Configure Okta as an Identity Provider

This article walks you through configuring Okta for use as an identity provider.

Configure Okta

Log in to your Okta account. If you don't already have one, you will need to create one.

On the general Okta dashboard, click Admin. This takes you to the Okta Admin Dashboard.

Okta Dashboard

Using the list of shortcuts at the right-hand side of the screen, click Add Applications.

Okta Admin Dashboard

On the Add Application page, select Create New App.

Create New Okta App

On the Create a New Application Integration pop-up window, select the Platform for your application, and choose SAML 2.0 as the Sign on method. Click Create to proceed.

Create New app Integration

You will now create your SAML integration. On the General Settings page, provide the following:

  • App name;
  • App logo (optional);
  • App visibility: select whether you want your users to see your application icon and in what settings.

SAML Integration General Settings

Click Next to proceed.

Next, you will see the SAML Settings page. Enter the following values into the appropriate fields, exactly as shown: Auth0 checks the Audience of every incoming assertion against the SP Entity ID, so a mismatch here results in rejected logins rather than a partially working connection.

  • Single sign on URL: https://YOUR_AUTH0_DOMAIN/login/callback
  • Audience URI (SP Entity ID): urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME

SAML Integration Configure SAML

You will also need to add the following Attribute Statement:

  • Name: email
  • Name format (optional): Unspecified
  • Value: ${user.email}

At this point, you can click Preview the SAML Assertion to generate XML you can use to verify that your provided settings are correct.
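The preview is only useful if you actually compare it with what Auth0 expects. The following script is an added example, not part of the original article and not Auth0 or Okta code: it parses the XML produced by Preview the SAML Assertion and confirms that the Destination and Recipient equal the Single sign on URL, that the Audience equals the SP Entity ID, and that the email Attribute Statement is present with a value. The sample assertion, the domain example.auth0.com, the tenant example, the connection name okta and the Issuer are constructed placeholders. It does not verify the XML signature and must never be used to accept real assertions; Auth0 does that once the Connection is configured.

```python
"""Check Okta's SAML assertion preview against the values Auth0 expects.

Added example (not from the article, Auth0 or Okta). Configuration sanity check
only: no signature verification, so never use it to accept real assertions.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def expected_values(auth0_domain, tenant, connection_name):
    """The two values the SAML Settings page asks for, derived from your Auth0 names."""
    return {
        "acs_url": f"https://{auth0_domain}/login/callback",
        "audience": f"urn:auth0:{tenant}:{connection_name}",
    }


def check_preview(xml_text, auth0_domain, tenant, connection_name):
    """Return a list of mismatches; an empty list means the preview is consistent."""
    want = expected_values(auth0_domain, tenant, connection_name)
    problems = []
    # ElementTree does not resolve external entities, but it is not hardened against
    # entity-expansion attacks either: only feed it XML from your own admin console.
    root = ET.fromstring(xml_text)

    if root.tag == f"{{{NS['samlp']}}}Response":
        dest = root.get("Destination")
        if dest != want["acs_url"]:
            problems.append(f"Response Destination {dest!r} != Single sign on URL {want['acs_url']!r}")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            problems.append("StatusCode is not Success")
        assertion = root.find("saml:Assertion", NS)
    else:  # the preview may also show a bare Assertion
        assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else None
    if assertion is None:
        return problems + ["no saml:Assertion element found"]

    # The bearer confirmation's Recipient must also be the ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != want["acs_url"]:
        problems.append(f"Recipient {recipient!r} != Single sign on URL {want['acs_url']!r}")

    # Audience must equal the SP Entity ID exactly; an assertion scoped to another
    # audience is not valid for this connection.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if want["audience"] not in audiences:
        problems.append(f"Audience {audiences!r} does not include {want['audience']!r}")

    # The Attribute Statement added in Okta: Name="email" with a non-empty value.
    email = ""
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "email":
            value = attr.find("saml:AttributeValue", NS)
            email = (value.text or "").strip() if value is not None else ""
    if not email:
        problems.append('no Attribute Name="email" with a value (check the Attribute Statement)')
    return problems


# Constructed sample resembling the preview; Issuer, IDs and timestamps are placeholders.
SAMPLE_PREVIEW = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://example.auth0.com/login/callback" ID="id-resp-1"
    IssueInstant="2024-01-01T00:00:00.000Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/EXAMPLE_ISSUER_ID</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-asn-1"
      IssueInstant="2024-01-01T00:00:00.000Z" Version="2.0">
    <saml2:Issuer>http://www.okta.com/EXAMPLE_ISSUER_ID</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00.000Z"
            Recipient="https://example.auth0.com/login/callback"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T00:00:00.000Z" NotOnOrAfter="2024-01-01T00:05:00.000Z">
      <saml2:AudienceRestriction><saml2:Audience>urn:auth0:example:okta</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""

if __name__ == "__main__":
    for line in check_preview(SAMPLE_PREVIEW, "example.auth0.com", "example", "okta") or ["OK"]:
        print(line)
```

Paste the preview XML from Okta in place of SAMPLE_PREVIEW and pass your own domain, tenant and connection name; every line it prints corresponds to a field on the SAML Settings page that needs correcting.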

Click Next to proceed.

Lastly, answer Are you a customer or partner? by selecting I'm an Okta customer adding an internal app. Click Finish.

SAML Integration Feedback

You'll be directed to the Sign On page for your newly-created app. Click on View Setup Instructions to complete the process.

Okta App Sign On

Take note of the Identity Provider Single Sign-On URL, and download a copy of the X.509 certificate. Auth0 will use this certificate to verify the signature on the SAML responses Okta sends, so it is the trust anchor for the connection: keep the downloaded file so you can confirm that the same certificate ends up in Auth0, and remember that it must be updated in Auth0 if Okta's signing certificate is rotated.

Configuration Information

Configure Auth0

At this point, you will configure the integration from the Auth0 side.

Log in to your Auth0 account, and go to the Management Dashboard. Go to Connections -> Enterprise -> SAMLP Identity Provider and click the plus icon to launch the dialog window that allows you to create a new Connection.

List of Auth0 Connections

When prompted, click Create New Connection.

Create New Auth0 Connection

You will be prompted to provide the appropriate configuration settings for this Connection.

Configure New Auth0 Connection

The only mandatory fields are as follows:

  • Connection Name: a friendly name for your new Connection;
  • Sign In URL: the Identity Provider Single Sign-On URL you made note of when you set up your Okta app;
  • X509 Signing Certificate: the certificate you downloaded from Okta. You will need to upload the certificate directly to Auth0.

Configuration Values

Click Save to persist your changes and proceed.

In the next dialog window, you'll be provided two options. If you are a domain administrator, you can click Continue for additional instructions on SAML Identity Provider Configuration. If you are not, you can give your domain administrator the provided URL so that they can finish the configuration.

Auth0 Admin Instructions

Enable Access to the Connection

Now that you've created and configured your Connection, you'll need to enable access to the Connection for your Client(s).

Using the Management Dashboard, go to Clients to see the list of Clients associated with your Auth0 account.

Auth0 Clients

To enable your Connection for a given Client, click Connections on its associated row.

Scroll down to the Enterprise section, and click the slider to enable your Okta Connection for the associated Client.

Enable Connection for a Client

Test your Connection

You can test your Okta-Auth0 integration using the Management Dashboard if you are an Okta user.

Go to Connections -> Enterprise -> SAMLP Identity Provider. On the row associated with Okta, click the play icon to Try your Connection.

Test Okta Connection

If your test was successful, you'll see the It works! screen. If not, you'll see an error message containing details on what the issue might be.

The Try button works for users logged in to the Auth0 dashboard. You can't send this to an anonymous user, such as a customer. If you don't have an Okta user, you'll need to configure IdP Initiated SignOn so that someone else can try the connection from their Okta portal.

IdP Initiated SignOn

Okta provides an Application Portal/Launcher for their users. If you would like to support the Okta Application Portal/Launcher, change the Single sign on URL in the Okta dashboard to https://YOUR_AUTH0_DOMAIN/login/callback?connection=YOUR_CONNECTION_NAME. Keep in mind that in an IdP-initiated flow the SAML response is not tied to a request that Auth0 issued, so enable it only if you actually need the Okta portal; Service Provider-initiated login remains the preferred flow.

Be sure to change YOUR_CONNECTION_NAME to the name of your Auth0 Connection.

Lastly, you'll need to select the Client to which Auth0 redirects after it validates the SAML Response.

Go to Connections -> Enterprise -> SAMLP Identity Provider. On the row associated with Okta, click Settings, and switch to the IdP-Initiated SSO screen.

Set the Default Client and indicate that the Response Protocol is SAML.

Enable IDP

Click Save.
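The Auth0 side of this procedure (the mandatory Connection fields, enabling the Connection for Clients, and the IdP-Initiated SSO default Client above) can also be expressed as a single Management API request body, which makes the values reviewable before anything is saved. The following script is an added example, not part of the original article and not Auth0's own code: it validates the values copied from Okta (a PEM-framed certificate, an https Sign In URL, at least one enabled Client) and assembles the body that a POST to /api/v2/connections would carry. The option names signInEndpoint, signingCert, enabled_clients, idpinitiated and client_protocol, the connection-name rule, and the placeholder domain, URL, client IDs and certificate are assumptions to confirm against the Management API reference; the certificate in particular is a tiny placeholder DER blob, not a real certificate. Nothing here talks to the network.

```python
"""Compose and sanity-check the Auth0 Connection for Okta as a Management API body.

Added example (not from the article or Auth0). Field names are assumed from the
Management API schema; verify them against the API reference before use.
"""
import base64
import hashlib
import json
import re
from urllib.parse import quote

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholders: replace with the values from your own Okta app and Auth0 tenant.
AUTH0_DOMAIN = "example.auth0.com"
CONNECTION_NAME = "okta"
OKTA_SSO_URL = "https://example.okta.com/app/EXAMPLE_APP/EXAMPLE_APP_ID/sso/saml"
# Placeholder PEM whose body is the DER SEQUENCE 30 03 02 01 01, NOT a real certificate.
OKTA_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body; raise on mangled pastes."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM certificate (expected BEGIN/END CERTIFICATE armour)")
    b64 = "".join(body[len(PEM_HEADER):-len(PEM_FOOTER)].split())
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("decoded body is not DER (no leading SEQUENCE tag)")
    return der


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER bytes; record it and compare with what Auth0 stores."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_initiated_acs_url(auth0_domain: str, connection_name: str) -> str:
    """Single sign on URL to set in Okta when the Okta portal/launcher must work."""
    return f"https://{auth0_domain}/login/callback?connection={quote(connection_name, safe='')}"


def build_connection_body(name, sign_in_url, cert_pem, enabled_clients, idp_initiated_client_id=None):
    """Request body for the samlp Connection; checks the Okta-supplied values first."""
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?", name):
        raise ValueError("connection name: letters, digits and inner hyphens only (assumed Auth0 rule)")
    if not sign_in_url.startswith("https://"):
        raise ValueError("Sign In URL must be https: users are redirected here with the AuthnRequest")
    pem_to_der(cert_pem)  # fail early on a broken certificate paste
    if not enabled_clients:
        raise ValueError("enable the Connection for at least one Client or nobody can log in with it")
    body = {
        "name": name,
        "strategy": "samlp",
        "options": {
            "signInEndpoint": sign_in_url,  # Sign In URL from Okta's setup instructions
            "signingCert": cert_pem,        # X509 Signing Certificate downloaded from Okta
        },
        "enabled_clients": list(enabled_clients),
    }
    if idp_initiated_client_id:
        if idp_initiated_client_id not in enabled_clients:
            raise ValueError("the IdP-initiated default Client must itself be an enabled Client")
        body["options"]["idpinitiated"] = {
            "enabled": True,
            "client_id": idp_initiated_client_id,
            "client_protocol": "samlp",  # 'Response Protocol is SAML' in the dashboard
        }
    return body


if __name__ == "__main__":
    print("certificate fingerprint:", cert_fingerprint(OKTA_CERT_PEM))
    print("IdP-initiated ACS URL:", idp_initiated_acs_url(AUTH0_DOMAIN, CONNECTION_NAME))
    print(json.dumps(build_connection_body(
        CONNECTION_NAME, OKTA_SSO_URL, OKTA_CERT_PEM, ["CLIENT_A", "CLIENT_B"],
        idp_initiated_client_id="CLIENT_A"), indent=2))
```

Record the fingerprint when you first configure the Connection; a later read of the Connection from the Management API should yield the same value, and a different one means the trust anchor changed and should be explained before users keep logging in through it.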

Troubleshooting

The user might see the Okta dashboard after authenticating using a Service Provider-initiated login flow. If you integrated your application with Auth0 using the OpenID Connect protocol, Auth0 takes the value of the state parameter from your authorization request and passes it to Okta as the SAML RelayState parameter. As such, make sure that you set state to a value that Okta can use.

Next Steps

Now that you have a working connection, the next step is to configure your application to use it. You can follow our step-by-step quickstarts or use our libraries and API directly.