Add a SAML Identity Provider

Adding a SAML Identity Provider (IdP) is the first step in the process of configuring inbound SAML.

Start this task

  1. In the Admin Console, go to Security > Identity Providers.
  2. Click Add Identity Provider, and then select Add SAML 2.0 IdP.
  3. Configure the General Settings. If a View Setup Instructions link appears, click it first. Some providers have their own detailed instructions.
    Name

    The name that you choose for this IdP.

    Protocol

    Only SAML 2.0 is supported.

  4. Configure Authentication Settings.
    IdP username

    The element in the SAML assertion that contains the username. The drop-down list contains the default value, saml.subjectNameId.

    You can enter an expression to reformat the value. For example, if the username in the SAML assertion is john.doe@mycompany.okta.com, you could specify the replacement of mycompany.okta with endpointA.mycompany to make the transformed username john.doe@endpointA.mycompany.com. If you want to enter an expression, use the Okta Expression Language syntax.

    Filter

    Select Filter only if you want to enter an expression as a username filter. Specifying a filter limits the selection of usernames before authentication.

    Match against

    Select the field in Okta against which the transformed username is matched.

    Account Link Policy

    Specify whether Okta automatically links the user's IdP account with a matching Okta account.

    Auto-Link Restrictions

    When automatic account linking is enabled, indicate whether you want to restrict linking to specified user groups.
    If no match is found

    Specify whether to create a new user account with Just In Time (JIT) provisioning or to redirect the end user to the Okta Sign-In page.

    Note that for the first option, JIT provisioning must be enabled in two places:

    1. In this modal, by clicking Create new user (JIT).

    2. In Settings > Customization > Just In Time Provisioning, by clicking Enable Just In Time Provisioning.

  5. Configure JIT Settings.
    Profile Source

    When the Update attributes for existing users box is selected, existing users are updated with the information in the SAML assertion. Profile information is not pushed if this box is not selected.

    Reactivation Settings

    These options are visible if you selected Update attributes for existing users.

    Reactivate users who are deactivated in Okta: Choose whether a user who is deactivated in Okta is reactivated when the IdP reactivates them and they sign in again through this IdP.

    Unsuspend users who are suspended in Okta: Choose whether a user who is suspended in Okta is unsuspended when the IdP reactivates them and they sign in again through this IdP.

    Group Assignments

    Specify the groups to which the users in the SAML assertion should be added. Choose one of the options from the drop-down menu. Each option requires different information.

    • None: Do not assign the authenticated users to any groups. No other information is required.

    • Assign to specific groups: Assign each user to the groups listed in the Specific Groups field. You must enter one or more groups in the field.

    • Add user to missing groups: Users are added to any groups in the SAML assertion of which they are not already members; they are not removed from groups they already belong to. In the SAML Attribute Name field, enter the name of the SAML attribute (from the attribute statements in the assertion) whose values represent group memberships. Those values are compared with the groups listed in the Group Filter field, and only matching values result in group membership during JIT. The Group Filter field is therefore a security allowlist: list only the groups that the IdP may assign dynamically, and any other group value the IdP asserts is ignored. This keeps control over which groups (including privileged ones) the IdP can place users into with the Okta admin rather than with the IdP. You must enter the SAML Attribute Name and list one or more Okta groups in the Group Filter field.

    • Full sync of groups: Assign the user to the groups represented by the values of the attribute specified in SAML Attribute Name, if those groups are listed in the Group Filter.

    Note that if the user is a member of any Okta group that does not match a value of the attribute named in the SAML Attribute Name field, the user is removed from that Okta group. Use this option only if the IdP is meant to be the source of truth for the user's group membership.

  6. Configure SAML Protocol Settings.
    IdP Issuer URI

    The issuer URI from the IdP.

    IdP Single Sign-On URL

    The sign-on URL from the IdP. If you sign the authN request by selecting the Request Signature option but leave the Destination field empty (see Advanced Settings), Okta automatically sends the authN request to this URL.

    IdP Signature Certificate

    The certificate from the IdP that Okta uses to verify the signature on the response or assertion.
  7. Optional. Configure Advanced Settings.
    Request Binding

    The SAML Authentication Request Protocol binding that Okta uses to send SAML AuthnRequest messages to the IdP. Usually HTTP POST.

    Request Signature

    Specify whether to sign the SAML AuthnRequest messages that Okta sends. If you select this option and leave the Destination field empty, Okta sets the destination of the authN request to the URL in the IdP Single Sign-On URL field.

    Request Signature Algorithm

    The signature algorithm used to sign the SAML authN messages sent to the IdP.
    Response Signature Verification

    Specify which signatures Okta requires when validating incoming responses: Response, Assertion, or Response or Assertion. Response or Assertion is the most permissive setting, because either signature alone is accepted; choose the narrower option that matches what your IdP actually signs.

    Response Signature Algorithm

    Specify the minimum signature algorithm accepted when validating SAML messages and assertions issued by the IdP: SHA-1 or SHA-256. SHA-1 is deprecated for signatures; select SHA-256 unless the IdP cannot produce it, and treat SHA-1 as a temporary exception.

    Destination

    The destination attribute sent in the SAML authN request. If you do not enter a destination and you sign the authN request by selecting the Request Signature option, Okta automatically sends the destination attribute as the URL specified in the IdP Single Sign-On URL field (the SSO URL).

    Okta Assertion Consumer Service URL

    Specify whether to use a trust-specific assertion consumer service (ACS) URL or one that is shared across the organization.

    Max Clock Skew

    Specify the maximum difference that is tolerated between Okta's clock and the timestamp in the assertion. Enter a number and select the units. During authentication, Okta calculates the difference between the current time and the assertion timestamp and rejects the assertion if the difference is more than the Max Clock Skew value. Keep this value small: a larger skew widens the window in which a captured assertion remains usable.

  8. Click Add Identity Provider.
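The following is an added example, written for this page and not Okta's own code, that models what three of the settings above do to an incoming assertion: the IdP username transform from step 4, Max Clock Skew, and the Group Assignments options with the Group Filter allowlist from the JIT settings. The assertion is constructed and unsigned (signature verification is out of scope here), the mode names `none`, `specific`, `add_missing` and `full_sync` are this example's own labels for the four drop-down options, `str.replace` stands in for the Okta Expression Language transform, and the example assumes that a full sync removes only groups that are themselves listed in the Group Filter, which the page does not state.

```python
"""Model of the inbound-SAML settings: username transform, Max Clock Skew and
JIT Group Assignments.  Example code for this page, not Okta's implementation."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion.  The IdP asserts three group values, one of
# which ("Super Admins") the Okta admin never put in the Group Filter.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>john.doe@mycompany.okta.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:30Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
      <saml:AttributeValue>Super Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_utc(stamp):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subject_name_id(assertion_xml):
    """saml.subjectNameId, the default IdP username source."""
    return ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS).text


def transform_username(name_id, old="mycompany.okta", new="endpointA.mycompany"):
    """The page's reformatting example; in the Admin Console this would be an
    Okta Expression Language expression rather than str.replace."""
    return name_id.replace(old, new)


def within_clock_skew(assertion_xml, now, max_skew_s):
    """Max Clock Skew: accept the assertion only if `now` is inside the
    NotBefore/NotOnOrAfter window after allowing max_skew_s seconds of skew.
    A larger skew widens the window in which a captured assertion can be replayed."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    skew = timedelta(seconds=max_skew_s)
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    return now + skew >= not_before and now - skew < not_on_or_after


def attribute_values(assertion_xml, attr_name):
    """Values of the attribute named in the SAML Attribute Name field."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            return [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return []


def jit_groups(mode, asserted, current, specific=(), group_filter=()):
    """Groups the user ends up in after JIT, for each Group Assignments option.
    `current` is the user's existing Okta membership, `asserted` the values the
    IdP sent, `group_filter` the allowlist.  Assumption (not stated on the page):
    full sync removes only groups that are themselves in the Group Filter."""
    current, asserted, allowlist = set(current), set(asserted), set(group_filter)
    allowed = asserted & allowlist  # anything the IdP asserts outside the filter is ignored
    if mode == "none":
        return current
    if mode == "specific":
        return current | set(specific)
    if mode == "add_missing":
        return current | allowed
    if mode == "full_sync":
        return (current - allowlist) | allowed
    raise ValueError(f"unknown Group Assignments mode: {mode}")


def process(assertion_xml, now, max_skew_s, mode, current, group_filter):
    """Apply the settings in order; returns (username, groups) or raises ValueError."""
    if not within_clock_skew(assertion_xml, now, max_skew_s):
        raise ValueError("assertion outside Max Clock Skew window")
    username = transform_username(subject_name_id(assertion_xml))
    groups = jit_groups(mode, attribute_values(assertion_xml, "groups"),
                        current, group_filter=group_filter)
    return username, groups


if __name__ == "__main__":
    now = parse_utc("2024-05-01T12:01:00Z")
    for mode in ("add_missing", "full_sync"):
        print(mode, process(SAMPLE_ASSERTION, now, 120, mode,
                            {"Everyone", "Contractors", "Legacy-Team"},
                            ["Engineering", "Contractors", "Legacy-Team"]))
```

Running it shows the two outcomes that matter in practice: in both modes "Super Admins" never appears in the result because it is not in the Group Filter, and only the full sync drops "Legacy-Team", which is in the filter but no longer asserted by the IdP.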

Send Okta Metadata

After you create an IdP, click Download metadata to access the Okta SAML metadata for this provider. Follow the IdP's instructions to provide metadata to them.

Next step

Add metadata for an Identity Provider