Configuring Okta with SAML 2.0 SSO on HCL Discover

To upgrade to 12.2.0, perform the following prerequisite steps:

Prerequisite Installers

Procedure

  1. Install the .NET hosting bundle (use version 6.0.31, for example dotnet-hosting-6.0.31-win.exe)
  2. Install .NET Desktop Runtime (use same version 6.0.31)

Prerequisite Steps

Procedure

  1. Create the server certificate for IIS, if one is not available already.
  2. Use the following PowerShell command to create the certificate.
    Example: New-SelfSignedCertificate -DnsName XXX.domain.com -CertStoreLocation cert:\LocalMachine\My

Changes on Portal after Upgrade

Procedure

  1. Appsettings changes
    1. Navigate to Discover <installed dir>\Portal\web\assets\data.
    2. Open appsettings.json file in a text editor.
    3. Replace {{localhost}} with Portal server IP in the following lines:
      "prodUrl": "https://{{localhost}}/PortalAPI/api/",
      "prodV1Url": "https://{{localhost}}/PortalV1/",
      Note: Only HTTPS URLs will work.
    4. To use SAML
      1. In the following section, set Enabled to true.
        "AuthConfig": {
        	"AuthenticationSchemes": {
        		"SAML2": {
        			"Name": "SAML2",
        			"Enabled": false,
        			"SSOUrl": "{{API_BASE_URL}}Login/SAMLLogin",
        			"SSOLogoutUrl": "",
        			"SSOCertificate": "",
        			"SSOEntityId": "",
        			"SSONameIdFormat": "",
        			"SSONameIdAttribute": ""
        		}
        	}
        }
      2. Create a SAML application on Okta with the following mandatory values:
        • SSO (Single Sign-on) URL: The prodUrl value from appsettings.json followed by Login/AssertionConsumerService. For example, https://{{localhost}}/PortalAPI/api/Login/AssertionConsumerService.
        • Audience URI: It is recommended to use the same value as the application name. For example, CompanyProd.
        • Issuer Value Configured: Must be the same value as the Audience URI value. For example, CompanyProd.
      3. Navigate to Discover <installed dir>\Portal\api.
        1. Open appsettings.json file in a text editor.
        2. Update IdPMetadata and Issuer in the following section as per your configuration:
          "Saml2": {
          	"IdPMetadata":"https://dev-44239760.okta.com/app/exkoiay91pI6zS7I35d7/sso/saml/metadata",
          	"Issuer":"CompanyProd",
          	"SignatureAlgorithm":"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
          	"CertificateValidationMode":"ChainTrust",
          	"RevocationMode":"NoCheck",
          	"LoginId":"email"
          }
  2. Web.config file changes:
    1. Navigate to Discover <installed dir>\Portal\WebApp.
    2. Open web.config file in a text editor.
      1. Under the <appSettings> section, add the following lines:
        <add key="owin:AutomaticAppStartup" value="false" />
        <add key="BaseUrl" value="https://Portal_ip/Portalapi/api/" />
      2. Under <customHeaders>, add the Portal server host to the frame-ancestors directive of the Content-Security-Policy tag, as shown in the following example (note the space between 'self' and the host):
        <add name="Content-Security-Policy" value="frame-ancestors &#39;self&#39; https://Portal_ip https://localhost;" />
      3. Comment out the following sections:
        • Section 1
          <!-- Authentication settings -->
          	<!-- <authentication mode="Forms"> -->
          	<!-- <forms loginUrl="Default.aspx" protection="All" name="TLAuthCookie" path="/" slidingExpiration="true"/> -->
          	<!-- </authentication> -->
        • Section 2
          <!-- <authorization> -->
          	<!-- <deny users="?" /> -->
          	<!-- </authorization> -->
        • Section 3
          <!-- <add name="Clear-Site-Data" value="&quot;storage&quot;" /> -->
  3. Confirm that each application is assigned the AppPool shown in the following list. If not, change the assignment manually:
    1. Portal with PortalWebAppPool
    2. PortalAPI with PortalAPIAppPool
    3. PortalV1 with DefaultAppPool
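As an added check for the appsettings.json edits in step 1 (not part of the HCL Discover documentation or product), the following script validates both edited files and derives the Okta Single Sign-on URL. The host names and the Okta application path in the sample inputs are constructed placeholders.

```python
import json

# Constructed sample inputs standing in for the two edited files (hypothetical values):
WEB_JSON = '''{
  "prodUrl": "https://portal.example.com/PortalAPI/api/",
  "prodV1Url": "https://portal.example.com/PortalV1/",
  "AuthConfig": {"AuthenticationSchemes": {"SAML2": {"Name": "SAML2", "Enabled": true,
    "SSOUrl": "{{API_BASE_URL}}Login/SAMLLogin", "SSOLogoutUrl": "", "SSOCertificate": "",
    "SSOEntityId": "", "SSONameIdFormat": "", "SSONameIdAttribute": ""}}}}'''
API_JSON = '''{"Saml2": {
  "IdPMetadata": "https://example.okta.com/app/APP_ID_PLACEHOLDER/sso/saml/metadata",
  "Issuer": "CompanyProd",
  "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  "CertificateValidationMode": "ChainTrust", "RevocationMode": "NoCheck", "LoginId": "email"}}'''

def check_web_appsettings(text):
    """Problems in Portal\\web\\assets\\data\\appsettings.json after the edits above."""
    cfg = json.loads(text)
    problems = []
    for key in ("prodUrl", "prodV1Url"):
        url = cfg.get(key, "")
        if "{{localhost}}" in url:
            problems.append(f"{key}: {{{{localhost}}}} placeholder not replaced")
        if not url.startswith("https://"):
            problems.append(f"{key}: only HTTPS URLs will work")
    saml = cfg["AuthConfig"]["AuthenticationSchemes"]["SAML2"]
    if saml.get("Enabled") is not True:
        problems.append("SAML2.Enabled is not true")
    return problems

def check_api_appsettings(text, okta_audience):
    """Problems in Portal\\api\\appsettings.json; okta_audience is the Audience URI set in Okta."""
    saml = json.loads(text)["Saml2"]
    problems = []
    if not saml.get("IdPMetadata", "").startswith("https://"):
        problems.append("IdPMetadata must be an HTTPS metadata URL")
    if saml.get("Issuer") != okta_audience:
        problems.append("Issuer must equal the Okta Audience URI")
    if saml.get("RevocationMode") == "NoCheck":
        # The documented value skips revocation checks on the IdP signing certificate chain;
        # report it so that keeping it is a conscious decision.
        problems.append("warning: RevocationMode=NoCheck disables certificate revocation checks")
    return problems

def okta_sso_url(web_text):
    """Single Sign-on URL to enter in Okta: prodUrl followed by Login/AssertionConsumerService."""
    return json.loads(web_text)["prodUrl"] + "Login/AssertionConsumerService"

if __name__ == "__main__":
    print(check_web_appsettings(WEB_JSON), check_api_appsettings(API_JSON, "CompanyProd"))
    print(okta_sso_url(WEB_JSON))
```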