Okta

How to Configure SAML 2.0 for Okta Org2Org Application

Supported Features

The Okta/Okta Org2Org SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Overview

The Org2Org connector application pushes and matches users from one Okta org to another. With this application configured, users authenticate via SAML from a Spoke (source) Okta org into a Hub (target) Okta org. The Org2Org application was designed specifically for a Hub/Spoke configuration.

Note: The Org2Org application needs to be set up in your Spoke (source) org. These instructions assume that you are viewing this configuration guide from an Org2Org SAML Application added in your Spoke (source) org.


Assumptions

This setup assumes that you are adding the Org2Org SAML Application to your Spoke (source) Okta org.

Configuration Steps

Configuring the Hub/Target Org (Inbound SAML)

Note: Every incoming SAML assertion must include the attributes required for user creation and user update.

  1. Log into your Hub (target) Okta org, and select the Admin button.

  2. Navigate to Security > Identity Providers, then click Add Identity Provider to create a new inbound SAML endpoint for the spoke/source affiliate.

    Note: All inbound SAML configurations are created using the spoke/source affiliate's name.


  3. Under General Settings:

    • Name: Enter the Spoke (source) name.

  4. Under Authentication Settings:

    • IdP Username: Select from the drop-down menu. This field specifies how to construct the subject's username from the SAML assertion, using an Okta Expression Language transform of attributes defined in the IdP User Profile.

    • Filter Username: Optional regular expression pattern used to filter transformed usernames, to prevent the IdP from authenticating unintended or privileged users. Anchor the pattern (^ at the start, $ at the end) so that a username which merely contains an allowed domain or prefix cannot pass the filter.

    • Match against: Select your preferred option from the drop-down menu. This field specifies which attribute(s) of existing users in Okta are compared to the transformed username to determine whether the authentication response is for a new or an existing user.

    • If no match is found: Select your preferred option. This field specifies the action for authentication responses that do not match an existing user in the Okta org. If Create new user (JIT) is selected, a profile is created in the target org for any user who does not already exist there.

  5. Under JIT Settings:

    • Profile Master: Select your preferred option. This field determines whether the IdP acts as the source of truth for user profile attributes. If the user is also assigned to other apps or directories that are Profile Masters, the IdP must be prioritized among them. See the Profile Mastering documentation for more information.

      Note: If the Org2Org application is configured to update user profiles and you also set the IdP as a Profile Master, the user updates will cause provisioning errors. Our recommendation in this scenario is to leave this option deselected.

    • Group Assignments: Select your preferred option. This field specifies the behavior of group assignments during provisioning.

  6. Under SAML Protocol Settings:

    • IdP Issuer URI: Copy and paste the value generated for your org:

      Sign in to the Okta Admin app to generate this value.

    • IdP Single Sign On URL: Copy and paste the value generated for your org:

      Sign in to the Okta Admin app to generate this value.

    • IdP Signature Certificate: Download the certificate generated for your org, save it as okta.crt, then upload the X.509 certificate:

      Sign in to the Okta Admin app to generate this value.

  7. Click Add Identity Provider/Save.

  8. Once you save, you are returned to the Hub's (target's) main Identity Providers page.

    • Locate the Identity Provider you just added and click the arrow to expand its details.

    • Copy the values for Assertion Consumer Service and Audience URI.

    • Go back to your Spoke (source) org. In the Org2Org application you are configuring, open the Sign On tab and paste the Assertion Consumer Service value into the Hub ACS URL field and the Audience URI value into the Audience URI field.

    • Click Save.

  9. Done!
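To make the step 4 and step 5 settings concrete, here is an added example in Python that is not part of Okta's documentation or product: it replays a few constructed Spoke assertions through the same decisions an inbound SAML IdP makes (IdP Username transform, Filter Username, Match against, If no match is found). The assertion data, the Hub directory, the idp_username() stand-in for the Okta Expression Language transform, and the assumption that the filter is applied with search semantics are all constructed for the illustration.

```python
import copy
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the page): inbound assertions from the Spoke
# org, reduced to the IdP User Profile attributes the Hub sees after parsing.
INBOUND_ASSERTIONS = [
    {"email": "alice@example.com", "firstName": "Alice", "lastName": "Liddell"},
    {"email": "bob@example.com.evil.net", "firstName": "Bob", "lastName": "Mallory"},
    {"email": "admin@example.com", "firstName": "Hub", "lastName": "Admin"},
    {"email": "carol@example.com", "firstName": "Carol", "lastName": "Jones"},
]

# Constructed Hub directory keyed by login. "admin" is a privileged local account
# that should never be reachable through the Spoke.
HUB_USERS = {
    "alice@example.com": {"login": "alice@example.com", "groups": ["Everyone"]},
    "admin@example.com": {"login": "admin@example.com", "groups": ["Super Admins"]},
}


def idp_username(attrs: Dict[str, str]) -> str:
    """Stand-in for the Okta Expression Language transform (e.g. idpuser.email)
    that builds the username from the assertion (step 4, IdP Username)."""
    return attrs["email"].strip().lower()


# A loose filter and a hardened one. The loose pattern is unanchored and does not
# exclude privileged accounts; the strict one anchors both ends and refuses the
# local admin login. Search semantics are assumed here; anchoring gives the same
# result whether the real implementation searches or requires a full match.
LOOSE_FILTER = r"@example\.com"
STRICT_FILTER = r"^(?!admin@)[^@\s]+@example\.com$"


def process_assertion(attrs, filter_pattern, jit_create, users) -> Tuple[str, str]:
    """Apply the step 4 settings to one assertion.

    Returns (action, login) where action is 'rejected', 'existing' or 'created'.
    """
    login = idp_username(attrs)
    # Filter Username: drop transformed usernames that do not match the pattern.
    if filter_pattern is not None and not re.search(filter_pattern, login):
        return ("rejected", login)
    # Match against: login. A hit means the response is for an existing Hub user.
    if login in users:
        return ("existing", login)
    # If no match is found: either Create new user (JIT) or refuse the login.
    if not jit_create:
        return ("rejected", login)
    users[login] = {"login": login, "groups": []}
    return ("created", login)


def run_filter(filter_pattern: Optional[str], jit_create: bool = True) -> List[Tuple[str, str]]:
    """Replay all sample assertions against a fresh copy of the Hub directory."""
    users = copy.deepcopy(HUB_USERS)
    return [process_assertion(a, filter_pattern, jit_create, users) for a in INBOUND_ASSERTIONS]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_FILTER), ("strict", STRICT_FILTER)):
        print(f"Filter Username = {pattern!r} ({name})")
        for action, login in run_filter(pattern):
            print(f"  {action:9} {login}")
```

Run it and compare the two filters: with the loose, unanchored pattern the Spoke-controlled login bob@example.com.evil.net is JIT-created in the Hub, and the Spoke is also accepted as the Hub's own admin@example.com account; the anchored pattern with the admin exclusion rejects both. Whatever Okta's exact matching rule, anchoring the Filter Username pattern and excluding the privileged logins it must never accept is the check worth making before saving step 4.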

Configuring Application for Hub/Spoke

The following instructions enable users in the Spoke (source) org(s) to log in to an application that is managed and provisioned by a single Hub (target) org.

  1. Follow standard Okta configuration methods for setting up the application in the Hub (target) org.
  2. Once configured, locate the App Embed Link under the General tab of the application. This becomes the Default Relay State of the Spoke (source) bookmark application. See the example below for detailed steps.

Example

The following example will walk you through the exact steps to perform, using Google Apps as an example.

Note: Verify that the application works correctly in the Hub (target) org (that is, you can sign in to it successfully) before configuring the Spoke (source).

  1. In the Hub (target) org, configure the application that you want to share with the Spoke (source) org. For this example, we used Google Apps with SAML sign on mode.

  2. Log in to your Spoke (source) org and go to the Admin console. Click Add Application, then add the Bookmark App.

  3. Enter an Application label (for example, the name of the application you are creating; Google Apps in this example).

  4. You will need three things to construct the URL:

    1. Paste the IdP Single Sign On URL (obtained in Step 6 of the Configuring the Hub/Target Org (Inbound SAML) section above) into the URL field.

    2. Still in the URL field, append the following to the value from the previous step:

      ?RelayState=

    3. Follow it with the embed link of the application in the Hub (target) org. This value is found under the General tab of the application you want to connect to in the Hub (target) org. In this example, to connect to Google Apps, open as an admin the Google Apps application you added in your Hub (target) org. Under the General tab, scroll down to the App Embed Link section, copy the value from the Okta Org Admin URL field, and append it to your Bookmark URL after the string you added in the previous step.

    4. The resulting Bookmark URL should look similar to the example below (Okta orgs are served over HTTPS only):

      https://sourceorg.okta.com/app/okta_org2org/exkidkmZXAoxbgwz20g3/sso/saml?RelayState=https://huborg.okta.com/home/google/0oaiqwYT8RpdS8I6D0g3/26

  5. Done!

    Now users can seamlessly log in to Google Apps from the Spoke (source) org even though Google Apps is configured in the Hub (target) org.
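The URL assembled in step 4, built and checked in code as an added example that is not part of Okta's documentation or product: it uses the page's example Spoke SSO URL and Hub embed link, percent-encodes the RelayState value so the embed link is carried as a single query-parameter value (the unencoded form shown above decodes to the same value, but the encoded form survives if the link ever contains &, # or ?), and adds a local sanity check, assumed here and not an Okta feature, that the embed link is an https URL on the Hub org host.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from the page's example. HUB_ORG_HOST is the org the RelayState must stay on.
SPOKE_SSO_URL = "https://sourceorg.okta.com/app/okta_org2org/exkidkmZXAoxbgwz20g3/sso/saml"
HUB_EMBED_LINK = "https://huborg.okta.com/home/google/0oaiqwYT8RpdS8I6D0g3/26"
HUB_ORG_HOST = "huborg.okta.com"


def build_bookmark_url(spoke_sso_url: str, hub_embed_link: str, hub_org_host: str) -> str:
    """Return the Bookmark App URL: Spoke IdP SSO URL + percent-encoded RelayState."""
    sso = urlsplit(spoke_sso_url)
    if sso.scheme != "https" or sso.query:
        raise ValueError("IdP Single Sign On URL must be https and carry no query string")
    target = urlsplit(hub_embed_link)
    # Local sanity check (assumed here, not an Okta feature): the embed link must
    # point at the Hub org over https, so the bookmark cannot send users elsewhere.
    if target.scheme != "https" or target.hostname != hub_org_host:
        raise ValueError(f"App Embed Link must be an https URL on {hub_org_host}")
    # urlencode percent-encodes ':' '/' '?' '&' and '#', so the embed link is carried
    # as one query-parameter value even if it ever contains those characters.
    return f"{spoke_sso_url}?{urlencode({'RelayState': hub_embed_link})}"


def relay_state_of(bookmark_url: str) -> str:
    """Decode the RelayState back out of a Bookmark URL (the value the Spoke forwards)."""
    query = parse_qs(urlsplit(bookmark_url).query, strict_parsing=True)
    values = query.get("RelayState", [])
    if len(values) != 1:
        raise ValueError("Bookmark URL must carry exactly one RelayState parameter")
    return values[0]


if __name__ == "__main__":
    url = build_bookmark_url(SPOKE_SSO_URL, HUB_EMBED_LINK, HUB_ORG_HOST)
    print(url)
    print("RelayState ->", relay_state_of(url))
```

Paste the printed URL into the Bookmark App's URL field; relay_state_of() is the same decoding the Spoke performs when it forwards RelayState to the Hub, so it is a quick way to confirm the value round-trips to the exact embed link copied from the Hub org.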


Notes

The following SAML attributes are supported: