Mapping Active Directory, LDAP, and Workday Values in a Template SAML or WS Fed Applications

When you integrate Okta with third party SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. 2.0 service providers using the Template SAML 2.0 application, you can now map Active Directory, LDAP, and Workday user values to SAML attributes. In addition to the standard Okta profile attributes (First Name, Last Name, Email, and Okta Username), you can use additional attributes that have been pulled into Okta from Workday, Active Directory, and other LDAP directories.

NOTE: It is strongly recommended to use the SAML AppAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. integration Wizard instead of this Template SAML app for creating new SAML integrations via the UI. The Wizard is both more powerful and easier to use than the Template and will get even better over time. The ability to create new Templates may also be restricted in the future. However, existing Templates will continue to be supported. See Using the App Integration Wizard for more details.

To configure your Template SAML 2.0 application, perform the following steps:

  1. From the Administrator Dashboard, select Applications and click the Add Applications button.

  2. Enter Template SAML 2.0 App in the search field and select it.

  3. After configuring the General Settings for this app, select the Sign On tab and click the View Setup Instructions link.

    Note: For a list of the supported values, select the Active Directory, LDAP, or Workday link on this page.


  4. Identify the instanceId for the repository you want to use. The instanceId of all the configured Active Directory, LDAP, and Workday instances are available on your screen. For example, in the screenshot below, you can see an LDAP instance with the ID of "0oa1npu9k2M2FZAGTMPV". Use that instanceID for each attribute referenced in the mapping.


  5. On the General tab of the Template SAML 2.0 app, configure the attribute statement field to map user values to SAML attributes. For each repository type (Active Directory, LDAP, and Workday), the attribute names and lists are slightly different. Make sure you use the corresponding attribute names for your repository. The Application Specific Attributes section provides a list of the Active Directory, LDAP, and Workday attribute names and formats that are available.

    Note: The maximum characters allowed in a SAML attribute is 1024 characters. The attribute formatting information is not required. If you run out of space in this attribute statement, try removing the format statement below for each attribute; for example urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified.