Mapping Active Directory, LDAP, and Workday Values in a Template SAML or WS Fed Applications
When you integrate Okta with third party SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0 service providers using the Template SAML 2.0 application, you can now map Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management., LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services., and Workday user values to SAML attributes. In addition to the standard Okta profile attributes (First Name, Last Name, Email, and Okta Username), you can use additional attributes that have been pulled into Okta from Workday, Active Directory, and other LDAP directories.
NOTE: It is strongly recommended to use the SAML AppAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. integration Wizard instead of this Template SAML app for creating new SAML integrations via the UI. The Wizard is both more powerful and easier to use than the Template and will get even better over time. The ability to create new Templates may also be restricted in the future. However, existing Templates will continue to be supported. See Using the App Integration Wizard for more details.
To configure your Template SAML 2.0 application, perform the following steps:
From the Administrator Dashboard, select Applications and click the Add Applications button.
Enter Template SAML 2.0 App in the search field and select it.
After configuring the General Settings for this app, select the Sign On tab and click the View Setup Instructions link.
Note: For a list of the supported values, select the Active Directory, LDAP, or Workday link on this page.
Identify the instanceId for the repository you want to use. The instanceId of all the configured Active Directory, LDAP, and Workday instances are available on your screen. For example, in the screenshot below, you can see an LDAP instance with the ID of "0oa1npu9k2M2FZAGTMPV". Use that instanceID for each attribute referenced in the mapping.
On the General tab of the Template SAML 2.0 app, configure the attribute statement field to map user values to SAML attributes. For each repository type (Active Directory, LDAP, and Workday), the attribute names and lists are slightly different. Make sure you use the corresponding attribute names for your repository. The Application Specific Attributes section provides a list of the Active Directory, LDAP, and Workday attribute names and formats that are available.
Note: The maximum characters allowed in a SAML attribute is 1024 characters. The attribute formatting information is not required. If you run out of space in this attribute statement, try removing the format statement below for each attribute; for example urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified.