Configure Okta as SAML Identity Provider

Configure Okta as SAML Identity Provider

Configure Okta as a SAML identity provider by completing the following steps:

  1. Configure Okta SAML integration

  2. Configure SAML connection in Auth0.

  3. Enable access to the connection.

  4. Test connection.

Prerequisite

You must have an Okta Developer account.

Configure Okta SAML integration

  1. Sign in to the Okta Developer Console.

  2. Use the App Integration Wizard to add an application for use with Auth0.

  3. Use the SAML App Wizard to create your SAML integration. When done, you'll be directed to the Sign On page for your newly-created app.

  4. Click View Setup Instructions to complete the process.

  5. Note the Identity Provider Single Sign-On URL, and download a copy of the X.509 certificate.

Configure SAML connection in Auth0

  1. Go to Auth0 Dashboard > Authorization > Enterprise > SAML and click the plus icon to go to the page that allows you to create a new connection.

  2. Provide the appropriate configuration settings for this connection. The only mandatory fields are as follows:

    Setting Description
    Connection Name Connection name
    Sign In URL The Identity Provider Single Sign-On URL you noted from the Okta setup wizard
    X509 Signing Certificate Upload the certificate you downloaded from Okta.

  3. Click Save. In the next window, you'll be provided two options:

    1. If you are a domain administrator, click Continue for additional instructions on SAML identity provider configuration.

    2. If you are not, you can give your domain administrator the provided URL so that they can finish the configuration.

Enable and test connection access

  1. Go to Auth0 Dashboard > Applications > Applications to see the list of applications associated with your Auth0 account.

  2. Click Connections on its associated row.

  3. Scroll to the Enterprise section, and enable the Okta connection for the associated application.

  4. Go to Auth0 Dashboard > Authorization > Enterprise > SAML.

  5. On the row associated with Okta, click Try to test the connection. If your test was successful, you'll see the It works! screen. If not, you'll see an error message containing details on what the issue might be.

The Try button works for users logged in to Auth0 dashboard. You can't send this to an anonymous user, such as a customer. If you don't have a Okta user, you'll need to configure IdP-initiated SSO so someone else can try on their portal.

The user might see the Okta dashboard after authenticating using a Service Provider-initiated login flow. If you integrated you application with Auth0 using the OIDC protocol, Auth0 takes the value of the state parameter and passes it to Okta using the SAML RelayState parameter. Make sure that you set state to a value that Okta can use.

IdP-initiated SSO

Okta provides an Application Portal/Launcher for their users.

  1. If you would like to support the Okta Application Portal/Launcher, change the Single Sign-on URL in the Okta dashboard to https://YOUR_DOMAIN/login/callback?connection=YOUR_CONNECTION_NAME

  2. Change YOUR_CONNECTION_NAME to the name of your Auth0 Connection.

See IdP-Initiated SSO for information on configuring your Auth0 Connection to route the incoming SAML Response.