SAML v2 IdP Initiated With Okta

    Configure SAML v2 IdP Initiated SSO With Okta

    This page will guide you in configuring a SAMLv2 IdP Initiated Identity Provider with Okta as the initiating IdP. You will be able to visit an Okta provided link, authenticate, and then be logged into FusionAuth.

    This document assumes you have an admin account with Okta and a valid FusionAuth paid edition license.

    Create and Partially Configure the Okta SSO Application

    You will want to set up this application as an admin. Okta allows users with various permissions. Later, you will create a user that can log into the newly created application, Pied Piper.

    Navigate to the Okta admin screen. Using the left "hamburger" menu, click on Applications Header > Applications. From here, click Create App Integration. Select the SAML option and hit next.

    Setting up a SAMLv2 application in Okta

    Add an App name describing the application. Configure any other General Settings as needed (including adding your award winning logo).

    General settings tab when creating a SAMLv2 application in Okta

    Click "Next". You will arrive at the Configure SAML section.

    Settings tab when creating a SAMLv2 application in Okta

    Please complete the Single sign on URL and Audience URI (SP Entity ID) with placeholder data. We will return to these fields in a moment (with real data from FusionAuth). Click next to proceed.

    The final screen is related to marketing/support. This screen may or may not be present. Click the Finish button.

    Feedback Marketing Step

    Now, under the Sign On tab, scroll down until you see a button called "View SAML setup instructions". This will open a new window/tab. You will need the values displayed to complete the rest of this tutorial.

    View SAML Setup Instructions

    Record the Identity Provider Single Sign-On URL and Identity Provider Issuer values. The latter is a string such as http://www.okta.com/exkq14ymac31Bx7895d6.

    Download the "X.509 Certificate" too, then close the instructions tab.

    Details around certificate and SSO URL and issuer

    Add the Okta Public Certificate to FusionAuth

    Log in to the FusionAuth administrative user interface and navigate to Settings → Key Master.

    Import the Okta provided certificate you just downloaded.

    Adding the Okta certificate to Key Master

    Add the SAMLv2 IdP Initiated Identity Provider

    Navigate to Settings → Identity Providers. Add a SAMLv2 IdP Initiated Provider.

    • Configure the Name with a descriptive value.

    • Set the Issuer value to the Identity Provider Issuer value from Okta.

    • Set the Verification key to the public certificate you just imported.

    Enable this Identity Provider for any appropriate FusionAuth applications. For this example, Pied Piper allows the use of this Identity Provider.

    Any users who authenticate with Okta will be registered for this application because of the Create registrations setting.

    All other options may be left with default values. Save the configuration.

    Adding the IdP Initiated SSO Identity Provider

    View the Identity Provider in FusionAuth

    View the created Identity Provider and navigate to the SAML v2 Integration details section.

    Record the values of the Callback URL (ACS) and Issuer fields. Those will be used later.

    View the IdP Initiated SSO Identity Provider

    CORS Settings

    Navigate to Settings → System → CORS.

    Determine the hostname and scheme of the Okta Identity Provider Single Sign-On URL. If the URL is https://trial-6089629.okta.com/app/trial-6089629_test_1/exk1mn2r8kVgtAv6q697/sso/saml then the hostname and scheme are https://trial-6089629.okta.com.

    If you run into CORS configuration challenges, review the System > Event Log in the FusionAuth admin UI. This will tell you exactly what hostname and schemes must be added to the CORS allow lists.

    Add this value to the CORS Allowed origins field. Ensure that the POST method is checked in the Allowed methods field. Save the configuration.

    Additionally, you might have to add another entry with a trailing backslash, such as https://trial-6089629.okta.com/.

    Configure CORS

    Configure the FusionAuth Application Redirect URL

    Navigate to Applications → Your Application → OAuth. Update the Authorized redirect URLs field to include https://local.fusionauth.io/?client_id={clientId} where {clientId} is the value from the Client Id field.

    This URL is where a user will end up after authentication and may be any value URL.

    Ensure the Authorization Code grant is enabled.

    Configure the FusionAuth Pied Piper application

    Complete SSO Configuration in Okta

    Return to the Configure SAML Tab. This can be found by navigating as follows from the App homepage: General > SAML Settings > Edit Button > General Settings > Next Button > Configure SAML tab in the Okta Admin screen.

    • Set the value of the Single sign on URL to the value of the Callback URL (ACS) from the FusionAuth Identity Provider recorded above.

    • Set the value of the Audience URI (SP Entity ID) to the value of the Issuer recorded above.

    • Optionally set the value of Default RelayState if you want to provide a specific redirect URI. If this value is omitted, the first Authorized redirect URI found in the FusionAuth Application OAuth configuration will be used. This option is supported in FusionAuth version greater than or equal to 1.41.0. In prior versions, append redirect_uri= to the value specified Single sign on URL to control the final redirect URI.

    • Set the Application username to be Email.

    Configure Okta with the FusionAuth SP information

    Save the Okta application by clicking "Next" until complete.

    Navigate to the General tab and scroll to the App Embed Link section and note the Embed Link value. This is the link a user needs to visit to begin the IdP initiated SSO, so you could place it in your application’s navigation, launchpad, or elsewhere.

    Finally, click on the Assignments tab and assign the user to the application. First, select the user by clicking the Assign dropdown. Then by clicking Assign to People, and then finally selecting the Assign button for the user you would like to use.

    Pick a user to assign to application step one

    Then confirm the user should have access.

    Assigning a user to the SAML SP application step two

    Test It Out

    Open an incognito browser window and visit the Embed Link value. This value can be found at the bottom of the General tab of your Okta Application configuration, in the App Embed Link section. Log in with your Okta IdP credentials.

    Logging in with Okta

    When you authenticate successfully, you will eventually land at the URL configured in the application’s Authorized redirect URLs field. The full URL contains an authorization code.

    Since you configured registration for this Identity Provider, if the user did not previously exist in your FusionAuth instance, they will now have an account.

    For a production application, the next step would involve exchanging the authorization code by your application for a JWT from FusionAuth.

    Feedback

    How helpful was this page?

    See a problem?

    File an issue in our docs repo

    Have a question or comment to share?

    Visit the FusionAuth community forum.