Hi Dojo,
When trying to set up external authentication using Okta on a production DMS, we ran into the following issue. When trying to log in to the DataMiner web UI, the following error is thrown.
Any idea where this is coming from or how to overcome?
Note that for the configuration, the steps as documented in the documentation section on Okta have been carefully followed.
Initially an issue occurred with Cube as well ("request invalid"), but after removing AutomaticUserCreation from the DataMiner.xml file, connecting with Cube using external Okta authentication was successful. But the issue with the not-allowed HTTP verb still remains when trying to log in to the web pages.
It was double checked that the Single Sign On and Recipient, Destination and Audience Restriction URLs were correctly configured on Okta and the EntityID in the okta-sp-metadata.xml matches the one from okta-ip-metadata.xml. And since Cube connection seems to work, it looks like the basic configuration is correct.
Any feedback is welcome to further troubleshoot this!
Thanks a lot.
Hi Koen,
I would start with checking again that the Assertion Consumer URLs in SPMetadata.xml and those configured on Okta match. A while ago a change was made that bundles the reply URLs so only /API/ needs to be present.
Secondly, Okta is only supported with the Automatic User creation. Are you sure you left the password box empty when logging in to cube? Only in this case is the SAML flow triggered.
A good way to troubleshoot SAML issues is to use Client Test Tool: when connecting, check the box "Debug SAML", select "explicit credentials" and leave the password box empty again (the username can be anything as long as it's not empty or "Administrator").
This should show a SAML Request and Response in separate windows. In the response you can check that the URL it is replying to is the correct one. (Look for a "Subject" tag; in "SubjectConfirmationData" you should see a "Recipient" attribute holding the URL to which the response is replying.)
A list of common issues and fixes is listed here: https://docs.dataminer.services/user-guide/Advanced_Functionality/Security/Advanced_security_configuration/Configuring_SAML/Troubleshooting_SAML_Issues.html
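As an added illustration of the check described above (this is example code written for this page, not part of DataMiner, Okta or the original answer), the script below takes the kind of SAML Response the "Debug SAML" window shows, pulls out the Destination, the SubjectConfirmationData Recipient and the Audience, and compares them against the entityID and AssertionConsumerService Location from the SP metadata. Both XML documents are constructed samples with placeholder hostnames (`dms.example.test`), and the sample Response is deliberately built with a Recipient/Destination that does not match the ACS URL so the mismatch report is visible; the script checks URLs only and does not verify the signature.

```python
"""Compare the URLs in a SAML Response with what the SP metadata expects.

Added example for this thread; not DataMiner or Okta code. The SP metadata
and Response below are constructed samples with placeholder hostnames.
Only Destination / Recipient / Audience are checked, not the XML signature,
so this is a configuration-troubleshooting aid rather than a validator.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata (simplified shape of an okta-sp-metadata.xml).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://dms.example.test/API/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dms.example.test/API/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned SAML Response; Destination and Recipient point at a
# path that is NOT the ACS URL, to show what a misconfiguration looks like.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://dms.example.test/root/">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>user@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://dms.example.test/root/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://dms.example.test/API/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def sp_expectations(metadata_xml):
    """Return (entityID, set of AssertionConsumerService Locations) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    acs = {e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)}
    return entity_id, acs


def response_urls(response_xml):
    """Pull Destination, Recipient(s) and Audience(s) out of a SAML Response."""
    root = ET.fromstring(response_xml)
    recipients = {
        e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)
    }
    audiences = {e.text.strip() for e in root.iterfind(".//saml:Audience", NS) if e.text}
    return {"destination": root.get("Destination"),
            "recipients": recipients, "audiences": audiences}


def check_response(response_xml, metadata_xml):
    """Return a list of mismatch descriptions; an empty list means the URLs line up."""
    entity_id, acs = sp_expectations(metadata_xml)
    urls = response_urls(response_xml)
    problems = []
    if urls["destination"] not in acs:
        problems.append(f"Destination {urls['destination']!r} is not an SP ACS URL {sorted(acs)}")
    for recipient in urls["recipients"]:
        if recipient not in acs:
            problems.append(f"Recipient {recipient!r} is not an SP ACS URL {sorted(acs)}")
    if entity_id not in urls["audiences"]:
        problems.append(f"Audience {sorted(urls['audiences'])} does not contain entityID {entity_id!r}")
    return problems


if __name__ == "__main__":
    for line in check_response(SAML_RESPONSE, SP_METADATA) or ["all URLs match"]:
        print(line)
```

Run it as-is and it reports the two mismatches (Destination and Recipient) while the Audience passes; paste in the real Response and SP metadata from your own setup to see which of the three values Okta is sending differently from what the SP expects.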
Hi Koen, yes this is possible, with my answer I meant that there is no option to import users from Okta
Authenticating local users through SAML is still possible
Hi Michiel,
Thanks for the suggestions. We’ll look into it.
I do want to comment on your note about Okta only being supported with Automatic User Creation. On the docs page about “SAML Using Okta” there is a Note that mentions an alternative.
Extract from the docs page:
“you can add local users or domain users in DataMiner, and then you can have Okta authenticate these users by following the guide below, except that you omit the AutomaticUserCreation tag in DataMiner.xml”
I believe that is what was done. Is this a supported configuration?