SAML2 and Okta

We share advice on using Okta as an industry-standard SAML2 Identity Provider.

For support questions about Okta itself, or about any non-Intercax SAML2 provider, please contact the vendor directly through their formal support programs.

Okta “Applications”

In Okta, each integration between a particular Service Provider (such as Syndeia) and Okta as the IdP is configured by creating a new “Okta Application” in the Okta administration console, that is, an application that offers SAML2 support.

Therefore, each time you deploy Syndeia to a particular server, you will create a new separate “Okta Application” just for that Syndeia server - even if you already set up SAML2 integration with Okta for other Syndeia servers.

Okta is its own Directory Service of Users

In addition to acting as a proxy in front of existing, often legacy, directory services such as OpenLDAP and Microsoft Active Directory, Okta can act as its own Directory Service of Users, and often does; it may even be the primary, authoritative directory of user accounts.

When Okta is the Directory Service, configuring Okta as the SAML2 IdP is straightforward because there is no external user directory to integrate with.

Okta User Profile Attributes

Make sure that the User Profile in the Okta Universal Directory includes populated attributes for all of:

  • First Name

  • Last Name

  • Email Address

At a minimum, those three attributes must be passed to the Syndeia SP as Attributes in the SAMLResponse. Syndeia needs the names to display for the user, and the email address to identify the user uniquely even when that user authenticates with numerous services.
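As an added illustration (not code from Intercax or Okta), the following checks that an assertion carries the three attributes listed above before a login is accepted. The attribute Names (firstName, lastName, email) and the sample assertion are assumptions: Okta lets the administrator choose each attribute statement's Name, so match them to your own Okta Application, and run the check only after your SAML library has verified the response signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute Names; Okta lets the admin pick the Name of each
# attribute statement, so align these with your Okta Application.
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email")

# Constructed sample: the AttributeStatement part of a SAMLResponse
# assertion, shaped the way Okta emits attribute statements.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="firstName">
      <saml2:AttributeValue>Ada</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lastName">
      <saml2:AttributeValue>Lovelace</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>ada@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Map each attribute Name to its first non-empty value.

    Only call this on an assertion whose signature the SAML library has
    already verified; attribute values in an unverified response are
    attacker-controlled input.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        if name and values:
            found[name] = values[0]
    return found


def missing_required(assertion_xml: str) -> list:
    """Return required attribute Names that are absent or empty; a non-empty
    result means the Okta User Profile is incomplete and login should fail."""
    found = extract_attributes(assertion_xml)
    return [name for name in REQUIRED_ATTRIBUTES if name not in found]
```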

Okta’s Guide to Configuring Okta as a SAML IdP

Visit https://help.okta.com/oie/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm?cshid=csh-attribute-statements-saml#SAMLAttributeStatements to learn what Okta advises for configuring its service for use as a SAML2 IdP.