Configure your Okta tenant as an Identity Provider

Configuring Okta as the Identity Provider (IdP) for Access Gateway involves three individual tasks.

You must have app admin and org admin privileges to complete these tasks.

  1. Create an Okta service account for Access Gateway

    Okta recommends that you create and use a dedicated service account to create the Access Gateway API key. This helps maintain accurate logs since Okta logs every action performed by an API key under the user that created the key.

    1. In the Admin Console, go to DirectoryPeople.
    2. Click Add person.
    3. Enter a name for the service account.
    4. Enter a placeholder email for the Username and Primary email. For example,

      Use placeholder values for the Username and Primary email to avoid interference between the service account and your account. Enter your email address as the Secondary email. Then, if you need to request a password reset, you're able to activate and maintain the service account.

    5. For the Secondary email, enter your valid administrator email.
    6. Select Send user activation email now and then click Save. The account is created and has a status of Pending user action.
    7. In the Admin Console, go to SecurityAdministrators.
    8. Click Add administrator.
    9. Select your service account in the Select admin dropdown.
    10. Select Application Administrator from the Role dropdown.
    11. Click Edit to configure the applications that the account can administrate. Click Constrain this role to the entire organization to allow the account to administrate all applications. Alternatively, you can create a resource set of the applications that the account can administrate. See Edit resources for a standard role assignment. Click Save resource set.
    12. Click Add assignment.
    13. Select Organization Administrator from the Role dropdown.
    14. Click Save.
    15. Sign out of your Okta administrator account.
    16. In the email account for your service account, open the activation email that you received from Okta and click the activation link.
    17. Set a password and a security question, and select a security image for the account.
    18. Upon completion, sign in with the new service account credentials.
  2. Create an Okta API token
    1. In the Admin Console, go to SecurityAPI.
    2. Click Create token.
    3. Enter a token name that identifies the token's purpose. For example, you might include Access Gateway or OAG in the name.
    4. Click Create token.
    5. Copy the Token Value and store it in a secure location, such as a password manager, for future reference. After you close this window, you can no longer view the token value.
    6. Click Ok, got it.
  3. Configure an IdP in Access Gateway
    1. In your browser, go to the Access Gateway Admin UI console and sign in as an administrator.
    2. Select the Settings tab.
    3. Click the Identity Providers pane.
    4. Click + and select OKTA.
    5. Enter the following:

      • Name: Enter a meaningful name for the IdP (for example, Okta IdP).

      • Okta Org: Enter your org (for example,,, or similar).

      • Okta API Token: Paste the token value that you copied from your Okta org when you created the Okta API token.

    6. Click Not Validated. This label changes to Validated when the Okta API Token is successfully validated,
    7. Click Okay. The Settings tab displays your Okta IdP status, which should be Valid.
    8. Click the Topology tab. Your IdP is represented by an icon labeled with the name that you entered.
    9. Click your IdP's icon. If it's configured correctly, you're redirected to your Okta tenant.