Get up and running Zentral on Google Cloud Platform — Chapter 4

Welcome the fourth episode to get up and running Zentral-all-in-one on Google Cloud Platform. In this chapter we are enabling a SSO setup by using Okta as our SAML provider. A similar setup will also work with Google G Suite, many other SAML 2.0 providers should work to SSO into your Zentral server as well.

Note: We have only tested GSuite and Okta here. Let us know of other SAML providers you’ve used.

Preparation

Log into Okta and create a new custom App. You must select SAML 2.0 protocol here.

Note: We use a Developer version of Okta (so your UI may look a bit different, but steps remain to be the same.

Next there’s two parameters we need to setup in Okta, of course the FQDN used must match your own.

• Single sign on URL (the ACS link to fill in here)
• Audience URI (the Metadata link to fill in here)
• other settings are optional so we ignore them in our example and stick with the defaults already set

ACS: https://zentral.apfelwerk.net/saml2/acs/ 
Metadata: https://zentral.apfelwerk.net/saml2/metadata/

Zentral edits

2020 — see the updated tutorial: https://youtu.be/04sIlLgryv0

Setup Realms for SAML 2.0 in web interface

Now we proceed our basic setup steps in Okta, and next need to instruct Zentral server to use the data as login option. For this we must copy the IDP Metadata we’ve see in Okta to create a Metadata file be present on the Zentral server.

For this we open Terminal or ssh into the Zentral instance, create a new file, and insert the IDP Metadata info (see screenshots):

sudo vim /home/zentral/conf/OKTA_IDP_METADATA.xml

We insert all IDP Metadata here, and save the file as .xml.

Next to make Zentral aware of the IDP Metadata we need to add an entry to the zentral systemd service file:

sudo vim /etc/systemd/system/zentral_web_app.service

We add in two extra ENV variables inside the zentral_web_app.service file (see the screenshots):

• Environment=ZENTRAL_SAML2_IDP_NAME
• Environment=ZENTRAL_SAML2_IDP_METADATA_FILE

The Environment=ZENTRAL_SAML2_IDP_NAME variable provide the name to be reference in Zentral login window. In our example here simply use “Okta”

The Environment=ZENTRAL_SAML2_IDP_METADATA_FILE is the full path reference to the IDP Metadata.xml we’ve previously created.

Now we save the file and must reload the systemctl deamons:

sudo systemctl daemon-reload

We also need to restart the service “zentral_web_app”, as a result we see a new button in the Zentral login window.

sudo systemctl restart zentral_web_app

Enable users/groups

Last action required for this SSO setup remains in the Okta > People section. Here we need to assign / enable a user or group of users for accessing the App with SSO.

Finally when at the Zentral login window we can click the “Sign in with Okta” button. We should see a transfer to the regular Okta user login process and should log-in successfully with aOkta user account into Zentral.
From now on we can enjoy simple this SSO for daily use.

Wrap up

We’ve reached the end of this chapter. We have a production reday SSO setup for Zentral. Based on GCP in a free tier, we now can lean towards the client facing features in Zentral. You could review our initial resources posting, and stay tuned for future tutorials.