SAML Configuration for Okta
Security Assertion Markup Language (SAML) is a standard for exchanging authentication and authorization data between parties. This guide will help you configure SAML SSO between your application and Okta.
📥 Download Service Provider Metadata
Click the "Metadata" button in the SSO configuration modal to download your application's SAML metadata file. This file contains all the necessary configuration details for Okta.
Step 1: Access Okta Admin Console
1. Sign in to Okta Admin Console
Navigate to your Okta Admin Console at admin.okta.com and sign in with your administrator account.
2. Navigate to Applications
In the Admin Console, go to Applications → Applications from the main menu.
Step 2: Create New Application
3. Add Application
Click "Create App Integration" to start creating a new application integration.
4. Choose Integration Type
Select "SAML 2.0" as the sign-in method and click "Next".
5. Configure Application
Enter the following details:
- App name: Your Application Name
- App logo: Upload your application logo (optional)
Step 3: Configure SAML Settings
6. Configure SAML Settings
In the SAML Settings section, configure the following:
General Settings
Single sign on URL: https://yourdomain.com/saml/acs
Audience URI (SP Entity ID): https://yourdomain.com/saml/metadata
Name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Application username: Okta username
7. Configure Attribute Statements
Add the following attribute statements:
Name: email
Name format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Value: user.email
Name: firstName
Name format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Value: user.firstName
Name: lastName
Name format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Value: user.lastName
Name: displayName
Name format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Value: user.displayName
8. Configure Group Attribute Statements (Optional)
If you want to include group information, add:
Name: groups
Name format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
Value: user.groups
Step 4: Configure Advanced Settings
9. Advanced Settings
In the Advanced Settings section, configure:
- Response: Signed
- Assertion: Signed
- Signature algorithm: RSA_SHA256
- Digest algorithm: SHA256
- Assertion encryption: Unencrypted (or Encrypted if required)
Step 5: Download Okta Metadata
10. Download Identity Provider Metadata
After saving the configuration, go to the "Sign On" tab and click "View Setup Instructions". Download the Identity Provider metadata file.
11. Note Configuration Values
From the setup instructions, note the following values:
- Identity Provider Single Sign-On URL: https://your-org.okta.com/app/your-app-id/sso/saml
- Identity Provider Issuer: http://www.okta.com/your-org-id
- X.509 Certificate: The certificate from the metadata file
Step 6: Configure Your Application
12. Enter Okta Configuration
In your application's SSO configuration, enter the following details:
Identity Provider Settings
Entity ID: http://www.okta.com/your-org-id
Single Sign-On URL: https://your-org.okta.com/app/your-app-id/sso/saml
Single Logout URL: https://your-org.okta.com/app/your-app-id/slo/saml
X.509 Certificate: [Paste the certificate from the metadata file]
Step 7: Assign Users
13. Assign Users to Application
Go to the "Assignments" tab and assign users or groups to your application.
Step 8: Test Configuration
14. Test SAML SSO
Use the "Test this integration" feature in Okta to test the SAML configuration.
Okta-Specific Features:
- Just-in-Time Provisioning: Automatically create users in your application
- Group Sync: Synchronize Okta groups with your application
- Multi-Factor Authentication: Leverage Okta's MFA capabilities
- Lifecycle Management: Automatically deprovision users when removed from Okta
Important: Make sure to test the configuration with a non-admin account first to ensure proper user provisioning and attribute mapping.
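As an added example (not code from this guide or from Okta), these are the checks an application's /saml/acs endpoint should apply to an Okta response before trusting the attribute statements, using the Audience URI, NameID format, Issuer and signing algorithms configured above. The sample response and its placeholder signature blocks are constructed assumptions; cryptographic verification of the signatures is left to an XML-DSig library and is not performed here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://yourdomain.com/saml/metadata"   # Audience URI (SP Entity ID) from Step 3
IDP_ISSUER = "http://www.okta.com/your-org-id"           # Identity Provider Issuer from Step 5
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"   # Step 4 signature algorithm
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"                 # Step 4 digest algorithm

def check_signature_declaration(node, what):
    # Declaration check only for the Step 4 signing settings; real XML-DSig verification is a library's job.
    sig = node.find("ds:Signature", NS)
    if sig is None:
        raise ValueError(f"{what} is not signed")
    algs = (sig.find(".//ds:SignatureMethod", NS).get("Algorithm"), sig.find(".//ds:DigestMethod", NS).get("Algorithm"))
    if algs != (RSA_SHA256, SHA256):
        raise ValueError(f"{what} declares unexpected algorithms: {algs}")

def parse_okta_response(xml_text):
    """Policy checks for the Step 3-5 settings, then the user record mapped from the attribute statements."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion (encrypted assertions need decryption first)")
    check_signature_declaration(root, "Response")
    check_signature_declaration(assertion, "Assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        raise ValueError("Assertion was not issued by the configured Okta org")
    if assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("Audience does not match this SP's entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")
    user = {"name_id": name_id.text}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        user[attr.get("Name")] = values if attr.get("Name") == "groups" else values[0]  # groups is multi-valued
    return user

# Constructed sample (not a real Okta capture); the signature blocks are placeholders that exercise the checks.
SIG = ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/><ds:Reference>'
       '<ds:DigestMethod Algorithm="%s"/></ds:Reference></ds:SignedInfo></ds:Signature>' % (RSA_SHA256, SHA256))
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">%s
 <saml:Assertion><saml:Issuer>http://www.okta.com/your-org-id</saml:Issuer>%s
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://yourdomain.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="groups"><saml:AttributeValue>Everyone</saml:AttributeValue><saml:AttributeValue>Admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>""" % (SIG, SIG)
```

Validity windows (NotBefore/NotOnOrAfter) and the SubjectConfirmation Recipient, which must equal the ACS URL, are further checks a production SP applies after the signature has been verified.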
OAuth2 Configuration for Okta
OAuth2 is an authorization framework that enables applications to obtain limited access to user accounts. Okta supports OAuth2 and OpenID Connect protocols for modern application integration.
Step 1: Create OAuth2 Application
2. Create App Integration
Go to Applications → Applications → "Create App Integration".
3. Choose OIDC - OpenID Connect
Select "OIDC - OpenID Connect" as the sign-in method and click "Next".
4. Configure Application Type
Select "Web Application" and click "Next".
Step 2: Configure Application Settings
5. Basic Information
Enter the following details:
- App name: Your Application Name
- App logo: Upload your application logo (optional)
- Grant type: Authorization Code
6. Configure Sign-in Redirect URIs
Add your application's callback URL:
https://yourdomain.com/oauth/callback
7. Configure Sign-out Redirect URIs
Add your application's logout redirect URL:
https://yourdomain.com/logout
Step 3: Configure Trust Settings
8. Trust Settings
In the Trust Settings section, configure:
- Client authentication: Client secret
- Client secret: Generate a new client secret
- Authorization server: Default (or your custom authorization server)
Step 4: Configure Scopes
9. Add Scopes
In the Scopes section, add the following scopes:
- openid: Required for OpenID Connect
- profile: Access to user profile information
- email: Access to user email address
- groups: Access to user group memberships (if needed)
Step 5: Note Configuration Values
10. Get Application Details
After saving, note the following values from the application settings:
- Client ID: Your OAuth2 client identifier
- Client Secret: The secret you generated
- Authorization Server: Usually https://your-org.okta.com/oauth2/default
Step 6: Configure Your Application
11. Enter OAuth2 Configuration
In your application's SSO configuration, enter the following details:
OAuth2 Settings
Client ID: {your-client-id}
Client Secret: {your-client-secret}
Authorization Endpoint: https://your-org.okta.com/oauth2/default/v1/authorize
Token Endpoint: https://your-org.okta.com/oauth2/default/v1/token
User Info Endpoint: https://your-org.okta.com/oauth2/default/v1/userinfo
Redirect URI: https://yourdomain.com/oauth/callback
Scope: openid profile email groups
Step 7: Assign Users
12. Assign Users to Application
Go to the "Assignments" tab and assign users or groups to your application.
Step 8: Test Configuration
13. Test OAuth2 Flow
Test the OAuth2 configuration by attempting to sign in with an Okta account.
OAuth2 Benefits with Okta:
- Modern, secure authorization protocol
- Better user experience with automatic token refresh
- Granular permission control through scopes
- Support for mobile and web applications
- Integration with Okta's advanced security features
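An added example (not this guide's or Okta's code) of the Authorization Code flow that the settings above describe: building the authorize request with a per-session state and nonce, validating the redirect back to /oauth/callback, and preparing the back-channel token request. The client ID and client secret values are constructed placeholders; the endpoints, redirect URI and scopes are the ones configured in Steps 2 to 6.

```python
import base64, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints and redirect URI from Step 6; the client id/secret are constructed placeholders.
AUTHORIZATION_ENDPOINT = "https://your-org.okta.com/oauth2/default/v1/authorize"
TOKEN_ENDPOINT = "https://your-org.okta.com/oauth2/default/v1/token"
REDIRECT_URI = "https://yourdomain.com/oauth/callback"
SCOPE = "openid profile email groups"
CLIENT_ID, CLIENT_SECRET = "0oa-example-client-id", "example-client-secret"

def build_authorize_request(session):
    """Authorization Code request. state ties the callback to this browser session (CSRF defence);
    nonce is echoed in the ID token so a replayed token can be detected. Both are kept server-side."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": SCOPE, "state": session["oauth_state"], "nonce": session["oidc_nonce"]}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)

def handle_callback(session, callback_url):
    """Validate the redirect to the registered callback URL and return the code to exchange, or raise."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:   # exact match, as registered in Step 2
        raise ValueError("callback arrived on an unexpected URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "error" in q:
        raise ValueError(f"Okta returned error {q['error']}: {q.get('error_description', '')}")
    expected = session.pop("oauth_state", None)   # single use: a second callback with the same state fails
    if not expected or not hmac.compare_digest(expected, q.get("state", "")):
        raise ValueError("state mismatch: possible CSRF or stale session")
    return q["code"]

def token_request(code):
    """Endpoint, headers and body for the back-channel POST that exchanges the code. The secret goes in an
    HTTP Basic header (client_secret_basic); Okta also accepts it in the form body (client_secret_post)."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}", "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})
    return TOKEN_ENDPOINT, headers, body
```

The returned ID token must then be checked against the issuer (https://your-org.okta.com/oauth2/default), the client ID as audience and the stored nonce before the session is created.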
If you encounter any issues during configuration, please contact our support team with the following information:
© 2024 Your Company. All rights reserved. | This document is confidential and intended for authorized users only.