Configuring an Okta Instance
Use the following settings when configuring the PayNearMe application on your Okta instance. Okta uses these settings to generate the SAML certificate and metadata for your site.
Sandbox vs. Production
The settings below are for the sandbox environment. You will need to generate a new certificate for the production environment.
General Settings
Setting | Sandbox Value |
---|---|
Single Sign-On URL | https://pro.paynearme-sandbox.com/users/saml/auth |
Recipient URL | https://pro.paynearme-sandbox.com/users/saml/auth |
Destination URL | https://pro.paynearme-sandbox.com/users/saml/auth |
Audience Restriction | https://pro.paynearme-sandbox.com/users/saml/metadata |
Default Relay State | https://pro.paynearme-sandbox.com/ |
Name ID Format | EmailAddress |
Response | Signed |
Assertion Signature | Signed |
Signature Algorithm | RSA_SHA256 |
Digest Algorithm | SHA256 |
Assertion Encryption | Unencrypted |
SAML Single Logout | Disabled |
SAML Signed Request | Disabled |
authnContextClassRef | PasswordProtectedTransport |
Honor Force Authentication | Yes |
Assertion Inline Hook | None (disabled) |
SAML Issuer ID | http://www.okta.com/${org.externalKey} |
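The rows above are the values PayNearMe's service provider checks inside each SAML Response Okta sends. The following is an added example, not PayNearMe or Okta code, that maps each row to the Response element or attribute carrying it and checks a constructed, unsigned sample Response against the sandbox values. The Response text, the issuer http://www.okta.com/exkEXAMPLE, the user data and the alternative SP address https://other-sp.example/... are all made up for the example. A real SP verifies the XML signatures on the Response and Assertion (both Signed above) and the validity window first; the field checks shown here are what stop an assertion issued for a different SP from being accepted.

```python
"""Field checks an SP applies to an Okta SAML Response, mapped to the rows of
the General Settings table above (sandbox values).

Added example, not PayNearMe or Okta code. The Response is a constructed,
minimal, unsigned sample; a real SP verifies the XML signatures on the
Response and Assertion first and only then applies checks like these.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Table rows in the form they take inside the Response. The Single Sign-On
# URL is the endpoint Okta POSTs to and does not appear in the XML itself.
SETTINGS = {
    "destination_url": "https://pro.paynearme-sandbox.com/users/saml/auth",   # Response/@Destination
    "recipient_url": "https://pro.paynearme-sandbox.com/users/saml/auth",     # SubjectConfirmationData/@Recipient
    "audience": "https://pro.paynearme-sandbox.com/users/saml/metadata",      # AudienceRestriction/Audience
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",  # NameID/@Format (EmailAddress)
    "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "site": "S9777824017",                                                    # site attribute statement
}
ISSUER = "http://www.okta.com/exkEXAMPLE"  # made-up issuer for the sample


def build_response(audience=SETTINGS["audience"], destination=SETTINGS["destination_url"],
                   recipient=SETTINGS["recipient_url"], site=SETTINGS["site"]):
    """Constructed sample Response. The parameters let a caller produce one
    that was issued for a different SP, as a cross-tenant replay would be."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{SETTINGS['name_id_format']}">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{SETTINGS['authn_context']}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="site"><saml:AttributeValue>{site}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user_type"><saml:AttributeValue>agent</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attributes(assertion):
    """Flatten the AttributeStatement into {Name: first AttributeValue}."""
    return {
        a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }


def check_response(xml_text, settings=SETTINGS):
    """Return the names of the table rows the Response violates; an empty
    list means every checked field matches the configuration."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no plaintext Assertion (encrypted or missing)")
    confirmation = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    checks = [
        ("Destination URL", root.get("Destination"), settings["destination_url"]),
        ("Recipient URL", confirmation.get("Recipient"), settings["recipient_url"]),
        ("Audience Restriction",
         assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
         settings["audience"]),
        ("Name ID Format", name_id.get("Format"), settings["name_id_format"]),
        ("authnContextClassRef",
         assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                            namespaces=NS),
         settings["authn_context"]),
        ("site attribute", attributes(assertion).get("site"), settings["site"]),
    ]
    return [row for row, actual, expected in checks if actual != expected]


if __name__ == "__main__":
    print("sandbox response:", check_response(build_response()) or "all rows match")
    # An assertion issued for another SP fails the audience check even though
    # it is otherwise well-formed: that check is what keeps it out.
    print("other SP's assertion:",
          check_response(build_response(audience="https://other-sp.example/users/saml/metadata")))
```

Run as a script, the sandbox Response passes every row and the Response built for the other SP is rejected on Audience Restriction alone; because the sandbox and production sites have different SP entity IDs, the same check is what keeps a sandbox assertion from logging a user into production.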
Attribute Statements
Name | Name Format | Value |
---|---|---|
first_name | Basic | user.firstName |
last_name | Basic | user.lastName |
site | Basic | S9777824017 |
user_type | Basic | user.userType |
Generating Connection Values
After you generate the SAML certificate and metadata for your site in Okta and send them to PayNearMe, PayNearMe uses them to derive the Identity Provider Entity ID, the certificate fingerprint, and the SSO target URL for your configuration.
Parameter | Description | Example |
---|---|---|
IdP Entity ID | An Identity Provider (IdP) Entity ID is a globally unique name for a SAML entity (i.e., your Identity Provider (IdP) or Service Provider (SP)). It is how other services identify your entity. Typically, this is an absolute URL. This value should be part of the metadata file presented and/or provided to PayNearMe. | entityID="http://www.okta.com/exkr65l0x9g4UPsAT357" entityID="https://sts.windows.net/71746222-2484-428d-b5d0-732100c32f47/" |
SP Entity ID | The SP Entity ID is PayNearMe's name for this SSO configuration. In general SAML terms, an SP entity ID is typically the URL where the service provider publishes its metadata, including the public certificate that verifies the signature on authentication requests the SP itself initiates (not used here, since SAML Signed Request is Disabled above). For a PayNearMe configuration the ID is built from the business name, environment, and type of SSO configuration. | BusinessName-Environment-ssoType toysrus-production-okta |
IdP Cert Fingerprint | The Identity Provider (IdP) certificate fingerprint is a hash of the certificate whose public key the IdP uses to sign the SAML messages it sends. It is exchanged out-of-band between the sender and the receiver and configured on the receiving end, where it pins the expected signing certificate; if the IdP rotates its certificate, the fingerprint must be updated or signature verification will fail. In most cases a client supplies PayNearMe with an X.509 certificate inside a metadata file (the base64 text of the <X509Certificate> element, for example MIIC8DCCAdigAwIBA….r61ShvRg), which then needs to be converted into a fingerprint. | B1:5F:6B:40:D7:07:03:D8:63:BD:B3:52:FD:E1:5C:1C:78:EC:0B:5D:D2:46:B4:36:E7:2A:01:4D:C7:34:9F:83 |
IdP Cert Fingerprint Algorithm | The hash algorithm used to compute the IdP certificate fingerprint above, given as an XML Signature algorithm URI. The stored fingerprint and this algorithm must agree: a fingerprint computed with SHA-1 (20 bytes) will never match when the configured algorithm is SHA-256 (32 bytes). This setting identifies only the fingerprint's digest; the algorithms Okta uses to sign the Response and Assertion are set separately (Signature Algorithm and Digest Algorithm under General Settings above). | http://www.w3.org/2000/09/xmldsig#sha256 |
SSO Target URL | The identity provider portal URL where users will sign on. | https://oktapreview.com/app/paynearmedev_sandbox/exkiujss281pOa3ZT0h7/sso/saml |
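The table above describes deriving the IdP-side connection values from the metadata a customer sends. The following is an added example, not PayNearMe or Okta code, that performs that derivation: it pulls the entityID, the HTTP-POST SingleSignOnService location and the signing certificate out of an IdP metadata document, computes the colon-separated fingerprint in the format shown above, and checks a configured fingerprint against a certificate. The metadata document, the entity ID http://www.okta.com/exkEXAMPLE and the example.oktapreview.com URL are constructed, and the certificate bytes inside it are placeholder data rather than a real X.509 certificate; since the fingerprint is a hash of the base64-decoded DER bytes, the procedure is identical for a real one. The algorithm table in the code is the example's own mapping from the URI this page uses (and its SHA-1 counterpart) to a hash name.

```python
"""Derive the connection values (IdP Entity ID, SSO target URL, certificate
fingerprint) from IdP metadata, the step described above.

Added example, not PayNearMe or Okta code. The metadata is constructed and
the certificate bytes in it are placeholder data, not a real X.509
certificate; the fingerprint is a hash of the base64-decoded DER bytes, so
the procedure is unchanged for a real one.
"""
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Algorithm URI (the form this page uses) -> hash that computes the fingerprint.
FINGERPRINT_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2000/09/xmldsig#sha256": "sha256",
}
SHA256_URI = "http://www.w3.org/2000/09/xmldsig#sha256"

# Constructed stand-in for DER certificate bytes (not a parseable certificate).
FAKE_DER = bytes(range(256)) * 2

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{base64.encodebytes(FAKE_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.oktapreview.com/app/example/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.oktapreview.com/app/example/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs_der(metadata_xml):
    """Return the DER bytes of every signing certificate in the IdP metadata.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" keys never sign
    assertions and are skipped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = re.sub(r"\s+", "", cert.text or "")  # metadata wraps the base64 text
            certs.append(base64.b64decode(b64, validate=True))
    return certs


def fingerprint(der_bytes, algorithm_uri=SHA256_URI):
    """Colon-separated uppercase hex digest of the DER bytes, the format shown
    in the table above."""
    digest = hashlib.new(FINGERPRINT_ALGORITHMS[algorithm_uri], der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def fingerprint_matches(der_bytes, expected, algorithm_uri=SHA256_URI):
    """Compare a configured fingerprint against a certificate in constant time,
    tolerating the colon/space/case variations different tools emit."""
    def normalize(fp):
        return fp.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(normalize(fingerprint(der_bytes, algorithm_uri)),
                               normalize(expected))


def connection_values(metadata_xml, algorithm_uri=SHA256_URI):
    """Build the IdP-side values from the table above out of the metadata."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    if sso is None:
        raise ValueError("metadata has no HTTP-POST SingleSignOnService")
    certs = signing_certs_der(metadata_xml)
    if len(certs) != 1:
        # Several signing certificates (e.g. mid-rotation) must be chosen
        # deliberately rather than silently pinning the first one found.
        raise ValueError(f"expected exactly one signing certificate, found {len(certs)}")
    return {
        "idp_entity_id": root.get("entityID"),
        "sso_target_url": sso.get("Location"),
        "idp_cert_fingerprint": fingerprint(certs[0], algorithm_uri),
        "idp_cert_fingerprint_algorithm": algorithm_uri,
    }


if __name__ == "__main__":
    for key, value in connection_values(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The fingerprint the receiving side stores must be computed with the same hash it configures as the fingerprint algorithm: fingerprint_matches with a SHA-1 fingerprint against the SHA-256 URI fails, which is the mismatch to look for when a freshly configured IdP is rejected with a valid certificate.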