Configuring SAML Okta

Getting Started with Okta for SAML

An Okta administrator can create new apps to set up the integration:

  1. Log into your Okta instance using an administrative account.

  2. Go to the App Home page ([Instance Name]/app/UserHome), and click Admin.

  3. From the left menu, click Applications > Applications:

  4. Select Create App Integration:

  5. In the Create a New Application pop-up window, select SAML 2.0, and click Next:

  6. In the General Settings tab, type the preferred name (for example, SecretServer) in the App name field, and click Next. The App name field is the only required input on this screen.

Okta Configuration

To complete this section, use Firefox, Internet Explorer or Microsoft Edge. Do not use Chrome: the Signature Certificate upload in this section does not work in Chrome.

  1. Log into Okta, go to the My Apps page, and click Admin:

  2. In the Admin console, go to Applications > Applications and open the app you created earlier (for example, SecretServer):

  3. Under the General tab, click Edit:

  4. When the Edit SAML Integration page appears, click Next:


  5. When the Configure SAML tab loads, click Show Advanced Settings at the bottom of the screen:

  6. Under Signature Certificate, upload the public-key .cer file that corresponds to the .pfx you installed in Secret Server (see Setting Up Secret Server for details on configuring SAML SSO and uploading certificates). Okta uses this certificate to verify the signature on the logout requests Secret Server sends. Upload only the .cer: the .pfx also contains the private key and must never be given to Okta.

  7. Click Browse files… and select your certificate’s .cer file:

  8. Once the upload completes, the .cer file name is shown under the Signature certificate field. If the file name does not change, the upload failed; make sure you are using Firefox, Internet Explorer or Microsoft Edge rather than Chrome.

  9. Select the Enable Single Logout checkbox below the Signature Certificate field.

  10. Configure the Single Logout (SLO) Settings as follows:

    • Single Logout URL: the URL of your Secret Server instance followed by /saml/sloservice.aspx.

      Example: https://[YourSecretServerInstance.com]/saml/sloservice.aspx

    • SP Issuer: SecretServerServiceProvider. This must match the Service Provider name configured in Secret Server, which is also the value entered as the Audience URI (SP Entity ID) on the Configure SAML tab.

  11. Click Next and Finish.

Configuring Okta for SAML

To configure Okta for SAML to integrate with Secret Server, follow the steps below.

  1. Set up Secret Server as a new application in Okta.

  2. Add the Okta details to the Secret Server SAML settings, including:

    • Setting up Single Logout
    • Adding users

  3. Verify that the integration works.

Configuring SAML in the Okta Application

Secret Server needs to be set up as a new application in Okta.

  1. On the Configure SAML tab, enter the required information for your environment. The required fields, with example values, are:

    • Single sign on URL: the assertion consumer service of your Secret Server instance, for example https://[YourSecretServerInstance.com]/saml/assertionconsumerservice.aspx

    • Make sure Use this for Recipient URL and Destination URL is selected, so that the assertion’s Recipient and Destination are bound to this URL.

    • Deselect Allow this app to request other SSO URLs if Okta is the only IdP. With it deselected, Okta posts assertions only to the Single sign on URL above.

  2. Complete the remaining fields:

    • Audience URI (SP Entity ID): the Service Provider name configured in Secret Server (for example, SecretServerServiceProvider). It must match exactly, since the assertion’s AudienceRestriction is checked against it.
    • Default RelayState: leave blank.
    • Name ID format: select Unspecified from the dropdown list.
    • Application username: select Okta username.

  3. Click Next.

  4. On the Feedback window, select I’m an Okta customer adding an internal app.

Downloading the IDP Metadata File

  1. Go to Applications and click on the required SAML app.

  2. Select the Sign On tab.

  3. The metadata URL is shown on the Sign On tab. To get the metadata for the certificate currently in use, go to the SAML Signing Certificates section, find the certificate whose status is Active, open its Actions dropdown and click View IdP Metadata:

  4. When the metadata page loads, right-click the page and choose Save As or Save Page As, depending on the browser. In Edge, choose Save As; the file downloads as XML. In Firefox, choose Save Page As and select the All files option so the XML is saved unchanged.