Application Integration Wizard SAML field reference

General Settings

App logo Upload a logo to use for your integration in the Okta org. The logo must be in PNG, JPG, or GIF format, and be smaller than 1 MB.

For best results, use a PNG image with a transparent background and a landscape orientation. Use a minimum resolution of 420 x 120 pixels to prevent upscaling.

App visibility Select Do not display application icon to users to hide your integration from end users.

SAML Settings

General
Single sign-on URL

The location to send the SAML assertion using a POST operation. This URL is required and serves as the default Assertion Consumer Service (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests.

The Single sign-on URL can't contain underscores (_).

Use this for Recipient URL and Destination URL is selected by default. This setting uses the same URL for both the recipient and destination URLs. If your integration requires different URLs, clear the checkbox and provide values for the following fields:

  • Recipient URL: The location where the app can present the SAML assertion; Okta writes it to the Recipient attribute of the assertion's SubjectConfirmationData. This is usually the Single Sign-On (SSO) URL.
  • Destination URL: The location to send the SAML Response; Okta writes it to the Destination attribute of the Response element.
Audience URI (SP Entity ID) The intended audience of the SAML assertion. This is usually the Entity ID of your app.
Default RelayState The URL of the resource to direct users after they successfully sign in to the SP using SAML. See the SP documentation to check if you need to specify a RelayState. In most instances, you can leave this field blank.
Name ID format The username format to send in the SAML Response.

Use the default (Unspecified) if the app documentation doesn't explicitly specify a format.

When NameIDPolicy is included in the SAML Request, the Name ID format must match it.
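The General settings above each correspond to one location in the SAML Response that the Service Provider must check before it trusts the assertion. The following is an added example (not code from the Okta page) of those SP-side checks in Python using only the standard library: Destination, Recipient, Audience and NameID Format are compared against the configured values, and the validity windows are enforced. The sample Response, its URLs, entity IDs and timestamps are constructed for the example, and signature verification (which must come first) is out of scope.

```python
"""Added example, not from the Okta page: the checks a Service Provider (SP)
performs on a received Response to enforce the General SAML settings.
Each setting maps to one place in the XML that the SP must verify, after
the signature has been validated (signature checking is out of scope here):

  Single sign-on URL / Destination URL -> samlp:Response/@Destination
  Recipient URL                        -> saml:SubjectConfirmationData/@Recipient
  Audience URI (SP Entity ID)          -> saml:Conditions/AudienceRestriction/Audience
  Name ID format                       -> saml:NameID/@Format

All URLs, entity IDs and timestamps below are constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample Response (what arrives after base64-decoding the POSTed
# SAMLResponse form field); no ds:Signature is shown to keep it short.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>http://www.okta.com/exkexample</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exkexample</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
            NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC timestamps SAML uses (no fractional seconds in this sample)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, acs_url, recipient_url, audience_uri,
                      nameid_format, now_iso):
    """Return a list of problems; an empty list means every configured value
    matched and the assertion is inside its validity window at now_iso."""
    now = _ts(now_iso)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]

    # Destination URL: the Response must be addressed to this SP endpoint.
    if root.get("Destination") != acs_url:
        problems.append("Destination %r != configured ACS %r" % (root.get("Destination"), acs_url))

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion, found %d" % len(assertions)]
    a = assertions[0]

    # Name ID format must be what the app was told to expect.
    nid = a.find("saml:Subject/saml:NameID", NS)
    fmt = nid.get("Format") if nid is not None else None
    if fmt != nameid_format:
        problems.append("NameID Format %r != expected %r" % (fmt, nameid_format))

    # Recipient URL on the bearer SubjectConfirmationData, plus its expiry.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient_url:
        problems.append("Recipient missing or != configured Recipient URL")
    elif scd.get("NotOnOrAfter") is None or _ts(scd.get("NotOnOrAfter")) <= now:
        problems.append("SubjectConfirmationData expired or has no NotOnOrAfter")

    # Audience URI (SP Entity ID): the assertion must be meant for this SP.
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience_uri not in audiences:
        problems.append("Audience %r not in %r" % (audience_uri, audiences))

    # Conditions window; a real SP adds a small clock-skew allowance here.
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and _ts(cond.get("NotBefore")) > now:
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and _ts(cond.get("NotOnOrAfter")) <= now:
            problems.append("assertion expired")
    return problems


if __name__ == "__main__":
    cfg = dict(acs_url="https://sp.example.com/saml/acs",
               recipient_url="https://sp.example.com/saml/acs",
               audience_uri="https://sp.example.com/saml/metadata",
               nameid_format=EMAIL_FORMAT)
    print(validate_response(SAMPLE_RESPONSE, now_iso="2024-01-01T00:01:00Z", **cfg))  # []
    print(validate_response(SAMPLE_RESPONSE, now_iso="2024-01-01T00:10:00Z", **cfg))  # expired
```

Audience and Recipient are the two checks most often skipped by hand-rolled SP code; without them an assertion issued for a different app (same Okta org, same user) replays cleanly against this one.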

Application username format The default value to use for a user's app username.

To maintain security, don't define the app username using fields that end users can edit. An end user who can change such a field could change which app account they sign in as.

Update application username on Choose when to update the app username.

Create and update is the default used by all Application username types. If Application username is Custom, you can choose to update the app username on Create only. This setting prevents the username from changing, even when the value of a field that defines part of the custom username changes.

Expand Show Advanced Settings to access the following settings:

Advanced Settings
Response Choose whether the IdP digitally signs the SAML authentication response message.
Assertion Signature Choose whether the SAML assertion is digitally signed.
Signature Algorithm The signing algorithm that's used to digitally sign the SAML assertion and response.
Digest Algorithm The digest algorithm that's used to digitally sign the SAML assertion and response.
Assertion Encryption Choose whether the SAML assertion is encrypted.
Encryption Algorithm The encryption algorithm used to encrypt the SAML assertion.

This field appears when Assertion Encryption is Encrypted.

Key Transport Algorithm The key transport algorithm used to encrypt the SAML assertion.

This field appears when Assertion Encryption is Encrypted.

Encryption Certificate The file that contains the public key certificate (in PEM format) used to encrypt the SAML assertion.

This field appears when Assertion Encryption is Encrypted.
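The signing and encryption fields above decide what a received Response looks like on the wire. The following is an added example (not code from the Okta page) of an audit over a Response that reports where the signature sits (Response or Assertion), which SignatureMethod, DigestMethod, EncryptionMethod and key-transport algorithm URIs it carries, and flags the weak choices (SHA-1 signatures or digests, RSA PKCS#1 v1.5 key transport). The Response template and its placeholder signature and cipher values are constructed for this example; nothing is cryptographically verified or decrypted.

```python
"""Added example, not from the Okta page: inspect a received SAML Response for
the choices made under Response / Assertion Signature / Signature Algorithm /
Digest Algorithm / Assertion Encryption / Encryption Algorithm / Key Transport
Algorithm, and flag the weak ones. The template below is constructed; the
SignatureValue and cipher data are placeholders, not real output."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Standard XML Signature / XML Encryption algorithm identifiers.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
AES256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
RSA_15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"

WEAK = {
    RSA_SHA1: "RSA-SHA1 signature",
    SHA1: "SHA-1 digest",
    RSA_15: "RSA PKCS#1 v1.5 key transport",
}


def make_response(sig_alg, digest_alg, enc_alg, kt_alg):
    """Constructed Response: signed at the Response level, assertion encrypted."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}" ID="_r1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exkexample</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData>
      <xenc:EncryptionMethod Algorithm="{enc_alg}"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{kt_alg}"/></xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def audit(xml_text):
    """Summarise signing and encryption as seen on the wire, with warnings."""
    root = ET.fromstring(xml_text)
    plain = root.find("saml:Assertion", NS)
    result = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        # None when encrypted: the assertion's own signature is inside the ciphertext.
        "assertion_signed": (plain.find("ds:Signature", NS) is not None) if plain is not None else None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "signature_algorithms": [e.get("Algorithm") for e in root.iter("{%s}SignatureMethod" % NS["ds"])],
        "digest_algorithms": [e.get("Algorithm") for e in root.iter("{%s}DigestMethod" % NS["ds"])],
        "encryption_algorithm": None,
        "key_transport_algorithm": None,
        "warnings": [],
    }
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc is not None:
        em = enc.find("xenc:EncryptionMethod", NS)
        km = enc.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        result["encryption_algorithm"] = em.get("Algorithm") if em is not None else None
        result["key_transport_algorithm"] = km.get("Algorithm") if km is not None else None
    if not result["response_signed"] and not result["assertion_signed"]:
        # Encryption alone proves nothing about who produced the assertion.
        result["warnings"].append("no signature visible; require one on the decrypted Assertion")
    for alg in result["signature_algorithms"] + result["digest_algorithms"] + [result["key_transport_algorithm"]]:
        if alg in WEAK:
            result["warnings"].append(WEAK[alg])
    return result


if __name__ == "__main__":
    print(audit(make_response(RSA_SHA1, SHA1, AES256_GCM, RSA_15))["warnings"])
    print(audit(make_response(RSA_SHA256, SHA256, AES256_GCM, RSA_OAEP))["warnings"])
```

The audit is descriptive only: the SP library still has to verify the signature, reject a Response whose signature covers neither the Response nor the Assertion it relies on, and decrypt with the private key matching the Encryption Certificate uploaded above.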

Signature Certificate The file that contains the public key certificate (in PEM format) used to validate the SAML sign-in request and the Single Logout (SLO) request.
Enable Single Logout Allows users to sign out of both a configured custom app and Okta with a single click (but not out of other apps that are open). See the Single Logout Profile section in Profiles for the OASIS Security Assertion Markup Language (SAML) version 2.0.

This checkbox appears after you upload a Signature Certificate.

If SLO is enabled, the SAML setup instructions for your app should include a field for the Identity Provider Single Logout URL.

Single Logout URL Specify where to send the sign-out response.

This field appears when Enable Single Logout is selected.

If you've enabled the Early Access feature for Front Channel Single Logout, this configuration has changed. See Enable SLO for SAML integrations (with front-channel option).

SP Issuer The issuer ID for the service provider.

This field appears when Enable Single Logout is selected.

Signed Requests Select this to validate all SAML requests using the Signature Certificate. The payload from the SAML request is validated, and Okta dynamically reads any single sign-on (SSO) URLs from the request.

This checkbox appears after you upload a Signature Certificate.

When Signed Requests is enabled, the SAML Request must include a NameIDPolicy.

Other Requestable SSO URLs For use with SP-initiated sign-in flows. Enter the ACS URLs for any other requestable SSO nodes used by your app integration. This option enables apps to choose where to send the SAML Response. Specify a URL and an index that uniquely identifies each ACS URL endpoint.

Some SAML AuthnRequest messages don't specify an index or URL. In these cases, the SAML Response is sent to the ACS specified in the Single sign on URL field.

When you enable Signed Requests, Okta deletes any previously defined static SSO URLs and reads the SSO URLs from the signed SAML request instead. You can't have both static SSO URLs and dynamic SSO URLs.

Assertion Inline Hook An Assertion Inline Hook is an outbound call from Okta to an external service that you created. This type of Inline Hook is triggered when Okta generates a SAML assertion in response to an authentication request. Before sending the SAML assertion to the app that consumes it, Okta calls out to your external service. The external service can respond with commands to add attributes to the assertion or modify its existing attributes.

To have Okta call your external service, select the endpoint for the service from the dropdown list. If this option is left set to None (disabled), then no external service is called when an Assertion Inline Hook is triggered. See Inline Hooks, SAML Assertion Inline Hook Reference, and Enabling a SAML Assertion Inline Hook.
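As an added example (not code from the Okta page or an Okta-provided handler), the following Python shows the shape of one Assertion Inline Hook round trip: the service authenticates Okta's call, reads the user from the request body, and answers with a com.okta.assertion.patch command that adds one attribute and replaces an existing value. The request body is a constructed, trimmed sample; the header-based shared-secret authentication and the entitlement lookup table are assumptions for this example, and the exact JSON paths should be confirmed against the SAML Assertion Inline Hook Reference linked above.

```python
"""Added example, not from the Okta page: a minimal SAML Assertion Inline Hook
handler. Assumptions: the hook is registered with header-based authentication
(an Authorization header carrying a shared secret) and is served over HTTPS;
the entitlement lookup is a constructed stand-in for a real system of record."""
import hmac

HOOK_SECRET = "replace-with-the-secret-registered-on-the-hook"  # assumption: shared-secret header

ATTR_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample of the inbound call, trimmed to the fields this handler uses.
SAMPLE_REQUEST = {
    "eventType": "com.okta.saml.tokens.transform",
    "data": {
        "context": {
            "user": {"id": "00uexample", "profile": {"login": "alice@example.com"}},
        },
        "assertion": {
            "claims": {
                "array": {
                    "attributes": {"NameFormat": ATTR_BASIC},
                    "attributeValues": [
                        {"attributes": {"xsi:type": "xs:string"}, "value": "Array 1"},
                        {"attributes": {"xsi:type": "xs:string"}, "value": "Array 2"},
                    ],
                }
            },
        },
    },
}


def saml_attribute(value):
    """A single-valued string attribute in the shape used for an 'add' op."""
    return {
        "attributes": {"NameFormat": ATTR_BASIC},
        "attributeValues": [{"attributes": {"xsi:type": "xs:string"}, "value": str(value)}],
    }


def lookup_entitlement(login):
    """Constructed stand-in for the external system the hook consults."""
    return {"alice@example.com": "ledger-admin"}.get(login, "none")


def handle_hook(headers, body):
    """Return (http_status, response_json) for one inline hook call."""
    presented = headers.get("Authorization", "")
    # Constant-time compare; anything unauthenticated gets no detail back.
    if not hmac.compare_digest(presented.encode(), HOOK_SECRET.encode()):
        return 401, {"error": "unauthorized"}
    if body.get("eventType") != "com.okta.saml.tokens.transform":
        return 400, {"error": "unexpected eventType"}

    login = body["data"]["context"]["user"]["profile"].get("login", "")
    claims = body["data"]["assertion"].get("claims", {})

    ops = [{"op": "add", "path": "/claims/entitlement",
            "value": saml_attribute(lookup_entitlement(login))}]
    if "array" in claims:
        # Replace the second value of the existing multi-valued attribute.
        ops.append({"op": "replace", "path": "/claims/array/attributeValues/1/value",
                    "value": "patched"})
    return 200, {"commands": [{"type": "com.okta.assertion.patch", "value": ops}]}


if __name__ == "__main__":
    print(handle_hook({"Authorization": HOOK_SECRET}, SAMPLE_REQUEST))
```

Whatever the hook adds ends up signed by Okta and trusted by the app, so the hook endpoint itself is part of the trust boundary: authenticate every call, derive values only from authenticated input and trusted back-end data, and never from attacker-influenced profile fields.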

Authentication context class The type of authentication restriction for the SAML assertion. Consult the SP documentation to obtain this information.
Honor Force Authentication Set to Yes to prompt users for their credentials when a SAML request has the ForceAuthn attribute set to true. Users are prompted to enter their credentials, even if they normally sign in through Desktop SSO. If this option is set to No, the attribute is ignored.
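The Signed Requests, Other Requestable SSO URLs and Single sign-on URL fields together decide where a Response to an SP-initiated AuthnRequest is sent, and Honor Force Authentication decides whether the user is re-prompted. The following is an added example (not code from the Okta page) of that IdP-side decision in Python: it builds a constructed AuthnRequest and resolves the ACS URL in both the static mode (index table plus default URL) and the dynamic mode (URL read from a verified signed request), enforces the NameIDPolicy rules stated above, and returns the ForceAuthn flag. Signature verification against the uploaded Signature Certificate is represented by a flag the caller supplies; rejecting an unsigned request that names an ACS URL outside the configured set is this example's own policy, an assumption rather than documented Okta behaviour.

```python
"""Added example, not from the Okta page: IdP-side ACS selection for an
SP-initiated AuthnRequest under the Signed Requests / Other Requestable SSO
URLs / Single sign-on URL settings, plus the Honor Force Authentication flag.
The request is constructed; signature_valid stands in for verification against
the uploaded Signature Certificate. The allowlist rule for unsigned requests
that carry an ACS URL is this example's assumption."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


class RejectRequest(Exception):
    """Raised when the request must not be answered with a Response."""


def make_authn_request(acs_url=None, acs_index=None, force_authn=False, nameid_format=None):
    """Constructed AuthnRequest carrying only the optional parts the settings react to."""
    attrs = ['ID="_q1"', 'Version="2.0"', 'IssueInstant="2024-01-01T00:00:00Z"',
             'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"']
    if acs_url is not None:
        attrs.append('AssertionConsumerServiceURL="%s"' % acs_url)
    if acs_index is not None:
        attrs.append('AssertionConsumerServiceIndex="%d"' % acs_index)
    if force_authn:
        attrs.append('ForceAuthn="true"')
    policy = ""
    if nameid_format is not None:
        policy = '<samlp:NameIDPolicy Format="%s" AllowCreate="true"/>' % nameid_format
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" %s>'
            '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>%s'
            '</samlp:AuthnRequest>') % (NS["samlp"], NS["saml"], " ".join(attrs), policy)


def resolve_acs(request_xml, *, signature_valid, signed_requests_enabled,
                default_sso_url, static_acs_by_index, configured_nameid_format):
    """Return (acs_url, force_authn) for a request, or raise RejectRequest.

    signed_requests_enabled=True  mirrors the dynamic mode: the ACS URL is read
    from the verified request and the static table is not consulted.
    signed_requests_enabled=False mirrors the static mode: only the index table
    and the default Single sign-on URL are used."""
    req = ET.fromstring(request_xml)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise RejectRequest("not an AuthnRequest")
    url = req.get("AssertionConsumerServiceURL")
    index = req.get("AssertionConsumerServiceIndex")
    policy = req.find("samlp:NameIDPolicy", NS)

    # A NameIDPolicy, when present, must agree with the configured Name ID format.
    if policy is not None and policy.get("Format") not in (None, configured_nameid_format):
        raise RejectRequest("NameIDPolicy Format %r != configured format" % policy.get("Format"))

    if signed_requests_enabled:
        if not signature_valid:
            raise RejectRequest("Signed Requests is on but the request signature did not verify")
        if policy is None:
            raise RejectRequest("Signed Requests requires a NameIDPolicy in the request")
        acs = url or default_sso_url      # trusted only because the signature verified
    else:
        if index is not None:
            if index not in static_acs_by_index:
                raise RejectRequest("unknown AssertionConsumerServiceIndex %s" % index)
            acs = static_acs_by_index[index]
        elif url is not None:
            if url != default_sso_url and url not in static_acs_by_index.values():
                raise RejectRequest("unsigned request names an ACS URL that is not configured")
            acs = url
        else:
            acs = default_sso_url         # neither index nor URL: fall back to Single sign-on URL

    force = req.get("ForceAuthn", "false").lower() == "true"   # Honor Force Authentication = Yes
    return acs, force


def rejection_reason(request_xml, **settings):
    """Helper for callers that want a string instead of an exception."""
    try:
        resolve_acs(request_xml, **settings)
        return None
    except RejectRequest as e:
        return str(e)


STATIC_ACS = {"0": "https://sp.example.com/saml/acs",       # Single sign-on URL (index 0)
              "1": "https://sp-eu.example.com/saml/acs"}    # an Other Requestable SSO URL
DEFAULT_SSO_URL = STATIC_ACS["0"]

if __name__ == "__main__":
    print(resolve_acs(make_authn_request(acs_index=1), signature_valid=False,
                      signed_requests_enabled=False, default_sso_url=DEFAULT_SSO_URL,
                      static_acs_by_index=STATIC_ACS, configured_nameid_format=EMAIL_FORMAT))
```

The two modes matter because an AssertionConsumerServiceURL in an unsigned request is attacker-controlled: honouring it would let anyone who can get a user to click a crafted request redirect that user's assertion to their own endpoint, which is why static URLs are dropped only once requests are signed and verified.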
Logout

Early Access release. See Enable self-service features.

Specify whether an app or the user initiates Single Logout.

  • User is logged out of other participating apps and Okta: Sign the user out of all Single Logout apps and Okta when an app initiates the sign-out action.
    • Response URL: Enter the URL that receives the Single Logout response from Okta.
    • SP Issuer: Enter the URL of the service provider that issues the Single Logout response.
  • User logs out of other logout-initiating apps or Okta: Sign the user out of all Single Logout apps and Okta when the user signs out of a Single Logout app or Okta.
    • Logout request URL: Enter the URL where Okta sends the logout request.
    • Request binding: Select the binding type for the logout request URL.
    • User session details: Select Include user session details to end a specific user session instead of all active user sessions.
SAML Issuer ID Use this option when you need to override an Issuer ID. An override is required when more than one sign-in exists for a single app. It can also be used when you have an integration that requires extra attributes. Enter the Issuer ID to override the default value of http://www.okta.com/$(org.externalKey). Obtain the External Key from the setup instructions of the current working app instance.
Maximum app session lifetime

Configure the maximum session lifetime when users sign in to the app you're integrating.

Select Send value in response to include the value in the SAML assertion.

Enter a number in the first field, and then select the time unit from the dropdown list.

Attribute Statements (optional)

Define custom attribute statements for the integration. These statements are inserted into the SAML assertions shared with your app. See Define attribute statements.

If you've enabled the Early Access Entitlement SAML Assertions and OIDC Claims feature, this option appears when you edit your app integration.

See Generate claims for federated apps.

Group Attribute Statements (optional) If your Okta org uses groups to categorize users, you can add group attribute statements to the SAML assertion shared with your app. See Define group attribute statements.

If you've enabled the Early Access Entitlement SAML Assertions and OIDC Claims feature, this option appears when you edit your app integration.

See Generate claims for federated apps.

Related topics

Create SAML app integrations

Assign applications to users

Assign an app integration to a group