
Configuring SAML 2.0 Application for OKTA

Before you configure the SAML federation, ensure that you have already completed the following:

To create a SAML application on your OKTA 3rd party IdP instance, complete the following:

Note

Ensure that you have access to an OKTA account for configuring SSO federation.
  1. Log in to the OKTA instance for your 3rd party IdP and click the admin button on the top right to get to the administration menu.
    1. If there is a Developer Console drop-down on the top left, click it and choose Classic UI.
  2. On the General Settings page, add the SAML application, as follows:
    1. Select the Application menu -> Applications.
    2. Click Create App Integration.
    3. In the Create a New Application Integration dialog box, enter the following, and then click Next:
      • Choose SAML 2.0.
  3. On the General Settings page, add your SAML Application Name (for example, Infoblox) and click Next.
  4. On the SAML application page, add the HUB ACS URL and Audience URI (values copied when you generate the Audience Keys) to the Single Sign on URL and Audience URI (SP Entity ID) fields in your SAML application respectively.
  5. Select the Use this for Recipient URL and Destination URL check box under the Single Sign on URL section.
  6. Complete the following:
    • Name ID format: Choose Email Address from the drop-down menu.
    • Application username: Choose Email from the drop-down menu.
      The subjectNameID in the SAML assertion must be the user’s email address, and the email address must have a domain name that matches the domain for which the federation is being configured.

  7. Scroll to the bottom of the page and complete the following in the GROUP ATTRIBUTE STATEMENTS (OPTIONAL) section to add a group attribute:
    • Name: Enter groups in the field. Do not include quotes or other characters.
    • Name format (optional): Leave this as Unspecified.
    • Filter: Choose Matches regex from the drop-down list and enter .*
  8. Click Next.
  9. On the Edit SAML Integration page, complete the Help Okta Support understand how you configured this application section, as follows:
    • Are you a customer or partner?: Select I'm an Okta customer adding an internal app.
    • App type: Select the This is an internal app we have created check box.
  10. Click Finish to save your SAML configuration. After you finish the SAML configuration, click View Setup Instructions to complete the setup.
  11. After you click View Setup Instructions, from the new browser tab, ensure that you copy the required values for adding your Identity Provider in the SSO portal’s Configure SAML section. You can copy these to a notepad application or one at a time while in the SSO portal itself, based on your preference. For ease of use, copy the values from the View Setup Instructions page, so you can enter them in the SSO Portal’s Configure SAML section, in the following order:
    • Identity Provider Single Sign-On URL
    • Identity Provider Issuer
    • X.509 Certificate key (minimum digital signature of SHA-256 is required)

      You must enter the information in this order when configuring SAML in the SSO Portal.

      The following is an example of the information for View Setup Instructions:

      The screenshot shows values for 1. Identity Provider Single Sign-On URL, 2. Identity Provider Issuer, and 3. X.509 Certificate.

  12. Once the SAML application configuration is complete, check the following to verify the admin and test users are assigned to the SAML application in your IdP OKTA portal:
    1. Click Directory -> People.
    2. Select the desired user and click Assign Application.
    3. Select Applications and add the SAML application.
      Ensure that all desired users in the domain are assigned to the SAML application. Neglecting to do this will result in authentication failures for all unassigned users.

    4. Click Directory -> Groups.
    5. Select the link for the desired group name.
    6. Select Manage People, then select the desired user and select the + button next to their name in the UI (this will add them to the group).
    7. Select Manage Apps. In the popup dialog box, select Assign for the SAML application, and then click Save.
    8. Once the desired users are added to the desired group, click Save. Repeat as necessary for other groups and users.
      At this point, desired users and groups have been assigned to the Infoblox SAML application and you are now free to leave your OKTA instance and complete IdP configuration inside the SSO portal. The following steps describe how to configure a SAML application in the SSO Portal.
  13. In the Infoblox SSO Portal, go to Authentication -> 3rd Party IdP, and then click Configure SAML.
  14. Enter the following values that you copied from the SAML configuration:
    1. IDP Single Sign-On URL: Identity Provider Single Sign-On URL.
    2. IDP Issuer URI: Identity Provider Issuer.
    3. Signature Certificate: X.509 Certificate key without BEGIN CERTIFICATE and END CERTIFICATE lines. The SSO Portal supports Base64 certificates with the following file extensions: .crt, .pem, and .ca-bundle. Minimum digital signature of SHA-256 is required.

      The screenshot shows a dialog box for configuring a third-party IDP. It contains the fields for IDP Single Sign-On URL, IDP Issuer URI, and Signature Certificate.

      If you receive an error message about the certificate, go to the beginning of the last line of the certificate and hit backspace to remove extra spaces in the previous line. You might need to repeat the same process for any lines that might include extra spaces.

  15. Click Save & Close.
  16. After you have configured the SAML application, you can complete the following configuration:
    1. Mapping User Groups
    2. Testing 3rd Party IdP Authentication
    3. Activating 3rd Party IdP Authentication

    You can also perform the following after you set up 3rd party IdP authentication:
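As an added offline check (example code, not part of the Infoblox or Okta documentation), the following Python snippet validates a SAML assertion against the settings chosen above (an email-address NameID in the federated domain and a groups attribute statement) and normalizes a pasted certificate into the Base64 body the Signature Certificate field expects, including the stray trailing spaces mentioned under step 14. The assertion is a constructed sample, not real Okta output.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_assertion(xml_text, federated_domain):
    """Return the problems found; an empty list means the assertion matches the settings above."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no Subject/NameID in the assertion"]
    problems = []
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is %r, expected emailAddress" % name_id.get("Format"))
    value = (name_id.text or "").strip()
    domain = value.rpartition("@")[2].lower()
    if "@" not in value or domain != federated_domain.lower():
        problems.append("NameID %r is not an email address in domain %r" % (value, federated_domain))
    attrs = root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    if not any(a.get("Name") == "groups" for a in attrs):
        problems.append("no 'groups' attribute statement, so user groups cannot be mapped")
    return problems


def normalize_certificate(pasted):
    """Drop the BEGIN/END lines and stray whitespace so only the Base64 body is left."""
    lines = [line.strip() for line in pasted.splitlines()]
    body = "\n".join(line for line in lines if line and not line.startswith("-----"))
    # Anything outside the Base64 alphabet means something other than the key was pasted.
    if not re.fullmatch(r"[A-Za-z0-9+/=\n]+", body):
        raise ValueError("certificate body contains non-Base64 characters")
    return body


# Constructed sample assertion (not real Okta output) using the settings chosen above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>Admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "example.com"))  # []
    print(normalize_certificate("-----BEGIN CERTIFICATE-----\nMIIB  \nAbc=\n-----END CERTIFICATE-----"))
```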