Tutorial: How to Configure SAML with Okta
This is a step-by-step guide for configuring SAML on Access Server with Okta.
Overview
Access Server 2.11 and newer supports authentication using SAML with Okta as the identity provider. You can configure this in Okta with Access Server as your service provider.
The following steps walk you through enabling SAML authentication for users and groups from Okta to Access Server.
You need the following to get started:
- An Okta account.
- A deployed Access Server.
Important: We recommend using all lowercase usernames when signing in with SAML.
With Okta, you must create a custom SAML application.
Now that you have your SP information, you can create a new Okta SAML app and enter that information during app creation:
1. Sign in to your Okta admin dashboard.
2. From Applications, create a new app integration.
3. Select SAML 2.0 and click Next.
4. Provide an App name and App logo, choose the App visibility, then click Next.
5. Use the SP information from Access Server to enter the following into the Okta SAML settings:
   - Single sign on URL: Enter the Access Server SP ACS.
   - Audience URI (SP Entity ID): Enter the Access Server SP Identity.
   - Default RelayState: Enter 'cws' for the Client Web UI or 'profile' to provide users with a downloadable profile. (See "How to set up IdP-initiated flow" below for more details.)
6. Click Next.
Option 1: Download the Okta metadata file for automatic configuration
1. With your new app, click View SAML setup instructions under the Sign On tab.
2. Under Optional, select the XML and copy it, then create an XML file with the copied metadata.
Option 2: Copy the Okta SAML data for manual configuration
1. With your new app, click View SAML setup instructions under the Sign On tab.
2. Copy the content in Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate.
The simplest way to set up Okta SAML for Access Server is to provide the metadata XML file (option 1), but you can also manually configure it (option 2).
Option 1: Upload the Okta metadata file in the Admin Web UI
Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:
1. Sign in to your Access Server Admin Web UI.
2. Click Authentication > SAML.
3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
4. Click Choose File for Select IdP Metadata File.
5. Select your Okta metadata XML file, click Upload, and click Update Running Server.
The IdP fields are now populated under Configure Identity Provider (IdP) Manually.
Option 2: Manually configure Okta SAML
1. Sign in to your Access Server Admin Web UI.
2. Click Authentication > SAML.
3. Click Configure Identity Provider (IdP) Manually to expand the section.
4. Paste the following values from Okta into the Access Server fields:
   - Paste the Okta Identity Provider Single Sign-On URL into Access Server's Sign On Endpoint.
   - Paste the Okta Identity Provider Issuer into Access Server's IdP EntityId.
   - Paste the Okta X.509 Certificate into Access Server's Certificate (PEM format).
The IdP fields are now saved.
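Option 1 and option 2 feed Access Server the same three values; the metadata XML simply carries them in SAML metadata elements (the entityID attribute, the SingleSignOnService location, and the signing certificate). The following added example, which is not Access Server or Okta code, pulls those values out of an IdP metadata file so you can confirm what an upload will populate, or check a manually pasted value against the file. The sample metadata is constructed and it assumes Access Server's Sign On Endpoint uses the HTTP-Redirect binding, which Okta lists alongside HTTP-POST at the same URL.

```python
"""Extract the manual SAML fields (Sign On Endpoint, IdP EntityId,
Certificate in PEM format) from Okta-style IdP metadata XML."""
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
VALID_RELAY_STATES = {"cws", "profile"}  # the two values Access Server understands

# Constructed sample in the shape of Okta's "Optional" metadata XML (not real Okta output).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exampleIdPid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIC0EXAMPLECERTBASE64==
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings(metadata_xml: str) -> dict:
    """Return the three fields of the manual form, or raise if the file is not IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # an SP metadata file (e.g. Access Server's own) has an SPSSODescriptor instead
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = idp.find("md:SingleSignOnService[@Binding='%s']" % REDIRECT, NS)
    if sso is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(cert.text.split())  # drop the whitespace metadata wraps the blob in
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % textwrap.fill(b64, 64)
    return {"sign_on_endpoint": sso.get("Location"),
            "idp_entity_id": root.get("entityID"),
            "certificate_pem": pem}


def check_relay_state(value: str) -> bool:
    """True only for the exact RelayState values the tutorial names (case-sensitive)."""
    return value in VALID_RELAY_STATES
```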
You must assign this app to users or groups in Okta:
1. Sign in to the Okta admin dashboard.
2. Select your SAML app and click the Assignments tab.
3. Assign the SAML app to users or groups, or you can assign it to everyone:
   - Click Assign > Assign to Groups.
   - Click Assign for Everyone and click Done.
All users in your organization should now have access to your Access Server SAML app.
You can configure an IdP-initiated flow for signing into Access Server from Okta with the following steps:
1. Sign in to the Okta admin dashboard.
2. Click Applications > Applications, and click your custom SAML app.
3. Click General and edit the SAML settings.
4. Under 2 Configure SAML, enter one of the following for Default RelayState:
   - cws: This directs your users to the Client Web UI after sign-in.
   - profile: This directs your users to a profile download after sign-in.
5. Save changes.
Your users can now sign in to Okta and find the Access Server SAML application under My Apps.