Single Sign-On v1.3

Configure Okta as an Identity Provider

This topic describes how to set up Okta as your identity provider by configuring SAML integration in both Pivotal Cloud Foundry (PCF) and Okta.

Set up SAML in PCF

  1. Log into the Single Sign-On (SSO) dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN as a Plan Administrator.
  2. Select your plan and click Manage Identity Providers on the dropdown menu.

  3. Click Configure SAML Service Provider.

  4. (Optional) Select Perform signed authentication requests so that SSO signs each SAML authentication request with its private key, which lets Okta verify that the request really came from this service provider.

  5. (Optional) Select Require signed assertions so that SSO rejects any assertion that Okta has not signed. Select this unless you have a specific reason not to: the assertion signature is what proves that the assertion was issued by Okta and was not altered in transit.

  6. Click Download Metadata to download the service provider metadata. Keep this file at hand: the entity ID, the AssertionConsumerService and SingleLogoutService URLs, and the signing certificate that Okta asks for in the next section are all taken from it.

  7. Click Save.

Set up SAML in Okta

  1. Sign in as an Okta administrator.

  2. Navigate to your application, then click the Sign On tab.

  3. Under Settings, click Edit, and select SAML 2.0.

  4. Click the General tab.

  5. Under SAML Settings, click the Edit button followed by the Next button to configure SAML.

  6. In the SAML Settings section, perform the following steps:

    1. Enter the AssertionConsumerService Location URL from your downloaded service provider metadata into Single sign on URL. For example, https://AUTH-DOMAIN/saml/SSO/alias/AUTH-DOMAIN.
    2. Enter your Auth Domain URL into Audience URI (SP Entity ID). You can view the Auth Domain for a plan by logging into the SSO dashboard, clicking the name of your plan, and selecting Edit Plan. For example, https://AUTH-DOMAIN.login.SYSTEM-DOMAIN. Okta places this value in the audience restriction of every assertion, so it must match the entityID in your downloaded service provider metadata exactly, including scheme and any trailing slash.
    3. Select a Name ID format.
    4. Select an Application username.
  7. (Optional) To configure single logout, perform the following steps:

    1. Click Show Advanced Settings.
    2. For Enable Single Logout, select Allow application to initiate single logout.
    3. Enter the SingleLogoutService Location URL from your downloaded service provider metadata into Single Logout URL.
    4. Enter your Auth Domain URL into SP Issuer.
    5. Click Upload Signature Certificate to upload the signing certificate from your downloaded service provider metadata. The metadata carries it as base64 text inside an X509Certificate element; save that text as a certificate file before uploading it.
  8. (Optional) Under Attribute Statements (Optional), specify any user attribute statements that you want Okta to include in the assertion and SSO to map into the ID token.

  9. (Optional) Under Group Attribute Statements (Optional), specify any group attribute statements that you want Okta to include in the assertion and SSO to map into the ID token. These are the Okta groups the user belongs to.

  10. Click the Next button followed by the Finish button.

  11. Click Identity Provider metadata to download the metadata, or copy and save the link address of the Identity Provider metadata. This metadata contains the certificate SSO will trust for Okta's assertion signatures, so obtain it only over HTTPS directly from Okta.

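Every value the Okta SAML form asks for in steps 6 and 7 comes from the service provider metadata downloaded in the PCF section. The script below is an added example and is not code from Pivotal or Okta: it parses such a metadata file with the Python standard library, pulls out the entity ID, the HTTP-POST AssertionConsumerService URL, the SingleLogoutService URL and the signing certificate, wraps the certificate as a PEM file for the upload dialog, and checks that the Audience URI and Single sign on URL about to be entered in Okta agree with the metadata. The embedded metadata, its hostname auth.login.example.com and its certificate bytes are constructed placeholders; replace SAMPLE_SP_METADATA with the bytes of your own downloaded file.

```python
"""Extract the Okta SAML form values from SSO service-provider metadata.

Added example, not Pivotal or Okta code. SAMPLE_SP_METADATA is a
constructed stand-in for the file obtained with "Download Metadata";
its entity ID, hostname and certificate bytes are placeholders.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.login.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
MIIBszCCAVmgAwIBAgIUPLACEHOLDERcertificateBYTESforILLUSTRATION00
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.login.example.com/saml/SingleLogout/alias/auth.login.example.com"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.login.example.com/saml/SSO/alias/auth.login.example.com"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(metadata_xml: bytes) -> dict:
    """Return the fields the Okta 'SAML Settings' form asks for."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")

    # Okta posts the SAMLResponse to the HTTP-POST ACS; other bindings are ignored.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))

    slo = sp.find("md:SingleLogoutService", NS)
    cert_b64 = None  # a KeyDescriptor without 'use' serves both signing and encryption
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_b64 = "".join(el.text.split())
                break

    return {
        "entity_id": root.get("entityID"),   # Audience URI (SP Entity ID) and SP Issuer
        "acs_url": acs[0].get("Location"),   # Single sign on URL
        "slo_url": slo.get("Location") if slo is not None else None,  # Single Logout URL
        "signing_cert_b64": cert_b64,        # Upload Signature Certificate (after to_pem)
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text],
    }


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 DER from the metadata as a PEM certificate file body."""
    base64.b64decode(cert_b64, validate=True)  # fail early on a mangled copy-paste
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def check_okta_form(settings: dict, audience_uri: str, sso_url: str) -> list:
    """List disagreements between the values to be typed into Okta and the metadata."""
    problems = []
    # The audience restriction is an exact string match: a trailing slash or an
    # http/https mismatch makes the SP reject every assertion Okta issues.
    if audience_uri != settings["entity_id"]:
        problems.append("Audience URI %r != entityID %r" % (audience_uri, settings["entity_id"]))
    if sso_url != settings["acs_url"]:
        problems.append("Single sign on URL %r != ACS %r" % (sso_url, settings["acs_url"]))
    if settings["authn_requests_signed"] and not settings["signing_cert_b64"]:
        problems.append("requests are signed but the metadata carries no signing certificate")
    if not settings["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is false: 'Require signed assertions' was not selected")
    return problems


if __name__ == "__main__":
    s = extract_sp_settings(SAMPLE_SP_METADATA)
    print(s, to_pem(s["signing_cert_b64"]), sep="\n")
    print(check_okta_form(s, "https://auth.login.example.com/", s["acs_url"]))
```

Run it against your own file and paste the printed fields into the matching Okta inputs; a non-empty list from check_okta_form means the form would produce assertions that SSO rejects, so fix the mismatch before clicking Finish.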