    SAML v2 IdP Initiated With Okta

    This feature is only available in paid editions of FusionAuth. Please visit our pricing page to learn more about paid editions.

    Configure SAML v2 IdP Initiated SSO With Okta

    This page will guide you in configuring a SAMLv2 IdP Initiated Identity Provider with Okta as the initiating IdP. You will be able to visit an Okta provided link, authenticate and then be logged in to FusionAuth.

    This document assumes you have an admin account with Okta and a valid FusionAuth paid edition license.

    • Configure SAML v2 IdP Initiated SSO With Okta

    • Create and Partially Configure the Okta SSO Application

    • Add the Okta Public Certificate to FusionAuth

    • Add the SAMLv2 IdP Initiated Identity Provider

    • View the Identity Provider in FusionAuth

    • CORS Settings

    • Configure the FusionAuth Application Redirect URL

    • Complete SSO Configuration in Okta

    • Test It Out

    Create and Partially Configure the Okta SSO Application

    Navigate to the Okta admin screen, and add an application. Search for SAML Service Provider and add this type of application.

    Setting up a SAMLv2 application in Okta

    Add an Application label describing the application. Configure any other "General Settings" as needed.

    General settings tab when creating a SAMLv2 application in Okta

    Click "Next". You will arrive at the "Sign-On Options" section.

    Sign-on settings tab when creating a SAMLv2 application in Okta

    Click "View Setup Instructions". This will open needed instructions in a separate browser tab:

    Configuration instructions for the SAML SP when creating a SAMLv2 application in Okta

    Record the Identity Provider Issuer and Identity Provider HTTP Post URL values. The former is a string such as exkq14ymac31Bx7895d6. The setup instructions may contain a typo in which an extra string is prefixed to the Identity Provider Issuer value.

    Download the "Identity Provider Certificate" too, then close the instructions tab.

    Add the Okta Public Certificate to FusionAuth

    Log in to the FusionAuth administrative user interface and navigate to Settings → Key Master.

    Import the Okta provided certificate you just downloaded.

    Adding the Okta certificate to Key Master

    Add the SAMLv2 IdP Initiated Identity Provider

    Navigate to Settings → Identity Providers. Add a SAMLv2 IdP Initiated Provider.

    • Configure the Name with a descriptive value.

    • Set the Issuer value to the Identity Provider Issuer value from Okta.

    • Set the Verification key to the public certificate you just imported.

    Enable this Identity Provider for any FusionAuth applications. For this example, Pied Piper allows use of this Identity Provider.

    Any users who authenticate with Okta will be registered for this application because of the Create registrations setting.

    All other options may be left with default values. Save the configuration.

    Adding the IdP Initiated SSO Identity Provider

    View the Identity Provider in FusionAuth

    View the created Identity Provider and navigate to the SAML v2 Integration details section.

    Record the values of the Callback URL (ACS) and Issuer fields. Those will be used later.

    View the IdP Initiated SSO Identity Provider

    CORS Settings

    Navigate to Settings → System → CORS.

    Determine the hostname and scheme of the Okta Identity Provider HTTP POST URL. If the URL is https://example.okta.com/app/generic-saml/11111151wmJ3HKZYD5d6/saml2, then the hostname and scheme are https://example.okta.com.

    Add this value to the CORS Allowed origins field. Ensure that the POST method is checked in the Allowed methods field. Save the configuration.

    Configure CORS

    Configure the FusionAuth Application Redirect URL

    Navigate to Applications → Your Application → OAuth. Update the Authorized redirect URLs field to include https://local.fusionauth.io/?client_id=CLIENTID where CLIENTID is the value from the Client id field.

    This URL is where a user will end up after authentication and may be any valid URL.

    Ensure the Authorization Code grant is enabled.

    Configure the FusionAuth Pied Piper application

    Complete SSO Configuration in Okta

    Return to the Sign-on Options tab in the Okta Admin screen.

    • Set the value of the Assertion Consumer Service URL to the value of the Callback URL (ACS) from the FusionAuth Identity Provider recorded above.

    • Set the value of the Service Provider Entity Id to the value of the Issuer recorded above.

    • Set the Application username format to be Email.

    Configure Okta with the FusionAuth SP information

    Save the Okta application by clicking "Done".

    Scroll to the App Embed Link section and note the Embed Link value. This is the link a user needs to visit to begin the IdP initiated SSO, so you could place it in your application’s navigation, launchpad or elsewhere.

    Finally, click on the Assignments tab and assign the user to the application.

    Assigning a user to the SAML SP application

    Test It Out

    Open an incognito browser window and visit the Embed Link value. Log in with your Okta IdP credentials.

    Logging in with Okta

    When you authenticate successfully, you will eventually land at the URL configured in the application’s Authorized redirect URLs field. The full URL contains an authorization code.

    Since you configured registration for this Identity Provider, if the user did not previously exist in your FusionAuth instance, they will now have an account.

    For a production application, the authorization code would be exchanged by your application for a JWT from FusionAuth.
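    The following helpers are an added example, not code from the FusionAuth documentation or the FusionAuth client libraries. They cover two steps from this guide: deriving the CORS origin from the Okta HTTP POST URL, and, after the browser lands on the registered redirect URL, extracting the authorization code and building the authorization-code grant request to FusionAuth's /oauth2/token endpoint. The Okta URL, client id, client secret and code values are constructed samples; the FusionAuth base URL and the registered redirect URL are assumed to be the ones configured above.

```python
# Added example (not from the FusionAuth docs). Sample values are constructed.
from urllib.parse import urlparse, parse_qs, urlencode
from urllib.request import Request, urlopen
import json


def cors_origin(okta_post_url: str) -> str:
    """Reduce Okta's Identity Provider HTTP POST URL to the scheme + host
    that goes in FusionAuth's CORS 'Allowed origins' field."""
    u = urlparse(okta_post_url)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("expected an https URL with a hostname")
    return f"{u.scheme}://{u.netloc}"


def code_from_redirect(landing_url: str, registered_redirect: str) -> str:
    """Pull the authorization code out of the URL the browser lands on after
    IdP-initiated login. The landing URL must be the registered redirect URL
    (scheme, host, path and client_id) plus the added 'code' parameter."""
    reg, got = urlparse(registered_redirect), urlparse(landing_url)
    if (reg.scheme, reg.netloc, reg.path) != (got.scheme, got.netloc, got.path):
        raise ValueError("redirect target does not match the registered URL")
    reg_q, got_q = parse_qs(reg.query), parse_qs(got.query)
    if got_q.get("client_id") != reg_q.get("client_id"):
        raise ValueError("client_id mismatch on redirect")
    codes = got_q.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request(fusionauth_url, code, client_id, client_secret, registered_redirect):
    """Build the authorization-code grant request for FusionAuth's /oauth2/token.
    redirect_uri must equal the registered value exactly, including the
    ?client_id=... query string this guide put in the redirect URL."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": registered_redirect,
    }).encode()
    return Request(f"{fusionauth_url}/oauth2/token", data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def exchange_code(req: Request) -> dict:
    """Send the request to FusionAuth; 'access_token' in the response is the JWT."""
    with urlopen(req) as resp:
        return json.load(resp)
```

Only exchange_code talks to a live FusionAuth instance; the other three functions are pure and can be checked offline.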
