The following manual configuration creates a SAML SSO configuration for your Enterprise organization.
-
Owneroradminrole in an Enterprise organization -
Service provider certificate and private key that you create
This configuration supports the following:
-
Service Provider initiated SSO
-
Single Log Out [optional]
Before configuring SSO, you need to assign a namespace and create a Service Provider certificate and private key. These important steps provide information you need to enter later.
Create your namespace:
-
Go to Organization > SSO.
-
Under Namespace, enter the namespace you want for your organization. For example,
acme_corp. Your organization members enter this namespace when they log in via SSO. -
Under SSO type, select SAML 2.0.
Convert your Make Service Provider certificate into a .pem file:
-
Find the certificate under Service Provider Certificate.
-
Highlight and copy all of the certificate.
-
Paste the certificate into a plain text editor.
-
Windows: use Notepad.
-
Mac OS: use TextEdit.
-
-
Save the file as a
.pemfile![[Caution]](../css/image/caution.png)
Caution You may need to select All files ( *.* ) or rename the file after saving to change the extension to
.pem.
This creates one .pem file. Locate the .pem file and have it ready to upload into Okta later.
-
Log in to Okta and go to Admin > Applications > Applications.
-
Click Create app integration and select SAML 2.0.
-
Name your app and upload your icon.
-
Click Next.
-
Configure the following SAML settings:
-
Click Show advanced settings and enter the following:
Response
Select Signed
Assertion signature
Select Signed
Signature algorithm
Select RSA-SHA256
Digest algorithm
Select SHA256
Assertion encryption
Select Unencrypted
![[Note]](../css/image/note.png)
Note Optional
If you want to encrypt assertions, you can select Encrypted and enter the following:
Encryption algorithm
AES256-CBC
Key transport algorithm
RSA-OAEP
Encryption certificate
Upload the
.pemfile you created earlier.Signature certificate
Upload a
.pemfile of the Service Provider Certificate. This must be the same certificate as the Service Provider Certificate field of your Make SSO configuration tab.Enable Single Logout
Leave unchecked
Signed requests
Optional
Other requestable SSO URLs
Optional
Assertion inline hook
Select None (disable)
Authentication context class
Select PasswordProtectedTransport
Honor force authentication
Select Yes
SAML issuer ID
http://www.okta.com/${org.externalKey}
-
Enter the following attributes and click Next.
Name
Name format
Value
profileFirstName
Unspecified
user.firstName
profileLastName
Unspecified
user.lastName
email
Unspecified
user.email
-
Select the following options and click Finish.
Are you a customer or partner?
Select I'm an Okta customer adding an internal app
App type
Select This is an internal app that we have created
To locate your IdP login URL and certificate:
-
Go to Admin > Applications > Applications and select your SAML SSO app. to access the necessary information.
-
Go to the Sign on tab and click View SAML setup instructions.
-
Go to Organization > SSO.
-
Enter the following information from Okta into the IdP login URL and Identity provider certificate fields.
Field on Okta
Field on Admin > System settings
Identity provider single sign on URL
IdP login URL
X.509 certificate
Identity provider certificate
-
Enter the following in the Login IML resolve field:
{"email":"{{get(user.attributes.email, 1)}}","name":"{{get(user.attributes.profileFirstName, 1)}} {{get(user.attributes.profileLastName, 1)}}","id":"{{user.name_id}}"} -
Select the following settings:
Allow unencrypted assertions
Yes
Allow unsigned responses
No
Sign requests
Yes
-
Click Save.
-
Go to {{Make}}'s login page.
-
Click Sign in with SSO.
-
Enter the namespace you chose for your organization.
-
Log in using your Okta credentials and consent to {{Make}}'s access to your user data.