Configuring Okta SSO for MadKudu

You can use Okta as your identity provider to authenticate users to MadKudu. MadKudu supports SAML SSO initiated by both Okta (identity provider) and MadKudu (service provider).

Prerequisites

• You have a MadKudu account with Admin permissions

• You have your MadKudu tenant number 

• Your company has an existing Okta account to set up SAML SSO

• You have Admin permissions for your company's Okta account

Overview

Single sign-on allows you to log in to your company's MadKudu account using your Okta company credentials. A connection is made between Okta, the identity provider (idP), and MadKudu, the service provider (SP), to allow users to directly connect to their MadKudu account.

Once you configured your company Okta account with MadKudu, you can follow these instructions to manage users.

1. Add the MadKudu custom app to Okta

1. In the Okta console, go to Applications.

2. Click Create App Application. 

    

3. Select SAML 2.0 and click Next

   

4. This will take you to the General Settings page.

   • App Name: MadKudu

   • App logo: Grab the one from our website in google images 

     

   • App visibility: unchecked 

5. Click Next. This will take you to the Configure SAML page.

   • Single sign-on URL: https://bongo.madkudu.com/v1/login/saml/XXXX, where XXXX is your tenant number. When you connect to app.madkudu.com you can see the tenant number in the URL 

       

   • Check Use this for Recipient URL and Destination URL

   • Audience URI (SP Entity ID): https://bongo.madkudu.com/v1/login/saml/XXXX, where XXXX is your tenant number which can be provided to you by our support team if you submit a support ticket.

   • Default RelayState: Leave blank.

   • Name ID Format: Select EmailAddress.

   • Application username: Select Okta username.

   • Click Show Advanced Settings.

     
     

   • Response: Choose Signed.

   • Assertion Signature: Choose Unsigned.

   • Signature Algorithm: Choose RSA-SHA256.

   • Digest Algorithm: Choose SHA256.

   • Assertion Encryption: Leave as Unencrypted.

   • Signature Certificate: Download the certificate and upload it:

     certificate_okta_madkudu_2024_2027

     1.42 KB

     
     If you are unable to download the certificate, copy paste the text below in a text or code editor and "Save as" with a .pem extension: 
     

     -----BEGIN CERTIFICATE-----
     MIIEBDCCAuygAwIBAgIUewpr2QmqAeKzZfYm/M1opYe+IcYwDQYJKoZIhvcNAQEL
     BQAwGjELMAkGA1UEBhMCRlIxCzAJBgNVBAMMAkNBMB4XDTI0MTEwNTEyNDYxNFoX
     DTI3MTEwNTEyNDYxNFowGjELMAkGA1UEBhMCRlIxCzAJBgNVBAMMAkNBMIICIjAN
     BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx9/B8s8rLqIl1zRHIwW30JsQ0GPs
     hzlrSpmcocPxODmHtyeBbloz4jpxmZNV/NSalFV45lqtd0a9VuGgoZB85yoH739f
     gVCsYLSgYc27GzIJZZNu488EebaIR8mVxaaArPW5L9QuUQuqP87T7uPuPt4xXwaR
     Hk4rSshPorEl3lp5PyueqSKWecLp+rAgDdIn2SlvZm+FR9kF/Iodml6CNq7nD+dP
     FAYPKRGRJI8ZOMaVKBDBAh/oG6sXzA96JHSQbkEpK2YtiPskh8ePeRjHt91uFKdN
     T2S/qFst6AHkQsR/Cpv5XsTggLOQCcDrpevbjgaBDUeV1uyy9DzK6a+5LBaC2cxt
     eCNBWXn+pUSOboL3Jo4j4ILk62tcBMVZE+CLpvz92mQ/oMaIA2BRW9A3mG3d6mu7
     p5kk+O92KBZLX9Xf64cEpP4AEcWQuuaeOizIf4aXFjXB32JC+Dgo9XZS84p+whBJ
     Yz5S9udBDf9hQmBinJwJy0XR5PJLFSAf6TwocgTFDQt5/6GNKVKkHCTIjURtRztu
     j6x2sXQ6iItjUEqLkGpzFnmlogaLFgTmOJ+Zv2IgrvUyoAcEgC3TA9RveCXDQoPr
     P29qWFLHYQyJs8A4hCtCFyHW4IXu1pAFsKCrcEJoM/sI0Hr+K6mg6fV4iP4IUnsw
     0XgYuPzrpfeF9yECAwEAAaNCMEAwHQYDVR0OBBYEFCEHOnw0z/kWnJv1IffTbWLM
     B/AAMB8GA1UdIwQYMBaAFDKxAqjS6RbEUSYdj3I5TIctJc62MA0GCSqGSIb3DQEB
     CwUAA4IBAQBsfjFO/gqhuusdphkxtXxvZYXgUFRFZ8KeDoFd0nkM2JbefonpBGTS
     RHkOWZSn3tRhcJHTaRmnmoXyLxo3rflH73B8fkmCL51ON7ZbusGO94ph2uobI4mP
     DQGQsUo8TUP46DQrSxiwK1e6ENXqCJn2mo4MsuM6ooimdx+JmVd3NcFlV/Y0p7Nh
     pw46Le9JREQjIW6XnLOeHBzzg3FKOCyUgAboaAwRUC69Qpm3NhZQtBnvWOALHnXp
     zT+PaEpIrwNIhaB7EoqMFIOdPSP6xU9ToeXmasvFEKIVtdDwUtAfA6fWnc7ygpmB
     leKuK5z6Z4Um+vNyMwryedON6nEhewXH
     -----END CERTIFICATE-----

     Undefined

     Copy

   • Enable Single Logout: Leave unchecked.

   • Signed Requests: check

   • Authentication context class: Choose PasswordProtectedTransport.

   • Honor Force Authentication: Choose Yes.

   • SAML Issuer ID: Leave blank.

   • No need to configure the attribute and group attribute statements 
     

   • Preview the SAML Assertion: You can click to preview the SAML assertion.

    

6. Click Next.

7. This will take you to the Okta feedback page. Enter your feedback if desired and click Next.

2. Set up Okta in the MadKudu app

Now that you have set up MadKudu in Okta, you will need to set up Okta in MadKudu for the two applications to create a trusted relationship with each other to allow communication.

You will need to provide MadKudu the Okta's Identity Provider URL automatically generated in Okta following these instructions.

In Okta

1. In Okta Console, go to Applications.

2. Click on the MadKudu app you have just created.

3. Click the Sign On tab.

   • Click View Setup Instructions to review Okta setup instructions to configure SAML 2.0 for MadKudu.

   • Keep this page open, you'll need to copy the URLs and certificate and paste them in MadKudu App.
      

In MadKudu

1. Open a new page to go to MadKudu App (app.madkudu.com),

2. Go to Settings

3. Click on the Authentication tab

4. Select Okta in the Enforce SSO picklist

5. Paste in the form the

   • Identity Provider Single Sign-On URL

   • Identity Provider Issuer

   • X.509 Certificate

6. Click Save

Nice! Now MadKudu will be able to recognize your Okta account. 

Now you need to assign users to the MadKudu app both in Okta and in MadKudu. Please follow both steps here