, the Delete option is no longer available.
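Before clicking Verify Ownership, it is worth checking from outside your network that the TXT record is actually visible, because a record published at the wrong name or wrapped in extra quotes is the usual reason verification fails. The script below is an added example, not part of Mosaic or Okta; it shells out to `dig` (which must be installed), queries a public resolver (1.1.1.1, chosen here so you see the same DNS view Mosaic will) and compares the published values with the Record Value from the modal. EXAMPLE_HOST and EXAMPLE_VALUE are constructed placeholders; substitute the Hostname and Record Value Mosaic shows you.

```python
"""Pre-check a Mosaic domain-verification TXT record before clicking Verify Ownership.

Added example, not Mosaic's or Okta's tooling. Requires `dig` on PATH.
"""
import re
import subprocess
from typing import Callable, List

# Constructed placeholders: use the Hostname and Record Value from Mosaic's
# Verified Domains modal instead.
EXAMPLE_HOST = "thisisdomain.com"
EXAMPLE_VALUE = "mosaic-domain-verification=0123456789abcdef"

# A TXT record is printed by dig as one or more "quoted" chunks on one line.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_txt(output: str) -> List[str]:
    """Turn `dig +short TXT` output into a list of TXT record strings.

    Each answer line is one record; a record longer than 255 bytes is split
    into several quoted chunks on the same line, which resolvers join back
    together, so this joins them too.
    """
    records: List[str] = []
    for line in output.splitlines():
        chunks = _QUOTED.findall(line)
        if chunks:
            records.append("".join(c.replace('\\"', '"') for c in chunks))
    return records


def lookup_txt(host: str) -> List[str]:
    """Query a public resolver (assumption: 1.1.1.1) rather than an internal one,
    so a split-horizon DNS setup cannot show you a record the internet cannot see."""
    completed = subprocess.run(
        ["dig", "+short", "TXT", host, "@1.1.1.1"],
        capture_output=True, text=True, check=True, timeout=10,
    )
    return parse_dig_txt(completed.stdout)


def txt_record_present(host: str, expected: str,
                       lookup: Callable[[str], List[str]] = lookup_txt) -> bool:
    """True when one published TXT record equals the expected value exactly.

    Exact comparison is deliberate: a value pasted with surrounding quotes,
    trailing whitespace, or at the apex instead of the hostname Mosaic gave
    you will (correctly) fail here, just as it would fail in Mosaic.
    """
    return expected in lookup(host)


if __name__ == "__main__":
    if txt_record_present(EXAMPLE_HOST, EXAMPLE_VALUE):
        print("TXT record is live; click Verify Ownership in Mosaic.")
    else:
        print("TXT record not visible yet; check the record name and value, or wait for propagation.")
```

The lookup is injected into `txt_record_present` so the comparison logic can be exercised without network access; in practice you only need to edit the two placeholders and run the file.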


Initial Setup with Mosaic SAML

  1. Go to Mosaic Settings → Authentication → SAML 2.0 Single Sign On and click Enable.

🚧

Please Note:

Only admins are able to access the Authentication tab on Mosaic settings.

  2. From the Mosaic SAML 2.0 Single Sign-On modal, take note of the ACS URL. This will be required when configuring Okta.
  3. Similarly, record the Entity ID from the same modal, as it will be used in a subsequent Okta configuration step.

Set up SAML on Okta

  1. Log in to your Okta Admin Dashboard.
  2. Navigate to Applications and click on Create App Integration.

  3. Choose SAML 2.0 as the Sign-in method and click Next.

  4. Under the General Settings tab, give your app a name and an optional logo, then click Next.

  5. Navigate to the Configure SAML tab:
    • Copy the ACS URL recorded from the Mosaic SAML 2.0 Single Sign-On modal (Initial Setup, step 2) into Okta's Single sign-on URL field.
    • Copy the Entity ID recorded from the same modal (Initial Setup, step 3) into Okta's Audience URI (SP Entity ID) field.
    • Leave the default values for the remaining fields and click Next.

  6. Navigate to the application's main page and select the Sign On tab.
  7. Under Sign on methods > SAML 2.0 > More details > Sign on URL, take note of the Sign on URL; it is required for the Mosaic setup in the subsequent steps.
  8. Under the SAML Signing Certificates section, click the Actions dropdown and select Download certificate.

  9. Open the downloaded certificate in a plain-text editor, such as TextEdit on Mac or Notepad on Windows. Copy the entire content of the file, including the BEGIN CERTIFICATE and END CERTIFICATE lines, as you will paste it into Mosaic in a subsequent step.

  10. Create a group:

  • Navigate to the Groups page under Directory and click the Add group button.
  • Enter a group name and click Save. Note the exact name: it is what you will enter later as the Security Group ID in Mosaic.
  • Click on the group you just created.
  • Click Assign People on the page, then select the users to add by clicking the + button on the right.

Back in the Mosaic SAML page:

  1. In Mosaic's SAML 2.0 Single Sign On menu, fill in:
  • SSO URL:
    • The Sign on URL recorded from Okta's Sign On tab.
  • Certificate:
    • The full content of the certificate downloaded from Okta's SAML Signing Certificates section.
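The Sign on URL and signing certificate copied above by hand are also published by Okta as a SAML 2.0 IdP metadata document for the app. Parsing that document is a good way to double-check the two values before pasting them into Mosaic, because a certificate that was truncated or re-wrapped in the clipboard only fails at the first user's login. The script below is an added example, not Mosaic's or Okta's own code. SAMPLE_METADATA is a constructed metadata document: its certificate body is a base64-encoded placeholder rather than a real X.509 object, and the Okta URLs and IDs in it are stand-ins. Note that the entityID in IdP metadata is Okta's identifier, not the Mosaic Entity ID you entered in Okta's Audience URI field.

```python
"""Extract the SSO URL and signing certificate from Okta SAML IdP metadata.

Added example, not Mosaic's or Okta's code. Uses only the standard library.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder standing in for DER certificate bytes (not a real certificate).
_PLACEHOLDER_DER = b"placeholder certificate DER, not a real X.509 object"
_PLACEHOLDER_B64 = base64.b64encode(_PLACEHOLDER_DER).decode()

# Constructed sample in the shape of Okta IdP metadata; URLs and IDs are stand-ins.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            {_PLACEHOLDER_B64}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example_mosaic_1/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example_mosaic_1/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Return the IdP entityID, the HTTP-POST SSO URL and every signing cert (base64 DER)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:  # the binding Mosaic's SSO URL field is used with
            sso_url = svc.get("Location")
    if not sso_url:
        raise ValueError("no SingleSignOnService with the HTTP-POST binding")

    certs: List[str] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            certs.append("".join(node.text.split()))  # strip pretty-printing whitespace
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {"idp_entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


def cert_der(cert_b64: str) -> bytes:
    """Decode strictly, so a truncated or mangled certificate fails here, not at first login."""
    return base64.b64decode(cert_b64, validate=True)


def to_pem(cert_b64: str) -> str:
    """Re-wrap the base64 body as PEM text, the same form as the downloaded certificate file."""
    cert_der(cert_b64)  # validate before wrapping
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(cert_b64: str) -> str:
    """Hex SHA-256 of the DER bytes; matches `openssl x509 -noout -fingerprint -sha256`
    on the downloaded file, apart from the colons and letter case openssl prints."""
    return hashlib.sha256(cert_der(cert_b64)).hexdigest()


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("SSO URL for Mosaic:", info["sso_url"])
    for cert in info["signing_certs"]:
        print("signing cert sha256:", sha256_fingerprint(cert))
        print(to_pem(cert))
```

If the metadata lists more than one signing certificate, Okta is mid-rotation; the fingerprint lets you confirm which one matches the file you downloaded from the Sign On tab before you paste it into Mosaic.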

Add Domain and Security Group on Mosaic page

  1. Click +Add Domain to select the domain for the SAML setup. This is the email domain of the users who sign in through Okta; for example, an address such as name@thisisdomain.com has the domain thisisdomain.com.

🚧

Please Note:

The email address of the admin setting up SAML must belong to the same domain as the one being entered.

  • For example, if the admin's email is name@thisisdomain.com, the only domain the admin can enter is thisisdomain.com.

📘

Both Verified and Unverified domains are displayed in the list. However, only Verified domains can be selected. Domains that are already added will appear greyed out.

  2. Configure the Security Group under the domain. Enter the Okta group name in the Security Group ID field (it must match the group created in Okta exactly) and choose the desired access level from the dropdown menu. Optional: select Include accounts without a security group to allow accounts that belong to no Security Group to log in while keeping their current access level.
  3. Click Done at the top once all configuration is completed.
  • Upon successful activation, the SAML 2.0 Single Sign On panel displays the configured options.

The next time a user whose email address belongs to the specified domain logs in to Mosaic, they are redirected to authenticate with Okta as soon as they click Next after entering their email.

  • If Okta prompts for Okta Verify enrollment, follow the on-screen prompts to install the Okta Verify app on your mobile device, then scan the displayed QR code to link your account.