- Attribute Statements (Optional) – You can federate Okta user profile field values to SAML attributes. The Service Provider will use the federated SAML attribute values accordingly. This allows you to send SAML attributes based on roles using groups. The following steps are required.
- After creating a SAML app, select Directory > Profile Editor, and find the app you just created. Click the Profile button to the right of the app.
- In the Attributes screen that opens, click the Add Attribute button.
- Add a new attribute and set the Attribute Type to Group.
- Navigate to Applications > Application and click on the app name.
- In the screen that opens, select General. Then, click Edit in the SAML Settings section.
- In the screen that opens, click the Next button.
- In the Attribute Statements (Optional) section, type in the name of the attribute you just created in step 3. This value is not populated in the drop-down list automatically. For the Value, type appuser, a period, and the attribute name. For example, if your attribute is named NewRole, the Value is appuser.NewRole.
- When done, click the Next button.
- On the Applications page, select Assignments. Click the Assign button, and select Assign to Groups. In the window, click Assign to the right of the group. You can verify these assignments with a SAML tracer.
For details on creating custom expressions, see Okta Expression Language.
- Group Attribute Statements (Optional) – If your org supports a large number of groups, use this option to filter them into a single SAML assertion. Filtering options include Starts With, Equals, Contains, and Regex expressions.
- Preview SAML
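The last step above says to verify the assignments with a SAML tracer, and the Group Attribute Statements option filters groups into the same assertion. The following is an added example (not Okta's code, and not the SP's real validation logic) that shows what such a check looks like on the Service Provider side: it decodes a SAMLResponse as a tracer would, pulls every Attribute out of the AttributeStatement, and compares the result with what was configured in Okta. The response XML, the user, the attribute name NewRole (from the example in step 7) and the group names are all constructed for the example.

```python
"""Inspect the AttributeStatement of a SAML assertion (added example).

After configuring a group attribute such as NewRole with the value
appuser.NewRole in Okta, the SAMLResponse sent to the SP carries it in
<saml2:AttributeStatement>. This decodes and parses a constructed
response the way a SAML tracer shows it and checks that the attributes
the SP expects are actually present.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample (hypothetical user, attribute values and groups):
# what the decoded SAMLResponse might look like when the NewRole attribute
# resolves to "admin" and a group filter matches two groups.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-response-example">
  <saml2:Assertion ID="id-assertion-example">
    <saml2:Subject>
      <saml2:NameID>alice@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="NewRole">
        <saml2:AttributeValue>admin</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="groups">
        <saml2:AttributeValue>app-admins</saml2:AttributeValue>
        <saml2:AttributeValue>app-users</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def decode_saml_response(b64: str) -> str:
    """A tracer shows the SAMLResponse form field base64-encoded; decode it."""
    return base64.b64decode(b64).decode("utf-8")


def extract_attributes(xml_text: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement.

    Note: this only reads attributes. A real SP must verify the assertion's
    XML signature (and audience, conditions, replay) before trusting any of
    these values; parsing is not validation.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attribute in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        name = attribute.get("Name")
        values = [v.text or "" for v in attribute.iterfind("saml2:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_expected(attrs: dict, expected: dict) -> list:
    """List the expected attributes that are missing or carry other values.

    expected maps attribute name -> list of values, or None to only require
    that the attribute is present (useful for the filtered group list).
    """
    problems = []
    for name, wanted in expected.items():
        got = attrs.get(name)
        if got is None:
            problems.append(f"missing attribute {name}")
        elif wanted is not None and sorted(got) != sorted(wanted):
            problems.append(f"{name}: expected {wanted}, got {got}")
    return problems


if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")
    found = extract_attributes(decode_saml_response(encoded))
    print(found)
    print(check_expected(found, {"NewRole": ["admin"], "groups": None}))
```

Running the block prints the attribute map and an empty problem list; changing the expected role to a value the assertion does not carry, or dropping the group filter so that no groups attribute is sent, makes `check_expected` report it, which is the same mismatch a tracer would let you spot by eye.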