SAML for Okta

Last modified on September 17, 2024

This guide shows you how to use StrongDM’s Generic SAML identity provider integration with Okta as the identity provider (IdP).

Prerequisites

  • Administrative access to a working Okta account
  • Administrative access to your StrongDM organization

StrongDM Setup

  1. In the StrongDM Admin UI, go to Settings > User Management.
  2. Under Single Sign-on, unlock the settings menu (Click to make changes), and then select Yes. For the Provider, select the SAML option.
    Fill in the Metadata URL and Copy StrongDM Info
    Fill in the Metadata URL and Copy StrongDM Info
  3. Copy the values provided for Entity ID and ACS (Consumer) URL (or leave this page open).

Okta Setup

  1. Log in to your Okta admin console, and under Applications, create a new app integration.
  2. For the Sign-in method, choose “SAML 2.0.”
  3. In the General Settings of the Create SAML Integration wizard, set the App Name to “StrongDM.”
  4. (Optional) Set an App Logo image if desired.
    StrongDM Logo
    StrongDM Logo
  5. (Optional) To allow IdP-initiated logins, leave App visibility unchecked.
  6. Select Next to move to the Configure SAML tab. Copy the value from StrongDM for ACS (Consumer) URL and paste it into the Single sign-on URL field in Okta.
  7. Copy the value from StrongDM for Entity ID and paste it into the Audience URI (SP Entity ID) field in Okta.
  8. Change the Application username to “Email.”
  9. Leave the other fields as they are, scroll down, and select Next.
  10. In the Feedback tab, select “I’m an Okta customer adding an internal app” and click Finish.
  11. Copy the Metadata URL from the settings on the Sign On tab.

Complete StrongDM Setup

  1. Copy the Metadata URL from Okta and paste it into the Metadata URL field in the Admin UI.
  2. (Optional) Click Yes for Allow IDP Initiated Authentication. Be sure that if you are enabling IdP-initiated authentication and that you have left the App visibility option unchecked in the Okta admin console.
  3. (Optional) Click Yes for Allow password login for admins to prevent accidentally locking out your admins. We recommend that you enable this option at least until your SSO is configured and tested.
  4. Click Save.
Top