Configure Okta as SAML Identity Provider
Configure Okta as a SAML identity provider by completing the following steps:
Configure Okta SAML integration
Configure SAML connection in Auth0.
Enable access to the connection.
Test connection.
Prerequisite
You must have an Okta Developer account.
Configure Okta SAML integration
Sign in to the Okta Developer Console.
Use the App Integration Wizard to add an application for use with Auth0.
Use the SAML App Wizard to create your SAML integration. When done, you'll be directed to the Sign On page for your newly-created app.
Click View Setup Instructions to complete the process.
Note the Identity Provider Single Sign-On URL, and download a copy of the X.509 certificate.
Configure SAML connection in Auth0
Go to Auth0 Dashboard > Authentication > Enterprise > SAML and click the plus icon to create a new connection.
Provide the appropriate configuration settings for this connection. The only mandatory fields are:
Connection Name: a name for the connection.
Sign In URL: the Identity Provider Single Sign-On URL you noted from the Okta setup wizard.
X509 Signing Certificate: upload the certificate you downloaded from Okta. Auth0 uses this certificate to verify the signature on every SAML response the connection receives, so it must be the one Okta signs with.
Click Save. In the next window, you are given two options:
If you are a domain administrator, click Continue for additional instructions on SAML identity provider configuration.
If you are not a domain administrator, give the provided URL to your domain administrator so that they can finish the configuration.
Enable and test connection access
Go to Auth0 Dashboard > Applications > Applications to see the list of applications associated with your Auth0 account.
Click Connections on the row for your application.
Scroll to the Enterprise section, and enable the Okta connection for the associated application.
On the row associated with Okta, click Try to test the connection. If your test was successful, you'll see the It works! screen. If not, you'll see an error message containing details on what the issue might be.
The Try button works only for users logged in to the Auth0 Dashboard; you can't send it to an anonymous user, such as a customer. If you don't have an Okta user, configure IdP-initiated SSO so that someone who does can try the connection from their Okta portal.
The user might see the Okta dashboard after authenticating using a Service Provider-initiated login flow. If you integrated your application with Auth0 using the OIDC protocol, Auth0 takes the value of the state parameter and passes it to Okta as the SAML RelayState parameter. Okta uses RelayState to decide where to send the user after authentication, so make sure that you set state to a value that Okta can use; otherwise the user lands on the Okta dashboard instead of returning to your application.
IdP-initiated SSO
Okta provides an Application Portal/Launcher for their users.
If you would like to support the Okta Application Portal/Launcher, change the Single Sign-on URL in the Okta dashboard to
https://{yourDomain}/login/callback?connection=YOUR_CONNECTION_NAME
replacing YOUR_CONNECTION_NAME with the name of your Auth0 connection.
See IdP-Initiated SSO for information on configuring your Auth0 Connection to route the incoming SAML Response.
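As an added illustration of the two flows this page describes (the Service Provider-initiated flow in which the OIDC state value rides on the SAML RelayState parameter, and the IdP-initiated callback URL for the Okta Application Portal), here is a standard-library Python script. It is example code written for this page, not Auth0's or Okta's implementation. The Auth0 domain, connection name, SP entity ID, Okta sign-in URL and Okta issuer string are placeholder assumptions, and the SAMLResponse it checks is constructed and unsigned, so the XML signature check that Auth0 performs with the uploaded X.509 certificate is deliberately left out.

```python
"""Added example: SP-initiated SAML redirect to Okta carrying state as RelayState,
checks on the returned SAMLResponse, and the IdP-initiated callback URL.
Placeholder values below are assumptions, not taken from Okta or Auth0."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical tenant, connection and Okta app values (assumed for the example).
AUTH0_DOMAIN = "example.us.auth0.com"
CONNECTION_NAME = "okta-saml"
SP_ENTITY_ID = f"urn:auth0:example:{CONNECTION_NAME}"
OKTA_SIGN_IN_URL = "https://dev-000000.okta.com/app/exampleapp/abc123/sso/saml"
OKTA_ISSUER = "http://www.okta.com/exk000000000000000"  # constructed issuer string


def idp_initiated_callback_url(domain, connection):
    """Single Sign-on URL to configure in Okta for Application Portal launches."""
    return f"https://{domain}/login/callback?connection={connection}"


ACS_URL = idp_initiated_callback_url(AUTH0_DOMAIN, CONNECTION_NAME)


def build_authn_request(request_id, issue_instant):
    """Minimal samlp:AuthnRequest naming this connection as the SP."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{OKTA_SIGN_IN_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_to_idp(state, request_id=None):
    """HTTP-Redirect binding: raw-DEFLATE + base64 the request and carry the
    OIDC state as RelayState. Returns (request_id, redirect_url); the SP must
    remember request_id to check InResponseTo on the way back."""
    request_id = request_id or "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request(request_id, now).encode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header/trailer
    packed = base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()
    query = urlencode({"SAMLRequest": packed, "RelayState": state})
    return request_id, OKTA_SIGN_IN_URL + "?" + query


def decode_saml_request(url):
    """What the IdP does with the redirect: inflate SAMLRequest, read RelayState."""
    params = parse_qs(urlsplit(url).query)
    raw = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    return ET.fromstring(raw), params["RelayState"][0]


def check_response(response_b64, expected_request_id):
    """Structural checks on a SAMLResponse before it is trusted. The XML-DSig
    check against the uploaded X.509 certificate is out of scope here and must
    also pass in real deployments. Returns the NameID or raises ValueError."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError(f"Destination {root.get('Destination')!r} is not our callback")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if root.findtext(f"{{{SAML}}}Issuer") != OKTA_ISSUER:
        raise ValueError("Issuer is not the configured Okta IdP")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    name_id = root.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id:
        raise ValueError("assertion carries no NameID")
    return name_id


def sample_response(in_response_to, destination=ACS_URL):
    """Constructed, unsigned SAMLResponse standing in for what Okta would POST."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{destination}" InResponseTo="{in_response_to}">'
        f"<saml:Issuer>{OKTA_ISSUER}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{OKTA_ISSUER}</saml:Issuer>"
        "<saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    rid, url = redirect_to_idp(state="opaque-oidc-state-123")
    req, relay = decode_saml_request(url)
    print("Okta receives RelayState:", relay, "for request", req.get("ID"))
    print("NameID accepted:", check_response(sample_response(rid), rid))
```

The Destination check is the one that matters most for the IdP-initiated setup: a response whose Destination is not exactly the connection's /login/callback URL is rejected, which is why the Single Sign-on URL configured in Okta has to match the Auth0 connection name character for character.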