
Okta

Follow the steps documented below to integrate your Org with your Okta Organization for Single Sign On (SSO) over SAML 2.0.

Important

Only users with "Organization Admin" privileges can configure SSO in the Web Console.


Step 1: Create IdP

  • Log in to the Web Console as an Organization Admin
  • Click on System and IdPs
  • Click on "New IdP"
  • Provide a name, select "Okta" from the drop down
  • Enter the "domain" for which you would like to enable SSO

Important

Within an org, a domain can be assigned to only one IdP. The same domain may, however, be used in several orgs, with one IdP per org.

  • Enter a domain admin email address.
    • After saving the Identity Provider, an email is sent to the IdP Admin. The IdP Admin must verify the web console Identity Provider by clicking the link in the email.
  • Optionally, toggle "Encryption" if you wish to send/receive encrypted SAML assertions
  • Provide a name for the "Group" attribute
  • Optionally, toggle "Include Authentication Context" if you wish to include authentication context information in the assertion
  • Click on Save & Continue

Create IdP

Important

Encrypting SAML assertions is optional because the transport is already protected by HTTPS; encrypting the assertion adds a layer on top of that, ensuring that only the SP (your Org) can decrypt it. Keep in mind that with the SAML POST binding the assertion passes through the user's browser, so TLS alone does not hide its contents (for example, group names) from the end user or from a TLS-terminating proxy in the path; assertion encryption is what keeps those attribute values private from such parties. Encryption never replaces signature verification: the SP must still verify the IdP's signature on the assertion before trusting anything in it.


Step 2: View SP Details

The IdP configuration wizard will display critical information that you need to copy/paste into your Okta Org. Provide the following information to your Okta administrator.

  • Assertion Consumer Service (ACS) URL
  • SP Entity ID
  • Name ID Format

View SP Details


Step 3: Create App in Okta

  • Log in to your Okta Org as an Administrator
  • Select Applications and Create a New App
  • Select "SAML 2.0" for Sign on method
  • Click on Create

Create App Integration


Step 4: General Settings

In step 1 of the application configuration wizard:

  • Provide an App Name for the Web Console
  • Upload the Logo

General Settings


Step 5: Configure SAML

In step 2 of the application configuration wizard:

  • Copy/Paste the ACS URL from Step 2 into the "Single sign on URL" field
  • Copy/Paste the SP Entity ID from Step 2 into the "Audience URI (SP Entity ID)" field
  • Select "EmailAddress" in the Name ID format dropdown

Configure SAML

In the Group Attribute Statements section, provide the name for the "Group" attribute, select the "Matches regex" filter, and enter ".*" as the value.

The "Group" configuration step is critical: it ensures that Okta sends the groups the user belongs to as part of the SSO assertion. The controller uses this group information to transparently map users to the correct group/role. Note that the ".*" filter forwards every group the user is a member of, including Okta's built-in "Everyone" group; if you prefer to disclose only the groups relevant to this Org, narrow the regex so that it matches just the groups you create for the application in Step 7.

Configure SAML

Important

Use the same Group Attribute Name you provided in the Create IdP section (Step 1). If the names differ, the controller will not find the group attribute in the assertion and no group/role mapping can be applied to the user.

Complete the Feedback portion of the Okta app wizard.


Step 6: Specify IdP Metadata

Copy the "Identity Provider Metadata" URL from the app's Sign On tab in Okta

IdP Metadata

  • Navigate back to the Web Console's IdP configuration wizard
  • Paste the Identity Provider Metadata URL from Okta
  • Complete IdP Registration

Create App Integration

  • Once this process is complete, you can view details about the IdP configuration on the Identity Provider page.
  • You can also edit and update the configuration if required.

Completed IdP


Step 7: Assign Users and Groups

Once your Org and Okta are integrated using the steps documented above, create "Groups" in Okta and assign them to the application. Okta users can then be added to or removed from these groups at any time.

Assign Groups

A group with the identical name must be created in your Org. Ensure that this group is mapped to the appropriate Projects with the correct privileges.

Assign Groups

Because SSO is handled by Okta, user lifecycle management can be offloaded entirely to the IdP. In the example below, the group contains no locally managed users: all of its members are managed in the attached Okta Org. Note that group membership is conveyed in the SAML assertion at sign-in, so a change made in Okta (for example, removing a user from the group) takes effect at that user's next login; a session already established in the Web Console is not revoked by the change in Okta.

Users in Group
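The mapping described in Step 5 (the Group attribute statement) and Step 7 (an identically named group in the Org) can be traced end to end on a sample assertion. The script below is an added example, not the Web Console's or Okta's code: the assertion is constructed and unsigned (a real SP verifies the XML signature, Conditions and InResponseTo before trusting any attribute), the Org group names and their project privileges are invented, and the attribute name "groups" is the value assumed to have been entered in Step 1 and Step 5.

```python
"""Trace a SAML Group attribute statement through to Org group membership (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Invented Org groups (Step 7): name -> the project privilege the group was mapped to.
ORG_GROUPS = {
    "org-project-admins": "Project Admin on project-a",
    "org-viewers": "Read-only on all projects",
}

# Constructed, unsigned assertion in the shape Okta sends when the Group attribute
# filter is "Matches regex" ".*": every group, including Okta's built-in "Everyone".
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml2:Issuer>http://www.okta.com/exk0000000000000000</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
      <saml2:AttributeValue>org-project-admins</saml2:AttributeValue>
      <saml2:AttributeValue>org-viewers</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def extract_identity(assertion_xml, group_attr):
    """Return (email, [group names]) from a verified assertion or a Response wrapping one."""
    root = ET.fromstring(assertion_xml)
    if root.tag == f"{{{NS['samlp']}}}Response":
        root = root.find("saml:Assertion", NS)
        if root is None:
            raise ValueError("Response carries no Assertion")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format (see Step 5)")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # The attribute name must equal the Group Attribute Name from Step 1; the
        # comparison is exact, so "Groups" would not match "groups".
        if attr.get("Name") == group_attr:
            groups.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return (name_id.text or "").strip(), groups


def resolve_groups(idp_groups, org_groups):
    """Match IdP group names to Org groups by identical name; unknown names are ignored."""
    matched = [g for g in idp_groups if g in org_groups]
    ignored = [g for g in idp_groups if g not in org_groups]
    return matched, ignored


if __name__ == "__main__":
    email, groups = extract_identity(SAMPLE_ASSERTION, "groups")
    matched, ignored = resolve_groups(groups, ORG_GROUPS)
    print(f"{email} signs in with Okta groups {groups}")
    for g in matched:
        print(f"  {g}: {ORG_GROUPS[g]}")
    print(f"  ignored (no identically named Org group): {ignored}")
```

Running it with the attribute name spelled differently from Step 1 (for example "Groups") yields an empty group list and therefore no project privileges, which is the failure mode the note after Step 5 warns about; the "Everyone" entry shows why narrowing the ".*" regex in Step 5 is worthwhile when you do not want unrelated group names leaving Okta.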