• Overview
• How It Works
• Prerequisites
• Steps
  • 1. Create a SaaS application in Banyan
  • 2. Create a Shadow Application for IDP Initiated SSO
  • 3. Setup Application’s SP-Initiated Authentication with Banyan

Overview

This guide details the steps required to use Banyan’s SAML Proxy to secure a single Okta SaaS application. These steps cover securing IDP initiated as well as SP initiated flows for an application.

How It Works

Prerequisites

Before proceeding through the Steps sections below, please ensure you have:

• Configure Okta for Banyan Service Access to create a directory of users for accessing Banyan services
• Configure Okta for Banyan Device Registration to enable device registration with Okta

Steps

1. Create a SaaS application in Banyan

1.1 In the Command Center, navigate from Manage Services > SaaS Applications, then select + Publish SaaS Application.

1.2 Select IDP Routed.

1.3 In the IDP Routed Service Name field, enter your service name (e.g., the name of your app).

1.4 Under Authentication Federation, select SAML as your authentication protocol.

1.5 Enter any placeholder text Redirect URL and Audience URI (e.g., https://dummy.url).

1.6 Attach a Policy of your choice (e.g., High Security).

1.7 Select Register and then Continue. Take note of the SaaSApp Service ID as you will need that in a later step.

2. Create a Shadow Application for IDP Initiated SSO

The shadow application will show up in the Okta catalog and ensure that a Banyan device trust check is complete regardless of an existing Okta session. For these steps, we will use Dropbox as the example SaaS application.

2.1 In Okta, navigate from Applications > Applications.

2.2 Select Create App Integration and choose SAML 2.0.

2.3 In General Settings, name your app (e.g., Dropbox) and upload the relevant app logo.

2.4 In the Configure SAML section, set the following configurations:

• Single sign on URL : https://{ORGNAME}.trust.banyanops.com/v2/saml/proxy
• Audience URI : https://{ORGNAME}.trust.banyanops.com/v2/saml/proxy

2.5 Set the following Attribute Statements:

• Email: user.email
• Username: user.login
• redirectUrl: Fetch SSO URL from your main SaaS app (e.g., Dropbox).
• serviceid: Copy Saas App Service ID from your newly published SaaS app’s service spec in Banyan, and paste in adjacent field.

2.6 In Group Attributes Statements, enter ‘Groups’ under Name, and select Matches regex as the Filter. Then add ‘ .* ‘ in the field adjacent to the Filter.

2.7 Select Next -> I’m an Okta customer adding an internal app -> Finish

3. Setup Application’s SP-Initiated Authentication with Banyan

This step is to ensure SP-initiated flows get routed to Banyan post authentication with Okta.

3.1 Obtain the Single Sign-On URL from the Shadow App

3.2 Replace the Identity Provider Single Sign-in URL from the original SaaS App with the SSO URL from the Shadow App

---

Can’t find what you’re looking for?

We’re happy to help. Contact our team.