Configuring Okta as an Identity Provider

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes how to set up Okta as your identity provider by configuring SAML integration in both Single Sign‑On for VMware Tanzu and Okta.

Overview

To set up Okta as your identity provider:

  1. Set up SAML in Single Sign‑On
  2. Sign in to Okta
  3. Configure the SAML Settings
  4. (Optional) Configure Single Logout
  5. (Optional) Specify Attribute Statements
  6. Download the Metadata

Set up SAML in Single Sign‑On

To set up SAML in Single Sign‑On, follow the steps in Configure SAML Settings.

Sign in to Okta

To sign in to Okta:

  1. Sign in as an Okta admin.

  2. Navigate to your app and click the Sign On tab.

Configure the SAML Settings

To configure the SAML settings:

  1. Under Settings, click Edit, and select SAML 2.0.

    [Screenshot: the Okta "Sign On" tab. In the "Settings" section the "SAML 2.0" box is highlighted; Credentials Details appear at the bottom, and descriptions of SAML 2.0 and the application username appear at the right.]

  2. Click the General tab.

  3. Under SAML Settings, click Edit and then click Next.

    [Screenshot: the "Configure SAML" tab within the "Edit SAML Integration" section. The settings are in three sections: "General", "Attribute Statements (Optional)", and "Group Attribute Statements (Optional)".]

  4. Enter the AssertionConsumerService Location URL from your downloaded service provider metadata into Single sign on URL.

    For example:

    https://PORTAL-FQDN/saml/SSO/alias/PORTAL-FQDN
    

    Where PORTAL-FQDN is the fully qualified domain name (FQDN) for your login portal.

    Note: The portal FQDN uses the format AUTH-DOMAIN.login.SYSTEM-DOMAIN. You can view the portal FQDN for a plan by logging into the SSO Operator Dashboard, clicking the name of your plan, and selecting Edit Plan.

  5. Enter the FQDN for your login portal into Audience URI (SP Entity ID). This value is available in the downloaded service provider metadata as the entity ID.

  6. Select a Name ID format.

  7. Select an Application username.

(Optional) Configure Single Logout

To configure single logout:

  1. Click Show Advanced Settings.

  2. For Enable Single Logout, select Allow application to initiate single logout.

  3. Enter the SingleLogoutService Location URL from your downloaded service provider metadata into Single Logout URL.

  4. Enter your Auth Domain URL into SP Issuer.

  5. Click Upload Signature Certificate to upload the signature certificate from your downloaded service provider metadata. You must copy the X509Certificate information from the downloaded service provider metadata and reformat it as a valid certificate file to upload.
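Steps 4 and 5 of Configure the SAML Settings and steps 3 and 5 of Configure Single Logout all read values out of the downloaded service provider metadata, and the certificate in particular has to be re-wrapped as a PEM file before Okta accepts it. The following script is an added example, not code from the Single Sign-On or Okta documentation: it parses SP metadata with the standard library, maps the AssertionConsumerService Location, entity ID and SingleLogoutService Location to the Okta field names used above, writes the X509Certificate out as PEM, and warns when the entity ID does not match the portal FQDN in the ACS URL (the doc states both should be the login portal FQDN). The metadata and certificate body are constructed samples; the field-name mapping is an assumption based on the steps above.

```python
"""Extract Okta-side SAML values from Single Sign-On service provider metadata.

Added example; not code from the SSO or Okta docs. The sample metadata and
the certificate body are constructed for illustration (the body is not a
real certificate, only well-formed base64).
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the SP metadata the SSO dashboard exports.
# The X509Certificate body is deliberately split over indented lines, which
# is how it often arrives and why it must be cleaned before PEM wrapping.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="portal.login.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIDummyCertificateBodyForIllustrationOnly0123456789ABCDEFGHIJKLMNOP
        QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQR==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.login.example.com/saml/SingleLogout/alias/portal.login.example.com"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.login.example.com/saml/SSO/alias/portal.login.example.com"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entity ID, HTTP-POST ACS URL, SLO URL and the signing cert (base64)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("metadata has no HTTP-POST AssertionConsumerService")
    acs.sort(key=lambda e: e.get("isDefault") != "true")  # default endpoint first

    slo = sp.find("md:SingleLogoutService", NS)

    cert_b64 = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # strip newlines/indentation
            break

    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs[0].get("Location"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "signing_cert_b64": cert_b64,
    }


def okta_fields(meta: dict) -> dict:
    """Map extracted values to the Okta field names used in the procedure (assumed mapping)."""
    fields = {
        "Single sign on URL": meta["acs_url"],
        "Audience URI (SP Entity ID)": meta["entity_id"],
    }
    if meta["slo_url"]:
        fields["Single Logout URL"] = meta["slo_url"]
    return fields


def to_pem(cert_b64: str) -> str:
    """Wrap the raw base64 body as a PEM certificate file (64-char lines)."""
    base64.b64decode(cert_b64, validate=True)  # fails if non-base64 text survived
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def check_consistency(meta: dict) -> list:
    """Sanity checks to run before pasting values into Okta; returns warnings."""
    problems = []
    acs = urlparse(meta["acs_url"])
    if acs.scheme != "https":
        problems.append("ACS URL is not https")
    if acs.hostname != meta["entity_id"]:
        problems.append(f"entity ID {meta['entity_id']!r} differs from ACS host {acs.hostname!r}")
    if meta["slo_url"] and urlparse(meta["slo_url"]).hostname != acs.hostname:
        problems.append("Single Logout URL host differs from ACS host")
    if not meta["signing_cert_b64"]:
        problems.append("no signing certificate found; Upload Signature Certificate will have nothing to use")
    return problems


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_SP_METADATA)
    for name, value in okta_fields(meta).items():
        print(f"{name}: {value}")
    print(to_pem(meta["signing_cert_b64"]))
    for warning in check_consistency(meta):
        print("WARNING:", warning)
```

Run it against the metadata file you downloaded from the SSO dashboard (replace `SAMPLE_SP_METADATA` with the file contents) and redirect the PEM output to a file for the Upload Signature Certificate step; the warnings flag the mismatches that most often cause Okta to reject the assertion or single logout to fail.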

(Optional) Specify Attribute Statements

To specify attribute statements:

  1. Under Attribute Statements (Optional), specify any attribute statements that you want to map to users in the ID token.

  2. Under Group Attribute Statements (Optional), specify any group attribute statements that you want to map to users in the ID token. This is a group that users belong to within Okta.

Download the Metadata

To download the metadata:

  1. Click Next and then click Finish.

  2. Click Identity Provider metadata to download the metadata, or copy and save the link address of the Identity Provider metadata. You need this Okta metadata for the Configure a Single Sign‑On Service Provider procedure.

    [Screenshot: the Okta "Sign On" tab. In the "SAML 2.0" box of the "Settings" section, the "Identity Provider metadata" link is highlighted; Credentials Details appear at the bottom, and descriptions of SAML 2.0 and the application username appear at the right.]