Configuring SAML Okta

Creating the Application Integration

  1. Log into your Okta instance using an administrative account.

  2. From the left-hand menu, click Applications > Applications.

  3. Select Create App Integration:

  4. In the Create a new app integration pop-up, select SAML 2.0, and click Next:

  5. The Create SAML Integration page loads.

  6. In the General Settings tab, type the preferred name (for example, SecretServer) in the App name field, and click Next.

    The App name field is the only required input on this screen.

  7. In the Configure SAML tab, in the A SAML Settings section, under General fill in the following mandatory fields:

    • Single sign-on URL: your [SecretServerInstanceName] URL.

      For example: https://[YourSecretServerInstance.com]/saml/assertionconsumerservice.aspx

    • Make sure the Use this for Recipient URL and Destination URL checkbox is selected.

    • Audience URI (SP Entity ID): SecretServerServiceProvider.

    • Default RelayState: leave the field blank.

    • Name ID format: select Unspecified from the dropdown list.

    • Application username: select Okta username from the dropdown list.

  8. Click Show Advanced Settings . A plethora of settings will load.

  9. Look for the Signature Certificate option:

  10. Click Browse files... to locate your public key .cer file.

    The file corresponds to the .pfx file uploaded to your Secret Server instance. See Configuring SAML Single Sign-on for details on configuring SAML SSO and uploading Certificates.

  11. Once chosen, the .cer file displays in the Signature Certificate field.

  12. Select the Enable Single Logout checkbox below the Signature Certificate field:

  13. Configure the Single Logout (SLO) Settings as follows:

    • Single Logout URL: your [SecretServerInstanceName] followed by the URL string: /saml/sloservice.aspx.

      Example: https://[YourSecretServerInstance.com]/saml/sloservice.aspx

    • SP Issuer: SecretServerServiceProvider

  14. Click Next.

  15. (Optional) In the Feedback page, provide feedback.

  16. Select Finish. The "SecretServer" integration has now been created.

Downloading the IDP Metadata File

  1. In your Okta instance access Applications > Applications, and click on the Active option under Status.

  2. Select the SAML app you previously created "SecretServer". The app opens on the Assignments tab.

  3. Select the Sign On tab.

  4. Go to the SAML Signing Certificates section and look for the certificate marked Active in the status column.

  5. Select the Actions dropdown menu for that certificate and click View IdP Metadata:

  6. Once the IdP metadata page loads displaying the XML file, right-click the page and select Save As or Save Page As (depending on the browser).

  7. Save the XML file as metadata.xml. You will need this file to create the new SAML Identity Provider in Secret Server.

Configuring SAML in Secret Server for Okta

  1. Log into Secret Server.

  2. Access Settings > Configuration > SAML > Identify Providers.

  3. Select the Create New Identity Provider button.

  4. In the Identity Provider popup, select the Import IDP from XML Metadata option from the dropdown. The Import file option appears.

  5. Click the Change link to import the Okta metadata XML file you saved earlier.

  6. Click OK.

Verifying the Integration

Ensure that the integration works by testing the SAML login process. Users should be able to log into Secret Server using their Okta credentials without being prompted for additional login information. This setup will allow you to use Okta as the Identity Provider for SAML-based single sign-on in Secret Server, streamlining user authentication and enhancing security.