Parallels Desktop Enterprise Edition Administrator's Guide
© 2025 Parallels International GmbH. All rights reserved.


Configuring SSO Integration with Okta


Last updated 4 days ago

Follow the steps below one by one to integrate Parallels My Account with Okta.

(1) Configure Organization’s Domains

A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it and read the instructions carefully.

  • Add one or more domains your organization uses.

  • Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.

  • Make sure to add only the domains your organization can control.

The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.

Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:

$ dig TXT {yourdomain}.{com}

(2) Register Parallels Enterprise App and Configure SAML Settings

Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service. The description below illustrates the registration procedure for Okta. It is assumed that you have the permissions required to register and configure enterprise applications with Okta. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice. To register a Parallels enterprise application with Okta:

  1. Log into the Okta management portal using an account that has privileges for registering and configuring enterprise applications for your organization.

  2. On the portal’s landing page, expand the Applications section and choose the Applications item from the left-hand side panel to open the page with the list of enterprise applications registered for your organization.

  3. Click the Create App Integration button, which is located above the list of registered applications. It opens the popup dialog titled Create a new app integration.

  4. In the Create a new app integration dialog, choose SAML 2.0 as your sign-in method, then click Next.

  5. On the next page, type the name of the application (the actual name remains at your discretion) in the App name field, then select the Do not display application icon to users option. Click Next to proceed with configuring the SAML settings for the application. SAML 2.0 integration between Parallels My Account and your organization’s IdP allows your users to activate their copies of Parallels Desktop for Mac Enterprise Edition using Single Sign-On (SSO) and your system administrators to use it to log into your organization’s Parallels business account. To complete this step, you must copy certain parameters from Parallels My Account and save them in the settings of the Parallels enterprise application registered with Okta, then copy some data provided by Okta and save it in Parallels My Account.

  6. Switch to the integration configurator page of Parallels My Account. Expand the Step 4 section on the integration configurator page. Note that there are two sets of parameters in the section. The first set has two values, Service Provider Entity ID and Assertion Consumer Service URL, that must be copied from Parallels My Account to Okta. The second set includes three parameters: Identity Provider Entity ID, Identity Provider SSO URL, and Public Certificate. The values for these parameters must be copied from Okta to Parallels My Account.

  7. On Okta’s Create SAML Integration page (this page should have opened after completion of Step 5, as described above), insert the values into the Single sign-on URL and Audience URI (SP Entity ID) fields, as specified below:

    1. The Assertion Consumer Service URL value from Parallels My Account (in the Step 4 section of the integration configurator) must be copied to the Single sign-on URL input field in Okta.

    2. The Service Provider Entity ID value from Parallels My Account (in the section of Step 4 of the integration configurator) must be copied to the Audience URI (SP Entity ID) input field in Okta.

  8. Keep the Use this for Recipient URL and Destination URL option enabled (it is enabled by default). Leave the parameters in the General section set to the defaults.

  9. Scroll the page down to the section Attribute Statements (optional). Add the following attributes to the list (keep the text values and punctuation marks exactly as specified):

    1. objectidentifier (Name format: Unspecified) > user.id

    2. name (Name format: Unspecified) > user.login

    3. displayName (Name format: Unspecified) > user.displayName

  10. Scroll down the page to the section Group Attribute Statements (optional). Add the following attribute to the list (use the name of the value and punctuation mark exactly as specified):

    1. groups (Name format: Unspecified) > (Filter: Matches regex), set the value to .*Parallels.*

  11. Scroll to the bottom of the page and click Next. It opens the section Help Okta Support understand how you configured this application. Choose the option I’m an Okta customer adding an internal app, and then, once the additional section App type opens, choose the option This is an internal app that we have created.

  12. Finally, click Finish, and once the registration process finishes, you will end up on the application’s home page.

  13. Switch back to the integration configurator page at Parallels My Account, expand the Step 2 section (“Register Parallels enterprise app”), and select the option Configuration in the IdP Directory is done.
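The following check for the attribute and group statements from steps 9 and 10 is an added example, not code from Parallels or Okta. It reads the AttributeStatement of a captured SAML assertion, reports attributes that deviate from the names given above, and lists which directory groups the .*Parallels.* filter releases. The sample XML, the user, and all group names are constructed, and it is an assumption that the filter is applied as a case-sensitive match on the whole group name.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
REQUIRED = ("objectidentifier", "name", "displayName", "groups")  # steps 9-10
# Filter value from step 10. Assumption: whole-name, case-sensitive match.
GROUP_FILTER = re.compile(r".*Parallels.*")

# Constructed AttributeStatement; the user and group names are made up.
# "displayname" is deliberately mis-cased to show what the check reports.
SAMPLE_STATEMENT = f"""<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="objectidentifier" NameFormat="{UNSPECIFIED}">
    <saml2:AttributeValue>00uEXAMPLE</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="name" NameFormat="{UNSPECIFIED}">
    <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="displayname" NameFormat="{UNSPECIFIED}">
    <saml2:AttributeValue>Alice Example</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups" NameFormat="{UNSPECIFIED}">
    <saml2:AttributeValue>Parallels Admins</saml2:AttributeValue>
    <saml2:AttributeValue>Ex-Parallels Contractors</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def read_attributes(xml_text):
    """Map attribute name -> (NameFormat, [values]) from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {
        a.get("Name"): (
            a.get("NameFormat"),
            [v.text or "" for v in a.findall(SAML + "AttributeValue")],
        )
        for a in root.iter(SAML + "Attribute")
    }


def released_groups(directory_groups):
    """Groups the step 10 filter would place in the assertion."""
    return [g for g in directory_groups if GROUP_FILTER.fullmatch(g)]


def check_statement(attrs, mapped_groups):
    """List mismatches between an assertion and steps 9-10 / the group mapping."""
    problems = []
    lowered = {n.lower(): n for n in attrs}
    for name in REQUIRED:
        if name in attrs:
            if attrs[name][0] != UNSPECIFIED:
                problems.append(f"{name}: NameFormat is {attrs[name][0]}")
        elif name.lower() in lowered:
            problems.append(f"{name}: sent as {lowered[name.lower()]!r} (case differs)")
        else:
            problems.append(f"{name}: missing")
    sent = attrs.get("groups", (None, []))[1]
    for group in sent:
        if group not in mapped_groups:
            problems.append(f"group {group!r} is released but not mapped")
    if not any(group in mapped_groups for group in sent):
        problems.append("no mapped group in the assertion")
    return problems


if __name__ == "__main__":
    mapped = {"Parallels Admins", "Parallels Desktop Users"}  # constructed names
    for line in check_statement(read_attributes(SAMPLE_STATEMENT), mapped):
        print(line)
```

Because the filter keys on the substring Parallels, any directory group whose name contains it is sent to the service provider, so keep that word out of unrelated group names.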

Once the registration of the Parallels enterprise application with Okta is completed, you must transfer three parameters from Okta to Parallels My Account. To do so, follow these steps:

  1. Switch back to the Okta management portal. When on the enterprise application’s home page in Okta, ensure the currently selected tab is Sign On. Locate the View SAML Setup Instructions button on the right side of the page. Clicking the link opens the page How to Configure SAML 2.0 for %1 Application, where %1 is the name of the enterprise application registered previously. The page contains the three parameters that must be transferred to Parallels My Account. The same three parameters can also be found in the Metadata Details section of the SAML 2.0 card under More details.

    1. The value Identity Provider Issuer from Okta must be copied to the input field Identity Provider Entity ID.

    2. The value Identity Provider Single Sign-On URL from Okta must be copied to the input field Identity Provider SSO URL.

    3. The content of the X.509 Certificate from Okta must be copied to the input field Public Certificate.

    Instead of copying and pasting these values manually, you can download the metadata in the Okta interface and then upload the resulting XML file using the Upload a metadata file link in the Parallels My Account interface.

    1. In the SAML 2.0 card section, locate Metadata URL under the Metadata Details section.

    2. Copy and paste the Metadata URL into a new browser tab or window.

    3. Use Ctrl/Cmd+S to save the metadata as an XML file.

    4. Switch to Parallels My Account interface, open the Step 4 Identity Provider Settings, click Upload a metadata file, and choose the newly created XML file.
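Before uploading the saved metadata file, it can be inspected locally. The following is an added example, not code from Parallels or Okta: it extracts the three values the Step 4 form expects from a SAML 2.0 IdP metadata document, rejects a file that carries a DTD or a non-HTTPS sign-on URL, and compares the certificate with a PEM block copied by hand. The sample metadata, URLs, and certificate bytes are constructed, and preferring the HTTP-POST binding is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for certificate bytes; not a real X.509 certificate.
FAKE_DER = b"constructed placeholder, not a real certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed metadata in the shape of a SAML 2.0 IdP EntityDescriptor.
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://idp.example.com/app/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the three values the Step 4 form asks for, plus a fingerprint."""
    # A metadata file needs no DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata contains a DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or idp is None:
        raise ValueError("not a SAML 2.0 IdP metadata document")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(MD + "SingleSignOnService")}
    sso_url = sso.get(POST) or sso.get(REDIRECT)
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError(f"SSO URL missing or not HTTPS: {sso_url!r}")
    certs = ["".join((c.text or "").split())
             for kd in idp.findall(MD + "KeyDescriptor")
             if kd.get("use") in (None, "signing")
             for c in kd.iter(DS + "X509Certificate")]
    if len(certs) != 1:
        raise ValueError(f"expected one signing certificate, found {len(certs)}")
    der = base64.b64decode(certs[0], validate=True)
    return {
        "Identity Provider Entity ID": root.get("entityID"),
        "Identity Provider SSO URL": sso_url,
        "Public Certificate": certs[0],
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def same_certificate(metadata_b64, pem_text):
    """True if a PEM block copied by hand carries the same bytes as the metadata."""
    lines = (raw.strip() for raw in pem_text.splitlines())
    body = "".join(s for s in lines if s and not s.startswith("-----"))
    return base64.b64decode(body) == base64.b64decode(metadata_b64)


if __name__ == "__main__":
    for field, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

The SHA-256 value gives a short string to compare against the certificate obtained from the Okta setup page, which catches a truncated paste or a file saved from the wrong application.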

(3) Configure User Groups Mapping

You must create user groups associated with the Parallels enterprise application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should be able to activate their copies of Parallels Desktop for Mac Enterprise Edition using SSO and which ones should have business account admin privileges in the Parallels ecosystem. At least one user group is required for adding users with admin access to your organization’s business account registered with Parallels. Once the group is created, you should add the group's names in Step 3 of the integration configurator page in Parallels My Account.

Start with creating the group in the IdP Directory. To create a user group for the Parallels enterprise application in Okta:

  1. Log into the Okta management portal using the account with privileges for managing user groups and configuring enterprise applications.

  2. On the portal's landing page, expand the section Directory and choose the item Groups on the left-hand side panel to open the page with the list of the groups registered for your organization.

  3. Click the Add Group button placed above the list of groups, which opens the Add group popup dialog.

  4. Type in the name and the group description, and click Save.

  5. Make sure you have repeated steps 3 and 4 three times and created three separate groups as specified above.

Note: Please ensure that the respective group names on the IdP side and the Parallels My Account side match precisely and that in Parallels My Account, the group names match each other precisely. This will help you avoid potential problems, as some IdPs use group names in their identification and authorization processes.

Write down the name of the group created for the Parallels Business Account Admins. You must transfer these values to Parallels My Account later.

Next, assign the Parallels enterprise application registered with Okta to the transit group that you have created before. Make sure you are on the page with the list of the groups at the Okta management portal. To assign the application to the transit group, follow the instructions below:

  1. Find the transit group in the list of groups.

  2. Click on the group’s item in the list to open the page with the details of the group.

  3. Click the Applications tab at the top to open the list of the applications assigned to the group. Since the group is new, the list is supposed to be empty.

  4. Click the Assign Applications button to launch the popup dialog titled Assign Applications to %1, where %1 is the name of the transit group.

  5. Locate the Parallels enterprise application that has been registered with Okta before and click Assign.

  6. Click Done to save the assignment. You will now see the Parallels enterprise application on the list of the assigned applications of the transit group.

After that, you must create a rule to push members from the groups created for the Parallels Administrators to the Parallels enterprise application through the transit group. Make sure you are on the Okta admin portal’s page with the list of the groups. To create the rule, follow these steps:

  1. When on the page with the list of the groups, click Rules at the top of the list to open the list of the rules created for the groups.

  2. Click Add Rule to create a new rule. It opens the popup dialog titled Add Rule.

  3. Type the name of the rule (use whatever name you find suitable).

  4. Choose the Use basic condition option, then select Group membership from the list below.

  5. In the input field below, type the name of the group that has been created for the Parallels Administrators.

  6. In the THEN Assign to input field, type in the name of the transit group.

  7. Click Save to save the rule. Now you will see the new rule in the list of rules.

Once the rule has been created, activate it by clicking on the Actions drop-down menu on the right and then Activate.

Before proceeding, make sure that the following conditions have been met:

  • At least one group has been created for the Parallels Business Account Admins.

  • You have written down the unique names of the groups you have created for the Parallels users and admins.

  • An additional transit group has been created, and the Parallels enterprise application has been registered with Okta and assigned to that group.

  • A rule has been created that enables you to push members of both the admin and user groups to the Parallels enterprise application through the transit group.

Click on Click to edit on the respective group and insert the Parallels Admins group name you have written down earlier into both corresponding fields (“UUID” and “Display Name”), then do the same for the Parallels Desktop Users group section. Click Save to save the changes.

(4) Configure SAML Integration

If everything is set, proceed to the next step.

(5) Configure SCIM Integration

SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory. Okta supports the SCIM 2.0 protocol, which is used for this purpose.

To configure provisioning via SCIM, you must first enable the provisioning for the Parallels enterprise application registered with Okta. After that, you must copy two parameters, SCIM Base URL and Bearer Token, from Parallels My Account (the section of Step 5 of the integration configurator) to Okta. Finally, you must configure the push of the user groups from Okta to Parallels through SCIM.

The description below illustrates the procedure for Okta. It is assumed that you have appropriate permissions to configure enterprise applications in Okta. To configure the provisioning settings for the Parallels enterprise application registered with Okta:

  1. Log into the Okta management portal using the account with privileges for configuring enterprise applications.

  2. When on the portal's landing page, choose Applications > Applications in the left-hand side panel to open the list of enterprise applications registered for your organization.

  3. Click on the General tab to switch to the tab that displays the app’s general settings. There, click Edit in the upper right corner of the tab to switch to the edit mode.

  4. Select the option Enable SCIM Provisioning and click Save.

  5. A new tab called Provisioning will appear at the top of the page. Click on it to open the tab where you can configure the SCIM settings for the application.

  6. While on the Provisioning tab, click Edit in the upper right corner to switch to the edit mode.

  7. Copy the values from the Step 5 section of Parallels My Account to Okta, as specified below:

    1. SCIM connector base URL (Okta): insert the value of the parameter SCIM Base URL copied from Parallels My Account.

    2. Bearer (Okta): insert the value of the parameter Bearer Token copied from Parallels My Account. The Bearer field in Okta is not displayed by default. To make it visible, switch Authentication Mode to HTTP Header.

  8. Enable the options Push New Users, Push Profile Updates, and Push Groups on the same page in Okta.

  9. Insert the text userName (use the text exactly as it is provided here: userName) into the input field Unique identifier field for users.

  10. Click Save to save the changes. Okta’s interface will revert to the Provisioning tab of the Parallels enterprise application.

  11. Make sure the section To App is selected on the left. Click Edit to switch to edit mode. Enable the following options: Create Users, Update User Attributes, Deactivate Users. Click Save to save the changes.

  12. Click the Push Groups tab at the top to open the tab with the list of the groups from which the users are supposed to be pushed to the Parallels ecosystem. The list is supposed to be empty.

Continue to the next step.

(6) Add Users to the Application Groups

To do so, switch to Okta and follow the standard procedure for adding users to groups. Please note that no user will be able to activate their Parallels product unless they have been added to the User group.

(7) Configure Backup Login

Warning: Once you have completed the integration process and activated the SSO functionality, only users from the Administrators group in your IdP signing in via SSO will retain access to managing the Parallels business account. All previous administrative privileges based on logins and passwords will become inactive.

Your designated backup login will continue to work.

Transfer the values from Okta to the Step 4 section of the integration configurator page in Parallels My Account as specified below:

Once you have copied the values from Okta to Parallels My Account, click the Save button in the Step 4 section on the integration configurator page at Parallels My Account and select the Configuration in the IdP Directory is done option at the bottom of the section. Then proceed to the next step.

To complete this step, switch to the integration configurator page at Parallels My Account and expand Step 3 (“Configure user groups mapping”).

SAML 2.0 should already be configured for the Parallels enterprise application registered with Okta, as this is done when the application is registered (refer to the chapter “(2) Register Parallels enterprise app and configure SAML settings” earlier in this document for more details).

Make sure to check the Step 4 section on the integration configurator page at Parallels My Account. All fields must be filled in, and the Configuration in the IdP Directory is done option must be enabled.

Find the Parallels enterprise application that has been registered before (refer to the chapter “(2) Register Parallels enterprise app and configure SAML settings” earlier in this document for details). Select the application’s item from the list to open the app’s home page.

Switch to Parallels My Account, open the integration configurator page, and expand the Step 5 section (“Configure SCIM integration”).

Click Push Groups > Find groups by name to open the dialog, which allows you to specify the group that must be pushed. Specify the name of the group that has been created for the Parallels Admins (refer to the chapter “(3) Configure user groups mapping” earlier in this document for more details) and select the group when it shows up in the list. The section with additional parameters will appear below. Keep the default settings. Scroll down and click Save. You will see the new group on the list.

When you complete configuring the provisioning settings for the Parallels enterprise application in Okta, switch back to Parallels My Account and select the option Configuration in the IdP Directory is done at the bottom of the Step 5 section (“Configure SCIM integration”).

Add users to the groups created in Step 3 (described earlier in the chapter “(3) Configure user groups mapping”) to enable users to activate their copies of Parallels products via SSO and administrators to access your organization’s business account registered with Parallels.

Once it is done, switch back to the integration configurator page at Parallels My Account, expand the Step 6 section (“Add users to the application groups”) and select the option Configuration in the IdP Directory is done at the bottom of the section.

The backup login can be used to access your organization’s business account registered with Parallels, bypassing Single Sign-On in case of an SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page of the Business Profile section in Parallels My Account. The new user must log into the business account at least once before being designated as a backup login.
