
Configuration

Configuration of OKTA:

If you're integrating OKTA for user authentication, you can use the SAML method. Below are the URLs and settings you'll need to input in your OKTA configuration:

Single Sign-On URL: https://viafoundry.{hostname}/vsso/auth/saml/callback
Recipient URL: https://viafoundry.{hostname}/vsso/auth/saml/callback
Destination URL: https://viafoundry.{hostname}/vsso/auth/saml/callback
Audience Restriction: viafoundry-{ViaFoundryID}
Default Relay State: https://viafoundry.{hostname}/vsso/auth/saml
SAML Issuer ID: http://www.okta.com/${org.externalKey}

Make sure to replace {hostname} with your actual server's hostname. The {ViaFoundryID} value will be sent by the Via Scientific team.

Sending User Attributes

In your OKTA setup, configure it to send the user's first name (firstName) and last name (lastName) when they log in. Here is the example:

image

Foundry Logo for OKTA dashboard

In your OKTA setup, you can use the following image for the app logo.

image

Metadata File

Download the metadata.xml file from OKTA and place it at the location specified by SSO_SAML_METADATA.

Configuration File for OKTA

Finally, update your configuration file located at /export/vsso/config.env with the following parameters:

OKTA_SAML_LOGIN=true
SSO_ISSUER=viafoundry-{ViaFoundryID}
SSO_SAML_METADATA=/export/vsso/certs/metadata.xml
SSO_SAML_DESTINATION_URL=https://viafoundry.{hostname}

Here, replace {hostname} with your server's hostname and {ViaFoundryID} with the ID that is sent by the Via Scientific team.

Configuration of Microsoft Active Directory:

If you're integrating Microsoft Active Directory for user authentication, you can use the SAML method. Below are the URLs and settings you'll need to input in your Microsoft Active Directory configuration:

Identifier (Entity ID): https://viafoundry.{hostname}/vsso/auth/saml/callback
Reply URL: https://viafoundry.{hostname}/vsso/auth/saml/callback
Sign On URL: https://viafoundry.{hostname}/vsso/auth/saml/callback
Relay State (Optional): https://viafoundry.{hostname}
Logout Url (Optional):

Make sure to replace {hostname} with your actual server's hostname.

Metadata File

Download the metadata.xml file from Microsoft Entra and place it at the location specified by SSO_SAML_METADATA.

Configuration File for Microsoft Active Directory

Finally, update your configuration file located at /export/vsso/config.env with the following parameters:

OKTA_SAML_LOGIN=true
SSO_ISSUER=https://viafoundry.{hostname}/vsso/auth/saml/callback
SSO_SAML_METADATA=/export/vsso/certs/metadata.xml
SSO_SAML_DESTINATION_URL=https://viafoundry.{hostname}
SSO_SAML_WANT_AUTHN_RESPONSE_SIGNED=false
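
A pre-deployment check for the config.env and metadata.xml pair described in the OKTA and Microsoft sections above. This is an added example, not Via Foundry code: the function names and the SAMPLE_* inputs are constructed for illustration, and the meaning of SSO_SAML_WANT_AUTHN_RESPONSE_SIGNED is inferred from its name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample input, not from a real deployment; the certificate is dummy bytes.
SAMPLE_ENV = """SSO_ISSUER=viafoundry-{ViaFoundryID}
SSO_SAML_DESTINATION_URL=https://viafoundry.example.org
SSO_SAML_WANT_AUTHN_RESPONSE_SIGNED=false"""
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example/constructed"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Location="http://idp.example/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    rows = [ln for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (ln.split("=", 1) for ln in rows)}

def inspect_metadata(xml_text):
    """Return (SHA-256 fingerprints of signing certs, SSO endpoint URLs)."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no "use" means any purpose
             for c in kd.iterfind(".//ds:X509Certificate", NS)]
    prints = [hashlib.sha256(base64.b64decode(c.text or "")).hexdigest() for c in certs]
    return prints, [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]

def check(env_text, metadata_xml):
    """Return findings for a config.env / metadata.xml pair (empty list: nothing flagged)."""
    env = parse_env(env_text)
    prints, sso_urls = inspect_metadata(metadata_xml)
    findings = [f"{k}: placeholder not replaced" for k, v in env.items() if "{" in v]
    if not env.get("SSO_SAML_DESTINATION_URL", "").startswith("https://"):
        findings.append("SSO_SAML_DESTINATION_URL is not an https:// URL")
    if not prints:
        findings.append("metadata has no signing certificate")
    findings += [f"IdP SSO endpoint is not https: {u}" for u in sso_urls if not u.startswith("https://")]
    if env.get("SSO_SAML_WANT_AUTHN_RESPONSE_SIGNED", "").lower() == "false":
        # Assumption from the parameter name: the outer Response signature is not required.
        findings.append("response signature not required: confirm the IdP signs the assertion")
    return findings

if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_METADATA)[0], *check(SAMPLE_ENV, SAMPLE_METADATA), sep="\n")
```

Compare the printed fingerprint with the signing certificate shown in the identity provider's console before placing metadata.xml on the server.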

Apache Configuration for the Foundry Server:

To configure Apache, you need to enable the mod_ssl and mod_proxy modules. Please follow the instructions below:

  1. Create certificate files (SSLCertificateFile and SSLCertificateKeyFile) in PEM format. The SSLCertificateChainFile file is optional.

  2. Save the following text into the /etc/apache2/sites-enabled/viafoundry.conf file:

    <IfModule mod_ssl.c>
        <VirtualHost *:443>
            ServerAdmin Your_Email
            ServerName Your_Domain.com
            ServerAlias Your_Domain.com
            RewriteEngine On
    
            # Some rewrite rules in this file were disabled on your HTTPS site,
            # because they have the potential to create redirection loops.
            SSLCertificateFile /etc/letsencrypt/live/Your_Domain.com/cert.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/Your_Domain.com/privkey.pem
            SSLCertificateChainFile /etc/letsencrypt/live/Your_Domain.com/chain.pem
            SSLProxyEngine on
    
            <Proxy *>
                Allow from localhost
            </Proxy>
    
            ProxyPass /vtunnel http://localhost:6000/vtunnel
            ProxyPassReverse /vtunnel http://localhost:6000/vtunnel
            ProxyPass / http://localhost:8080/
            ProxyPassReverse / http://localhost:8080/
    
            ProxyRequests Off
    
            CustomLog /var/log/apache2/access_vf.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </VirtualHost>
    
    
        ErrorLog /var/log/apache2/error_vf.log
    </IfModule>
    
  3. Enable the required modules. mod_ssl provides support for SSL/TLS encryption, and mod_proxy allows Apache to act as a proxy server. Make sure both are enabled in your Apache configuration:

    # RequestHeader is a directive of mod_headers, so no separate module is needed
    a2enmod ssl rewrite proxy headers proxy_http
    
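  4. Replace "Your_Domain.com", "Your_Email", ProxyPass and ProxyPassReverse: In the Apache configuration, replace "Your_Domain.com" with your actual domain name and "Your_Email" with your email address, and update the ProxyPass and ProxyPassReverse entries to match your setup.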

  5. Adjust SSL certificate locations: You need to specify the correct SSL certificate locations for the subdomain used by the apps.

  6. Check the Apache config syntax:

    apache2ctl configtest
    
  7. Restart the Apache 2 web server:

    /etc/init.d/apache2 restart
    # or
    sudo /etc/init.d/apache2 restart
    # or
    sudo service apache2 restart