Configuring Okta with SAML 2.0 SSO on HCL Discover

To upgrade to 12.2.2, perform the following prerequisite steps:

Prerequisite Installers

Procedure

  1. Install hosting bundle (use version 6.0.31, for example dotnet-hosting-6.0.31-win.exe)
  2. Install .NET Desktop Runtime (use same version 6.0.31)

Prerequisite Steps

Procedure

  1. Create the Server Certificate for IIS, if not available already.
  2. Use the following PowerShell command to create the certificate. The DnsName must be the host name users will use to reach the Portal; the same name goes into the HTTPS URLs later in this procedure.
    Example: New-SelfSignedCertificate -DnsName XXX.domain.com -CertStoreLocation cert:\LocalMachine\My
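The certificate step above, carried through to the IIS HTTPS binding, as an added PowerShell example that is not part of the HCL Discover documentation. The host name and the IIS site name are assumptions; replace them with your own values.

```powershell
# Added example, not from the HCL Discover documentation: create the IIS server certificate
# and bind it to HTTPS on port 443. The host name and site name below are assumptions.
Import-Module WebAdministration

$HostName = 'XXX.domain.com'     # the DNS name users browse to; reused in the HTTPS URLs in appsettings.json
$SiteName = 'Default Web Site'   # assumed IIS site that hosts Portal, PortalAPI and PortalV1

# Reuse an unexpired certificate for this name if one already exists, otherwise create one
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation Cert:\LocalMachine\My
}

# Make sure the site has an HTTPS binding on 443, then attach the certificate to it
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
(Get-WebBinding -Name $SiteName -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

"Bound certificate $($cert.Thumbprint) (expires $($cert.NotAfter)) to https://${HostName}:443"
```

A self-signed certificate is enough for the SAML flow itself, because Okta never connects to the Portal directly; the browser posts the assertion to the AssertionConsumerService URL. Browsers will still warn about the self-signed certificate, so use a CA-issued certificate for the same host name in production.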

Changes on Portal after Upgrade

Procedure

  1. Appsettings changes
    1. Navigate to Discover <installed dir>\Portal\web\assets\data.
    2. Open appsettings.json file in a text editor.
    3. Replace {{localhost}} with the Portal server IP address or host name in the following lines. Use the same name that the IIS server certificate was issued for, otherwise browsers will reject the HTTPS connection:
      "prodUrl": "https://{{localhost}}/PortalAPI/api/",
      "prodV1Url": "https://{{localhost}}/PortalV1/",
      Note: Only HTTPS URLs will work.
    4. To use SAML
      1. In the following section, set Enabled to true.
        "AuthConfig": {
        	"AuthenticationSchemes": {
        		"SAML2": {
        			"Name": "SAML2",
        			"Enabled": false,
        			"SSOUrl": "{{API_BASE_URL}}Login/SAMLLogin",
        			"SSOLogoutUrl": "",
        			"SSOCertificate": "",
        			"SSOEntityId": "",
        			"SSONameIdFormat": "",
        			"SSONameIdAttribute": ""
      2. Create a SAML application in Okta with the following mandatory values:
        • Single sign-on URL: the prodUrl from appsettings.json followed by Login/AssertionConsumerService, with the real host in place of {{localhost}}. For example, https://{{localhost}}/PortalAPI/api/Login/AssertionConsumerService.
        • Audience URI (SP Entity ID): it is recommended to use the application name. For example, CompanyProd.
        • Issuer: must be the same value as the Audience URI. For example, CompanyProd. The same value is entered as Issuer in the Portal API appsettings.json below.
      3. Navigate to Discover <installed dir>\Portal\api.
        1. Open appsettings.json file in a text editor.
        2. Update IdPMetadata and Issuer in the following section as per your configuration:
          "Saml2": {
          	"IdPMetadata":"https://dev-44239760.okta.com/app/exkoiay91pI6zS7I35d7/sso/saml/metadata",
          	"Issuer":"CompanyProd",
          	"SignatureAlgorithm":"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
          	"CertificateValidationMode":"ChainTrust",
          	"RevocationMode":"NoCheck",
          	"LoginId":"email"
          }

          where,

          IdPMetadata: is the metadata URL that Okta generates for the SAML application. The Portal API reads the IdP signing certificate and endpoints from it.

          Issuer: is the Audience URI / Issuer value configured in Okta (the application name, if you followed the recommendation above).

          CertificateValidationMode and RevocationMode control how the IdP signing certificate from the metadata is validated; RevocationMode NoCheck skips CRL/OCSP revocation checking for that certificate.

        3. If the following configuration does not exist, copy it into the file. If it already exists, ensure that Enabled is set to true for SAML2 (leave NT disabled, as shown):
          
          "AuthConfig": 
          {
          	"AuthenticationSchemes": 
          	{
          		"SAML2": 
          		{
          			"Name": "SAML2",
          			"Enabled": true,
          			"SSOUrl": "{{API_BASE_URL}}Login/SAMLLogin",
          			"SSOLogoutUrl": "",
          			"SSOCertificate": "",
          			"SSOEntityId": "",
          			"SSONameIdFormat": "",
          			"SSONameIdAttribute": ""
          		},
          		"NT": 
          		{
          			"Name": "NT",
          			"Enabled": false
          		}
          	}
          }
  2. Web.config file changes:
    1. Navigate to Discover <installed dir>\Portal\WebApp.
    2. Open web.config file in a text editor.
      1. Under the <appSettings> section, add the following lines (replace Portal_ip with the Portal server IP address or host name used in appsettings.json):
        <add key="owin:AutomaticAppStartup" value="false" />
        <add key="BaseUrl" value="https://Portal_ip/Portalapi/api/" />
      2. Under <customHeaders>, in the Content-Security-Policy tag, add the Portal server to frame-ancestors as shown in the following example (note the space after &#39;self&#39;; without it the sources run together and the directive is not parsed as intended):
        <add name="Content-Security-Policy" value="frame-ancestors &#39;self&#39; https://Portal_ip https://localhost;" />
      3. Comment out the following sections:
        • Section 1
          <!-- Authentication settings -->
          	<!-- <authentication mode="Forms"> -->
          	<!-- <forms loginUrl="Default.aspx" protection="All" name="TLAuthCookie" path="/" slidingExpiration="true"/> -->
          	<!-- </authentication> -->
        • Section 2
          <!-- <authorization> -->
          	<!-- <deny users="?" /> -->
          	<!-- </authorization> -->
        • Section 3
          <!-- <add name="Clear-Site-Data" value="&quot;storage&quot;" /> -->
  3. Confirm that the AppPool settings are as shown in the following example. If not, manually change as shown in the following example:
    1. Portal with PortalWebAppPool
    2. PortalAPI with PortalAPIAppPool
    3. PortalV1 with DefaultAppPool
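The three post-upgrade steps above (appsettings.json for the web and API parts, web.config, and the AppPool check), applied as one PowerShell script. This is an added example, not code shipped with HCL Discover or taken from this documentation. The install directory, host name, IIS site name and Okta values are assumptions; the Okta metadata URL is a placeholder. The script also fetches the Okta metadata and refuses to write it into the configuration if it contains no signing certificate, a check the page does not describe.

```powershell
# Added example, not from the HCL Discover documentation: applies the post-upgrade Portal
# changes (appsettings.json, web.config, AppPool check) as one script.
# Everything below is an assumption: install directory, host name, site name and Okta values.
Import-Module WebAdministration

$InstallDir  = 'C:\HCL\Discover'          # assumed install directory
$PortalHost  = 'portal.example.com'       # assumed; must match the IIS certificate's DnsName
$SiteName    = 'Default Web Site'         # assumed IIS site hosting Portal, PortalAPI and PortalV1
$IdPMetadata = 'https://dev-XXXX.okta.com/app/XXXX/sso/saml/metadata'  # placeholder Okta metadata URL
$Issuer      = 'CompanyProd'              # Audience URI / Issuer configured in Okta

function Write-Json([string]$Path, $Object) {
    Copy-Item $Path "$Path.bak" -Force    # keep a backup; ConvertTo-Json reflows the file
    $Object | ConvertTo-Json -Depth 20 | Set-Content -Path $Path -Encoding UTF8
}

# --- 1a. Portal\web\assets\data\appsettings.json ---
$webPath = Join-Path $InstallDir 'Portal\web\assets\data\appsettings.json'
$raw = (Get-Content $webPath -Raw -Encoding UTF8) -replace '\{\{localhost\}\}', $PortalHost
$web = $raw | ConvertFrom-Json
foreach ($key in 'prodUrl', 'prodV1Url') {   # only HTTPS URLs work
    if ($web.$key -notmatch '^https://') { throw "$key must be an HTTPS URL, got '$($web.$key)'" }
}
$web.AuthConfig.AuthenticationSchemes.SAML2.Enabled = $true
Write-Json $webPath $web

# --- 1b. Portal\api\appsettings.json ---
# Sanity-check the Okta metadata before writing its URL into the config
$md = [xml](Invoke-WebRequest -Uri $IdPMetadata -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
if (-not $md.SelectSingleNode('//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)) {
    throw "No signing certificate found in IdP metadata at $IdPMetadata"
}

$apiPath = Join-Path $InstallDir 'Portal\api\appsettings.json'
$api = Get-Content $apiPath -Raw -Encoding UTF8 | ConvertFrom-Json
$api.Saml2.IdPMetadata = $IdPMetadata
$api.Saml2.Issuer      = $Issuer
if ($api.PSObject.Properties['AuthConfig']) {
    $api.AuthConfig.AuthenticationSchemes.SAML2.Enabled = $true
} else {
    # Section absent: add it with the values the documentation shows
    $api | Add-Member -NotePropertyName AuthConfig -NotePropertyValue ([pscustomobject]@{
        AuthenticationSchemes = [pscustomobject]@{
            SAML2 = [pscustomobject]@{ Name = 'SAML2'; Enabled = $true
                                       SSOUrl = '{{API_BASE_URL}}Login/SAMLLogin'; SSOLogoutUrl = ''
                                       SSOCertificate = ''; SSOEntityId = ''
                                       SSONameIdFormat = ''; SSONameIdAttribute = '' }
            NT    = [pscustomobject]@{ Name = 'NT'; Enabled = $false }
        }
    })
}
Write-Json $apiPath $api

# --- 2. Portal\WebApp\web.config ---
$cfgPath = Join-Path $InstallDir 'Portal\WebApp\web.config'
Copy-Item $cfgPath "$cfgPath.bak" -Force
$cfg = [xml](Get-Content $cfgPath -Raw -Encoding UTF8)

function Set-AppSetting([xml]$Doc, [string]$Key, [string]$Value) {
    $node = $Doc.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) {
        $node = $Doc.CreateElement('add'); $node.SetAttribute('key', $Key)
        $Doc.SelectSingleNode('/configuration/appSettings').AppendChild($node) | Out-Null
    }
    $node.SetAttribute('value', $Value)
}
Set-AppSetting $cfg 'owin:AutomaticAppStartup' 'false'
Set-AppSetting $cfg 'BaseUrl' "https://$PortalHost/PortalAPI/api/"

# frame-ancestors: only the Portal host (and localhost for local testing) may frame the app
$csp = $cfg.SelectSingleNode("//customHeaders/add[@name='Content-Security-Policy']")
if ($csp) { $csp.SetAttribute('value', "frame-ancestors 'self' https://$PortalHost https://localhost;") }

# Wrap a node in an XML comment so it is disabled but stays visible in the file
function Disable-Node([xml]$Doc, [string]$XPath) {
    $node = $Doc.SelectSingleNode($XPath)
    if ($node) { $node.ParentNode.ReplaceChild($Doc.CreateComment(" $($node.OuterXml) "), $node) | Out-Null }
}
Disable-Node $cfg "//authentication[@mode='Forms']"
Disable-Node $cfg "//authorization[deny/@users='?']"
Disable-Node $cfg "//customHeaders/add[@name='Clear-Site-Data']"
$cfg.Save($cfgPath)

# --- 3. AppPool check ---
$expected = @{ 'Portal' = 'PortalWebAppPool'; 'PortalAPI' = 'PortalAPIAppPool'; 'PortalV1' = 'DefaultAppPool' }
foreach ($name in $expected.Keys) {
    $app = Get-WebApplication -Site $SiteName -Name $name
    if (-not $app) { Write-Warning "Application '$name' not found under site '$SiteName'"; continue }
    if ($app.applicationPool -ne $expected[$name]) {
        Write-Warning "$name runs in '$($app.applicationPool)', expected '$($expected[$name])'; fixing"
        Set-ItemProperty "IIS:\Sites\$SiteName\$name" -Name applicationPool -Value $expected[$name]
    }
}
```

Run the script in an elevated PowerShell session on the Portal server after the 12.2.2 upgrade. Both JSON files and web.config are backed up with a .bak suffix before they are rewritten, and the Forms authentication, authorization and Clear-Site-Data elements are turned into XML comments rather than deleted, matching what the manual steps above produce. The XPath expressions match the elements exactly as the page shows them (authentication with mode="Forms", authorization containing deny users="?"), so they do not touch an IIS-level authorization element under system.webServer.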