Manually configure the RudderStack Okta SSO for your organization.
Available plans: Enterprise
This guide lists the steps to manually configure and enable Okta SSO for your organization.
RudderStack does not support IdP-initiated authentication. To use Okta SSO for your organization, you need to log in through this link.
Configuring the RudderStack SSO App
Log in to your Okta application as an administrator. Then, go to the Applications page in the dashboard.
Click the Create App Integration button to integrate Okta with RudderStack:
Select SAML 2.0 as the sign-in method:
Under General Settings, set the App name to RudderStack, as shown. Then, click Next.
SAML settings
Enter the following settings in the Configure SAML section:
Single sign on URL: Set this to https://auth2.rudderstack.com/saml2/idpresponse.
Make sure you also enable the Use this for Recipient URL and Destination URL option under this setting.
Audience URI (SP Entity ID): Set this to urn:amazon:cognito:sp:us-east-1_ABZiTjXia.
Default RelayState: Leave this field blank.
Name ID format: Select Unspecified from the dropdown.
Application username: Select Okta username from the dropdown.
Update application username on: Select Create and update from the dropdown.
Attribute Statements settings
In the Attribute Statements section, you need to enter the following settings:
Name | Name format (optional) | Default value | Comments
Email | Unspecified | user.email | Set the value corresponding to your organization's user email.
LastName | Unspecified | user.lastName | Although user.lastName is recommended, you can provide any other value here.
As long as the attributes you set match the Email and LastName fields, your SSO app will work without any issues.
On the next page, select the I'm an Okta customer adding an internal app option and click Finish.
The RudderStack Single Sign-On app is now created and you will be directed to the app’s page.
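The SAML settings and Attribute Statements above can be checked against what Okta actually sends. The script below is an added example, not RudderStack's or Okta's code: it parses a constructed SAML response and reports where Destination, Recipient, Audience or the Email/LastName attribute statements differ from the values in this guide (element and attribute names are standard SAML 2.0; the sample XML is constructed).

```python
"""Check a SAML response against the SP settings from this guide.
Added example, not RudderStack or Okta code. The XML is constructed; a real
SAMLResponse is base64-encoded and must have its signature verified first."""
import xml.etree.ElementTree as ET

ACS_URL = "https://auth2.rudderstack.com/saml2/idpresponse"   # Single sign on URL
SP_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_ABZiTjXia"    # Audience URI (SP Entity ID)
REQUIRED_ATTRS = {"Email", "LastName"}                        # Attribute Statements
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(xml_text: str) -> list:
    """Return the mismatches against the guide's settings (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination is filled from the "Use this for Recipient URL and Destination URL" option
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} != {ACS_URL!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient does not match the Single sign on URL")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not contain {SP_ENTITY_ID!r}")
    names = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - names):
        problems.append(f"attribute statement {missing!r} is missing")
    return problems

# Constructed sample with two deliberate mistakes: wrong Audience, no LastName attribute
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:amazon:cognito:sp:us-east-1_WRONG</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_saml_response(SAMPLE)` lists the Audience mismatch and the missing LastName statement; an empty list means the response matches every setting in this guide.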
Enabling SSO
The RudderStack SSO app supports dynamic configuration.
In the Sign On section of the RudderStack SSO app, right-click and copy the URL associated with Identity Provider metadata under the View Setup Instructions button, as shown in the image below.
Share this URL with the RudderStack team to enable SSO for your organization.
The Identity Provider metadata URL ends with /metadata.
SCIM configuration steps
You can automatically grant RudderStack access to your users by configuring SCIM provisioning in Okta.
Before setting up the SCIM provisioning, make sure to first generate a personal access token with the Admin role. Otherwise, your SCIM provisioning tasks will fail.
Log in to Okta as an administrator.
In the sidebar, go to Applications > Applications and select your SSO app.
Go to the General tab, click Edit and check the Enable SCIM provisioning option:
A new tab called Provisioning will now be visible in the app settings. Go to Integration, click Edit and enter the following details:
Click Save. Okta will send a test request to verify the configuration.
Once the verification is complete, you will be able to see two new options, To App and To Okta, in the Settings sidebar:
Go to the To App settings and click Edit. Then, enable the following Provisioning to App settings:
Scroll down to the attribute mappings section and click Show Unmapped Attributes.
Unmap all attributes one by one by clicking the X icon, except the following mandatory attributes:
Display name
Email
When Okta sends a request to create a user, it assumes that the update has failed if the response does not contain the details of the mapped attributes. Hence, you must unmap all attributes except Display name and Email.
For Display name and Email, click the edit icon and set the Apply on field to Create and update.
The Value fields for Display name and Email may vary depending on how you have set up your Okta app.
Click Save to finish the configuration.
Go back to your app settings, click the Sign On tab and click Edit.
Under Credentials Details, set Application username format to Email:
Finally, click Save.
RudderStack currently does not support some SCIM features like importing users or groups, removing users, or syncing passwords. Refer to the Known issues section for more information.
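Why the unmapping step matters, as an added example that is not RudderStack or Okta code: the check below compares the attributes Okta mapped in a create-user request against what the SCIM response echoes back, which is the gap Okta reads as a failed provisioning call. The request and response bodies are constructed, and the attribute paths follow the SCIM 2.0 core user schema.

```python
"""Find mapped SCIM attributes that the SP's response does not echo back.
Added example, not RudderStack or Okta code; request/response bodies are constructed."""

def _lookup(body: dict, path: str):
    """Follow a dotted SCIM attribute path such as 'name.familyName' or 'emails'."""
    cur = body
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def missing_mapped_attributes(request: dict, response: dict, mapped: set) -> list:
    """Return the mapped attributes that were sent but are absent from the response.
    The guide states Okta treats any such gap as a failed create/update."""
    return sorted(p for p in mapped
                  if _lookup(request, p) is not None and _lookup(response, p) is None)

# Constructed Okta POST /Users body with several attributes still mapped
OKTA_REQUEST = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane@example.com",
    "displayName": "Jane Doe",
    "emails": [{"value": "jane@example.com", "primary": True}],
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
}

# Constructed SP response that only returns Display name and Email (plus userName and id)
SP_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "constructed-user-id",
    "userName": "jane@example.com",
    "displayName": "Jane Doe",
    "emails": [{"value": "jane@example.com", "primary": True}],
}

ALL_MAPPED = {"userName", "displayName", "emails", "name.givenName", "name.familyName", "active"}
TRIMMED_MAPPED = {"displayName", "emails"}   # the two mandatory attributes this guide keeps

if __name__ == "__main__":
    print("before unmapping:", missing_mapped_attributes(OKTA_REQUEST, SP_RESPONSE, ALL_MAPPED))
    print("after unmapping: ", missing_mapped_attributes(OKTA_REQUEST, SP_RESPONSE, TRIMMED_MAPPED))
```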