Administer Identity Providers
Overview
The purpose of this guide is to describe Access Gateway Identity Providers and how they are created, used, and managed.
Concepts
Identity Providers provide:
- Identity federation between Access Gateway and Okta tenants or local identity providers.
- Services such as:
  - Authorization and authentication support.
  - Application data for identification and policy decisions.

To add an Okta Tenant as an IDP:

- In your browser, navigate to your Okta Org and log in as an Administrator.
Best Practice
Okta recommends creating a specific Service Account in Okta that will be used to create the Access Gateway API key. This is important because every action performed by an API key is logged under the user that created the key. In the interest of maintaining accurate logs, a dedicated Access Gateway Service Account is recommended.
- Navigate to the Directory > People section.
- Click Add Person.
- Enter a descriptive First name and Last name in the Service Account naming fields (i.e., Service Admin). Enter a dummy email (i.e., service.admin@domain.com) for the Username and Primary email.
Best Practice
Use a dummy value for the Username and Primary email fields so that there is no interference between the Service Account and your own account in the event of a password reset request, etc. Adding your own email address to the Secondary email field ensures you can activate and maintain the Service Account.
- Enter your valid Administrator Email in the Secondary email field. Click the Send user activation email checkbox, and click Save.
- You should now see your newly created Service Account under the Activated people tab with a Password reset status.
- Navigate to the Security → Administrators section.
- Click Add Administrator.
- Enter the name of the Service Account created earlier in the Grant administrator role to field. Click the Super Administrator checkbox, and click Add Administrator.
- You should now have two Super Administrator accounts.
- Sign out of your Okta Admin Account.
- In your email, open the Service Account Activation Email you received from Okta and click the Activation link.
- After clicking the link, you will be asked to create a password, answer a security question, and select an account security image.
- Upon completion, log in with the new Service Account credentials.

- In the Service Account Dashboard, select Security → API from the menu options.
- On the API page, click Create Token.
- Enter a Token Name in the pop-up window, and click Create Token.
Best Practice: Use a name that easily identifies the token's purpose. In this case, the token is being used in an Access Gateway appliance, so including "Access Gateway" or "OAG" and other relevant information is recommended.
- Copy the displayed Token Value to a safe place before clicking Ok, got it.
Warning: Once you close the pop-up window, you can never display the token value again! Ensure you copy the token to a safe, secure location (such as a password manager or secure note database) for future reference.

- In your browser, navigate to the Access Gateway Admin UI and log in as an administrator.
- Select the Settings tab.
- Click the Identity Providers pane.
- Click the + button, and select OKTA.
- Enter an app name in the Name field, fill out the Okta Org URL and Okta API Token fields with the values generated earlier, and click Not Validated.
- Once the Okta API Token is validated, the Not Validated button turns green and changes to [Validated].
- Click Okay.
- The Settings tab will now display your Okta IDP status; verify it displays a Valid status.
- Navigate to the Topology tab to test the IDP's connection.
- Click the Okta IDP icon; you are redirected to your Okta tenant.
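The Not Validated / Validated check above is, in effect, one authenticated call to the Okta org with the API token. The following Python script is an added example (not Access Gateway's own code and not from the Okta documentation) that performs the same pre-check from a workstation before the values are typed into the Admin UI: it rejects a malformed Org URL, calls Okta's GET /api/v1/users/me with the SSWS token header, and reports which user the token belongs to, which is the account that will appear in the System Log for every Access Gateway action. The function names and the `opener` parameter are this example's own; the sample response body is constructed.

```python
"""Pre-validate an Okta Org URL / API token pair before entering it in
Access Gateway. Added example, not Access Gateway code. It assumes the
real Okta endpoint GET /api/v1/users/me authenticated with an SSWS token."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse


def normalize_org_url(org_url: str) -> str:
    """Accept only an https origin (no path, query or fragment) and return it
    in canonical https://<host> form; anything else is rejected early."""
    p = urlparse(org_url.strip())
    if p.scheme != "https" or not p.netloc or p.path not in ("", "/") or p.query or p.fragment:
        raise ValueError(f"Org URL must be https://<org-host> with no path: {org_url!r}")
    return f"https://{p.netloc}"


def classify_validation(status: int, body: bytes) -> dict:
    """Turn an Okta HTTP response into the Validated / Not Validated decision.
    On 200 the body is the token owner's user record; its profile.login is the
    identity every action made with this token is logged under."""
    if status == 200:
        me = json.loads(body)
        return {"valid": True, "token_owner": me["profile"]["login"]}
    if status == 401:
        return {"valid": False, "reason": "token rejected (revoked, expired, or wrong org)"}
    return {"valid": False, "reason": f"unexpected HTTP {status}"}


def validate_okta_idp(org_url: str, api_token: str, opener=urllib.request.urlopen) -> dict:
    """Perform the validation call. `opener` is injectable so the decision
    logic can be exercised offline; by default it is urllib's urlopen."""
    base = normalize_org_url(org_url)
    req = urllib.request.Request(
        f"{base}/api/v1/users/me",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    try:
        with opener(req, timeout=10) as resp:
            return classify_validation(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # Okta returns 401 for a bad token; urllib raises it as HTTPError.
        return classify_validation(err.code, err.read())


# Constructed sample body, shaped like an Okta user record for the dedicated
# service account recommended above (not captured from a real tenant).
SAMPLE_ME_BODY = json.dumps({
    "id": "00uEXAMPLEPLACEHOLDER",
    "status": "ACTIVE",
    "profile": {"login": "service.admin@domain.com", "email": "service.admin@domain.com"},
}).encode()


if __name__ == "__main__":
    print(normalize_org_url("https://example.okta.com/"))
    print(classify_validation(200, SAMPLE_ME_BODY))
    print(classify_validation(401, b'{"errorCode":"E0000011"}'))
    # Live check (needs network and a real token):
    # print(validate_okta_idp("https://example.okta.com", "<token from password manager>"))
```

If `token_owner` comes back as your personal admin login rather than the service account, the token was created while signed in as the wrong user and should be revoked and re-created from the Service Account Dashboard, otherwise Access Gateway's activity will be attributed to you in the System Log.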

To add a local IDP:
- In your browser, navigate to the Access Gateway Admin UI and log in as an administrator.
- Select the Settings tab.
- Click the Identity Providers pane.
- Click the + button, and select Local SAML IDP.
- Enter the following fields (field, description, example):
  - Name: Required. A unique name that identifies the IDP; displayed in the list of IDPs. Example: My Local IDP
  - Host: Required. A unique Access Gateway hosted domain. Must not match any others. Example: idp.domain.tld
  - Cookie Domain: Required. A unique Access Gateway hosted domain name. This must not match existing Access Gateway domain names. Example: domain.tld
  - Default Auth Module: Required. A previously created auth module. See Administer Auth Modules for more information.
  - Name Attribute: Required. Attribute to be obtained from the remote Active Directory. Example: email
  - Name Attribute Format: Required. Defines the Name Format used in the SAML assertion. Select one of the values from the drop-down list. Example: Email address
- Click Okay to complete creation of the IDP, or Cancel to cancel.
- After any creation or update, all Identity Providers are validated. A valid identity provider shows the status Valid.
Next Steps
- Manage Authorization Modules. For more information see Administer Auth Modules.
- Use attributes in applications. For more information see Application Attributes.
- Use behaviors in applications. For more information see Administer Behaviors.
- Use policies in applications. For more information see Application Policy Overview.