dotCMS SAML + Okta documentation for the dotCMS Content Management System

Below is an example of how to configure dotCMS to authenticate and authorize dotCMS users with Okta using SAML. It requires a number of custom attributes to be set in order to connect to Okta, authenticate users, and sync roles from Okta to dotCMS.

Example Custom Attributes Required for dotCMS and Okta SAML

Below is a list of custom attributes from a working Okta installation. Values containing “clientDomain” should obviously be replaced with the correct values for the Okta endpoint and the dotCMS server location. If you are cutting and pasting, please make sure not to include leading or trailing spaces in the values.

Key                            Value
attribute.email.name           email
attribute.firstname.name       firstName
attribute.lastname.name        lastName
logout.okta.url                https://clientDomain.okta.com/login/signout
logout.protocol.binding        Http-Okta
logout.service.endpoint.url    https://clientDomain.com/dotAdmin/show-logout
nameidpolicy.format            urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
protocol.binding               urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT
remove.roles.prefix            iam_dotcms_
renew.session                  false
verify.signature.credentials   false

Configuring dotCMS with Okta / SAML

Example IDP Metadata file

A redacted example metadata file for Okta

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/clientIdNumber">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://clientDomain.okta.com/app/clientDomain_appId_1/clientIdNumber/slo/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://clientDomain.okta.com/app/clientDomain_appId_1/clientIdNumber/slo/saml"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://clientDomain.okta.com/app/clientDomain_appId_1/clientIdNumber/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://clientDomain.okta.com/app/clientDomain_appId_1/clientIdNumber/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>