Add a SAML Identity Provider (2024)

Adding a SAML Identity Provider (IdP) is the first step in the process of configuring inbound SAML.

Start this task

  1. In the Admin Console, go to Security > Identity Providers.

  2. Click Add identity provider, and then select SAML 2.0 IdP.
  3. Click Next.
  4. Configure the General Settings. If a View Setup Instructions link appears, click it first. Some providers have their own detailed instructions.
    Name: Enter a name for this IdP.
  5. Configure Authentication Settings.
    IdP Usage

    Select an option:

    • SSO only: Use this IdP only for single sign-on.
    • Factor only: Use this IdP only for multifactor authentication.
    Account matching with Persistent Name ID: Select Use Persistent Name ID (Higher Security) to determine the associated user account by matching the Name ID with the External ID. If no match is found, Okta uses the IdP username value for account matching.
  6. Configure Account matching with IdP Username.
    IdP username: Select the entity in the SAML assertion that contains the username.

    You can enter an expression to reformat the value. For example, if the username in the SAML assertion is john.doe@mycompany.okta.com, you could specify the replacement of mycompany.okta with endpointA.mycompany. This makes the transformed username john.doe@endpointA.mycompany.com.

    To enter an expression, use the Okta Expression Language syntax.

    Filter: Select Only allow usernames that match defined RegEx Pattern only if you want to enter an expression as a username filter. Specifying a filter limits the selection of usernames before authentication.
    Match against: Select the field in Okta that the transformed username is authenticated against.
    Account Link Policy

    Specify whether Okta automatically links the user's IdP account with a matching Okta account.

    • Disabled: Disable account linking.
    • Automatic: Account linking occurs automatically.

    For enhanced security, disable account linking if possible. If you need account linking, follow Security best practices.

    Auto-Link Restrictions: When automatic account linking is enabled, indicate whether you want to restrict linking to specific user groups.
    If no match is found

    Specify whether to create a user account with Just In Time (JIT) provisioning or to redirect the user to the Okta sign-in page.

    • Create new user (JIT): Create user accounts with JIT. If you select this option, you must also go to Settings > Customization > Just In Time Provisioning and click Enable Just In Time Provisioning.
    • Redirect to Okta sign-in page: Redirect the user to the Okta sign-in page to create their account.
  7. Configure JIT Settings.

    Profile Source

    Select Update attributes for existing users to update user accounts with the information in this SAML assertion. Profile information isn't pushed if you don't select this checkbox.

    Group Assignments: Select an option to specify the groups you want to add the users in the SAML assertion to:
    • None: Don't assign the authenticated users to any groups. No other information is required.
    • Assign to specific groups: Assign users to groups. The Specific Groups field appears. Enter the name of the group that you want to add users to. Okta displays group names that match your text. Select the group that you want to add. Repeat these steps to add more groups.
    • Add user to missing groups: Add users to any groups in the SAML assertion that they don't already belong to. Users aren't removed from any groups they already belong to. The SAML Attribute Name field appears. Enter the name of the SAML attribute whose values represent group memberships. The values appear in the attribute statements from the SAML assertion. Those values are compared to those in the Group Filter field. Matching values determine which groups the user is assigned to during JIT. The Group Filter field acts as a security allowlist. Enter the name of the group that you want to add users to. Okta displays group names that match your text. Select the group that you want to add. Repeat these steps to add more groups.
    • Full sync of groups: Assign users to the group represented by the attribute specified in the SAML Attribute Name field. Ensure that this group appears in the Group Filter field.

    If the user is a member of any group that doesn't match the values in the SAML Attribute Name field, the user is deleted from the group.

  8. Configure SAML Protocol Settings.

    IdP Issuer URI: Enter the issuer URI from the IdP.
    IdP Single Sign-On URL: Enter the sign-on URL from the IdP. If you select Sign SAML Authentication Requests but don't specify a destination in Destination, Okta automatically sends the authorization request to the IdP Single Sign-On URL.
    IdP Signature Certificate: Upload the certificate from the IdP that's used to sign the assertion. Click Browse files, select the certificate file, and then click Open.
    Request Binding

    Select the SAML Authentication Request Protocol binding that Okta uses to send SAML authorization request messages to the IdP.

    • HTTP POST: Select the HTTP POST method.
    • HTTP REDIRECT: Select the HTTP REDIRECT method.
    Request Signature: Select Sign SAML Authentication Requests to sign SAML authorization request messages that Okta sends. If you select this option, Okta automatically sends the authorization request to the URL specified in the IdP Single Sign-On URL field.
    Request Signature Algorithm

    Select the signature algorithm that Okta uses to sign the SAML authorization messages that it sends to the IdP:

    • SHA-1: Select the SHA-1 algorithm.
    • SHA-256: Select the SHA-256 algorithm.
    Response Signature Verification

    Select the type of response signatures Okta accepts when validating incoming responses:

    • Response
    • Assertion
    • Response or Assertion
    Response Signature Algorithm

    Select the signature algorithm that Okta uses to validate the SAML messages and assertions that it receives from the IdP:

    • SHA-1: Select the SHA-1 algorithm.
    • SHA-256: Select the SHA-256 algorithm.
    Destination: Enter the destination attribute that Okta sends in the SAML authorization request. If you don't enter a destination and you select Sign SAML Authentication Requests, Okta automatically sends the destination attribute as the URL specified in the IdP Single Sign-On URL field.
    Okta Assertion Consumer Service URL

    Select an option to specify whether to use a trust-specific assertion consumer service (ACS) URL or one that is shared across the organization.

    • Trust-specific
    • Organization (shared)
    Max Clock Skew: Specify how long the assertion is valid. Enter a number and select the units. The authentication process calculates the difference between the current time and the time on the assertion timestamp to verify that the difference isn't more than the Max Clock Skew value.
  9. Click Finish.

Send Okta metadata

After you create an IdP, click Download metadata to access the Okta SAML metadata for this provider. Follow the IdP's instructions to provide metadata to them.

Security best practices

If you enable account linking, consider these best practices:

  • Configure an IdP

  • Authentication policies

  • Monitor events in the System Log

Configure an IdP

Use these settings:

  • Group Assignment: Specify the groups that you created for each external IdP.

  • If no match is found: Select Create new user (JIT) to provision users into your Okta org.

  • Account Link Policy: Consider disabling account linking after all existing users from the external IdP have signed in to your Okta org. At that point, all links have been created. After you disable linking, JIT provisioning adds new users that are created in the external IdP to Okta.

  • Filter: Select Only allow usernames that match defined RegEx Pattern.

    • If users from an external IdP have a different username domain than users from the Okta org, use a Regex pattern such as this example:

      ^[A-Za-z0-9._%+-]+@spokedomain\.com

    • If all users share the same domain, use a Regex pattern that excludes specific users. The list should include all known administrators in your Okta org. To allow any user except the ones explicitly mentioned, use this expression:

      ^((?!(admin\.user\.1@company\.com|admin\.user\.2@othercompany\.com)).)*$

      Users created by this expression are privileged accounts.

      The expression isn't dynamically updated. If new administrators or privileged users are created in your Okta org, you must update the expression manually.
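As an added illustration (not Okta's code), the following Python script applies the username rewrite from step 6 and the two filter patterns above to constructed sample usernames. It also shows why a pattern with no trailing `$` admits longer strings when a filter is evaluated as a prefix match rather than a full match; the page does not say which of the two Okta uses, so both are shown.

```python
import re

# Patterns quoted in the Security best practices section of the page.
SPOKE_DOMAIN_PATTERN = r"^[A-Za-z0-9._%+-]+@spokedomain\.com"
EXCLUDE_ADMINS_PATTERN = (
    r"^((?!(admin\.user\.1@company\.com|admin\.user\.2@othercompany\.com)).)*$"
)


def transform_username(name_id: str, old: str, new: str) -> str:
    """Mimic the step-6 rewrite: replace one substring of the asserted username."""
    return name_id.replace(old, new)


def username_allowed(username: str, pattern: str, full_match: bool = True) -> bool:
    """Apply a username filter pattern.

    full_match=True requires the whole username to match (re.fullmatch);
    full_match=False only requires a match at the start (re.match). This is an
    assumption made to compare the two semantics, not a statement of how Okta
    evaluates the filter.
    """
    matcher = re.fullmatch if full_match else re.match
    return matcher(pattern, username) is not None


def evaluate(username: str, pattern: str) -> dict:
    """Return the filter decision under both matching semantics."""
    return {
        "full": username_allowed(username, pattern, True),
        "prefix": username_allowed(username, pattern, False),
    }


if __name__ == "__main__":
    # Constructed sample usernames, not taken from any real tenant.
    print(transform_username("john.doe@mycompany.okta.com",
                             "mycompany.okta", "endpointA.mycompany"))
    for name in ["alice@spokedomain.com",
                 "alice@spokedomain.com.example.net",
                 "alice@company.com"]:
        print(name, evaluate(name, SPOKE_DOMAIN_PATTERN))
    for name in ["admin.user.1@company.com", "bob@company.com"]:
        print(name, evaluate(name, EXCLUDE_ADMINS_PATTERN))
```

If the filter turns out to be a prefix match, anchoring the domain pattern with a trailing `$` closes the gap the second sample username exposes.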

Authentication policies

  • Prevent Okta admins from signing in to the parent org through federation from an external IdP. Create a global session policy to deny access for users in the Okta Administrators group if they're from an external IdP. You can select multiple IdPs. Set this policy to be evaluated first.
  • Prevent access to the Admin Dashboard for any users who sign in through federation from an external IdP. Create an authentication policy for each external IdP. Configure the policy to deny access to selected apps, such as the Admin Dashboard. You can restrict access to any sensitive apps.
  • If possible, require all Okta admins to use phishing-resistant authenticators. Create a global session policy to require multifactor authentication (MFA) for the Okta Administrators group. Configure authentication policy rules to require phishing-resistant authenticators.
  • Users with custom admin roles are considered part of the Okta Administrators group. Therefore, users with custom admin roles are included in policies that affect Okta Administrators.

Monitor events in the System Log

Use the System Log to review authentication events through the IdP.

Search for eventType eq "user.authentication.auth_via_IDP" and review events that have an Okta System (SystemPrincipal) actor and an end user target. These events indicate that an account linking operation occurred. If the target user is a privileged user or an administrator, review all events to ensure that any potential incidents are addressed.
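To show what that review looks like offline, here is an added Python script (not Okta's code) that runs the same filter over constructed System Log entries: it keeps `user.authentication.auth_via_IDP` events whose actor is the Okta System (`SystemPrincipal`) and whose target is a user, then flags those whose target is in an assumed, hand-maintained list of privileged accounts.

```python
import json

LINK_EVENT = "user.authentication.auth_via_IDP"

# Constructed sample events in the shape of Okta System Log entries (not real log data).
SAMPLE_LOG = json.dumps([
    {"eventType": LINK_EVENT, "published": "2024-03-01T10:00:00.000Z",
     "actor": {"type": "SystemPrincipal", "displayName": "Okta System"},
     "target": [{"type": "User", "alternateId": "bob@company.com"}]},
    {"eventType": LINK_EVENT, "published": "2024-03-01T10:05:00.000Z",
     "actor": {"type": "SystemPrincipal", "displayName": "Okta System"},
     "target": [{"type": "User", "alternateId": "admin.user.1@company.com"}]},
    # Same event type but a user actor: not an account-linking operation.
    {"eventType": LINK_EVENT, "published": "2024-03-01T10:06:00.000Z",
     "actor": {"type": "User", "alternateId": "carol@spokedomain.com"},
     "target": [{"type": "User", "alternateId": "carol@spokedomain.com"}]},
    {"eventType": "user.session.start", "published": "2024-03-01T10:07:00.000Z",
     "actor": {"type": "User", "alternateId": "bob@company.com"},
     "target": []},
])

# Assumed watchlist of privileged accounts; like the regex on the page, it is
# not updated automatically and must be maintained by hand.
PRIVILEGED = {"admin.user.1@company.com", "admin.user.2@othercompany.com"}


def account_link_events(log_json: str) -> list:
    """Return events matching the page's search: auth_via_IDP with an
    Okta System (SystemPrincipal) actor and at least one user target."""
    hits = []
    for ev in json.loads(log_json):
        if ev.get("eventType") != LINK_EVENT:
            continue
        if ev.get("actor", {}).get("type") != "SystemPrincipal":
            continue
        users = [t.get("alternateId") for t in ev.get("target", [])
                 if t.get("type") == "User"]
        if users:
            hits.append({"published": ev.get("published"), "users": users})
    return hits


def privileged_link_events(log_json: str) -> list:
    """Narrow the linking events to those whose target is a privileged account."""
    return [h for h in account_link_events(log_json)
            if PRIVILEGED.intersection(h["users"])]


if __name__ == "__main__":
    for hit in privileged_link_events(SAMPLE_LOG):
        print("review:", hit["published"], hit["users"])
```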

Next steps

Add metadata for an Identity Provider


FAQs

Add a SAML Identity Provider?

Select Security > Identity providers. Select your identity provider Directory. Select Set up SAML single sign-on. Add SAML details.

What is the difference between SAML and identity provider?

The identity provider authenticates the user's credentials and then returns the authorization for the user to the service provider, and the user is now able to use the application. SAML authentication is the process of verifying the user's identity and credentials (password, two-factor authentication, etc.).

What is an example of a SAML service provider?

In the airline example, when you arrive at the gate, the airline (service provider) checks your ID (SAML) assertion. The airline accepts your ID as it contains your details, and the identity card or passport passes scrutiny as a valid document.

How do I add an identity provider to my app service?

On your app's left menu, select Authentication, and then select Add identity provider. In the Add an identity provider page, select Microsoft as the Identity provider to sign in Microsoft and Microsoft Entra identities. For Tenant type, select Workforce configuration (current tenant) for employees and business guests.

Can I make my own IdP?

Creating your own identity provider

RemotePC allows you to create your own identity provider and configure for SSO. You will require the following parameters to implement your own IdP: RemotePC uses SAML 2.0 with the HTTP Redirect for binding RemotePC to IdP and expects the HTTP Post binding for IdP to RemotePC.

How to create your own identity provider?

Create a new identity provider

Click Settings > Providers. Choose an Inline identity provider type and click Next. Give your identity provider a Name.

Is Google a SAML identity provider?

Google offers a SAML-based SSO service that allows partner companies to authorize and authenticate hosted users who are trying to access secure content.

Is Okta a SAML identity provider?

Okta acts as the SAML IdP and uses SSO and MFA to authenticate the user. Okta returns an assertion to the client applications through the end user's browser.

Are SAML and SSO the same?

Security Assertion Markup Language (SAML) is an authentication standard that allows for federated identity management and can support single sign-on (SSO). SSO is an authentication scheme that allows a user to log in with a single ID and password to any independent or federated software systems.

Is SAML obsolete?

Like OIDC, the SAML protocol is not obsolete. Various industries (such as healthcare and education) use it to securely authenticate users by enabling secure exchanges of assertions about a user's identity between an identity provider and a service provider.

How do I know if SAML is enabled?

In the "Security" section of the sidebar, click Authentication security. Under "SAML single sign-on", select Enable SAML authentication.

How does an identity provider work?

Think of an IdP as being like a guest list, but for digital and cloud-hosted applications instead of an event. An IdP may check user identities via username-password combinations and other factors, or it may simply provide a list of user identities that another service provider (like an SSO) checks.

Should I use an identity provider?

IdPs enable SSO — employees can log in to the IdP and gain access to all the connected apps. This not only reduces the work that goes into managing credentials for the hundreds of apps each employee uses but also reduces password fatigue and the number of support calls to IT for forgotten passwords.

What is identity provider vs service provider?

A service provider is a federation partner that provides services to the user. The Identity Provider authenticates the user and provides an authentication token (that is, information that verifies the authenticity of the user) to the service provider.

What is the URL of the identity provider?

Identity Provider URL

Identity Provider URL is the base path to an identity provider's OpenID Connect discovery document. An example Azure URL would be https://login.microsoftonline.com/common/v2.0 for their discovery document.

How to become a SAML service provider?

Configure Auth0 as SAML Service Provider
  1. Get metadata and certificate from the IdP. ...
  2. Create SAML Enterprise connection in Auth0. ...
  3. Configure SAML connection for proxy gateways. ...
  4. Customize the request template. ...
  5. Template variables. ...
  6. Configure the IdP. ...
  7. Test connection. ...
  8. Troubleshoot connection.

How do I create a SSO provider?

Implementing SSO In 5 Steps
  1. Map Out The Applications You Want to Connect to SSO. Identify which applications should be part of your SSO structure. ...
  2. Integrate With Identity Provider (IdP) ...
  3. Verify The Data in Your Identity Directory. ...
  4. Evaluate User Privileges. ...
  5. Ensure The SSO System is Highly Available and Secure.

How to build a SAML server?

Get started
  1. Verify components.
  2. Get an administrative access token.
  3. Create a token policy.
  4. Create a login policy.
  5. Create or modify a login client.
  6. Configure application client settings.
  7. Make an authorization request.
  8. Configure CNAMEs.

Article information

Author: Otha Schamberger
