Okta SSO Manual Setup

Manually configure the RudderStack Okta SSO for your organization.

This guide lists the steps to manually configure and enable Okta SSO for your organization.

RudderStack does not support IdP-initiated authentication. To use Okta SSO for your organization, you need to log in through this link.

Configuring the RudderStack SSO App

  1. Log in to your Okta application as an administrator. Then, go to the Applications page in the dashboard.
  2. Click the Create App Integration button to integrate Okta with RudderStack:
Create App Integration
  1. Select SAML 2.0 sign-in method:
SAML 2.0
  1. Under General Settings, set the App name to RudderStack, as shown. Then, click Next.
RudderStack as app name

SAML settings

Enter the following settings in the Configure SAML section:

Enter the settings
  • Single sign on URL: Set this to https://auth2.rudderstack.com/saml2/idpresponse.
Make sure you also enable the Use this for Recipient URL and Destination URL option under this setting.
  • Audience URI (SP Entity ID): Set this to urn:amazon:cognito:sp:us-east-1_ABZiTjXia.
  • Default RelayState: Leave this field blank.
  • Name ID format: Select Unspecified from the dropdown.
  • Application username: Select Okta username from the dropdown.
  • Update application username on: Select Create and update from the dropdown.

Attribute Statements settings

In the Attribute Statements section, you need to enter the following settings:

Identity provider metadata
NameName format (optional)Default valueComments
EmailUnspecifieduser.emailSet the value corresponding to your organization’s user email.
LastNameUnspecifieduser.lastNameAlthough user.lastName is recommended, you can provide any other value here.
As long as the attributes you set match the Email and LastName fields, your SSO app will work without any issues.

In the next page, select the I’m an Okta customer adding an internal app option and click Finish.

The RudderStack Single Sign-On app is now created and you will be directed to the app’s page.

Enabling SSO

The RudderStack SSO app supports dynamic configuration.

In the Sign On section of the RudderStack SSO app, right click and copy the URL associated with Identity Provider metadata under the View Setup Instructions button, as shown in the below image.

Identity provider metadata

Share this URL with the RudderStack team to enable SSO for your organization.

The Identity Provider metadata URL ends with /metadata.

SCIM configuration steps

You can automatically grant RudderStack access to your users by configuring SCIM provisioning in Okta.

Before setting up the SCIM provisioning, make sure to first generate a personal access token with the Admin role. Otherwise, your SCIM provisioning tasks will fail.
  1. Log in to Okta as an administrator.
  2. In the sidebar, go to Applications > Applications and select your SSO app.
  3. Go to the General tab, click Edit and check the Enable SCIM provisioning option:
Enable SCIM provisioning
  1. A new tab called Provisioning will now be visible in the app settings. Go to Integration, click Edit and enter the following details:
SCIM connector base URLhttps://api.rudderstack.com/scim/v2
Unique identifier field for usersuserName
Supported provisioning actionsCheck the following settings:

  • Push New Users
  • Push Profile Updates
Authentication ModeHTTP Header
SCIM provisioning settings
  1. Under HTTP Header, paste your personal access token with the Admin role.
  2. Click Save. Okta will send a test request to verify the configuration.
  3. Once the verification is complete, you will be able to see two new options, To App and To Okta, in the Settings sidebar:
Settings sidebar
  1. Go to the To App settings and click Edit. Then, enable the following Provisioning to App settings:
App provisioning settings
  1. Scroll down to the attribute mappings section and click Show Unmapped Attributes.
  2. Unmap all attributes one by one by clicking the X icon, except the following mandatory attributes:
    • Display name
    • Email
When Okta sends a request to create a user, it assumes that the update has failed if the response does not contain the details of the mapped attributes. Hence, you must unmap all attributes except Display name and Email.
  1. For Display name and Email, click the edit icon and set the Apply on field to Create and update.
Display name and email configuration
The Value fields for Display name and Email may vary depending on how you have set up your Okta app.
  1. Click Save to finish the configuration.
  2. Go back to your app settings, click the Sign On tab and click Edit.
  3. Under Credentials Details, set Application username format to Email:
Sign on settings
  1. Finally, click Save.
RudderStack currently does not support some SCIM features like importing users or groups, removing users, or snycing passwords. Refer to the Known issues section for more information.

Questions? Contact us by email or on Slack