How to Configure SAML 2.0 for OneTrust

Contents

• Supported Features
• Configuration Steps
• Notes

---

Supported Features

The Okta/OneTrust SAML integration currently supports the following features:

• IdP-initiated SSO
• SP-initiated SSO
• JIT (Just In Time) Provisioning

For more information on the listed features, visit the Okta Glossary.

---

Configuration Steps

1. Login to your OneTrust account.

2. Navigate to Settings > Single Sign-on, then click Yes to enable SSO:

   

3. Enter the following (see screenshot at end of step for reference):

   • Service Provider Configuration section:

     • Response Binding Type: Select Post.

   • Identity Provider Configuration section:

     • Name: Copy and paste the following:

       Sign into the Okta Admin Dashboard to generate this variable.

     • SignOn Url: Copy and paste the following:

       Sign in to the Okta Admin app to have this variable generated for you.

     • Request Binding Type: Select Redirect.

     • Certificate: Download, then click Upload to upload the following certificate:

       Sign into the Okta Admin Dashboard to generate this variable.

   • Hosts section:

     • Click Add Host and enter the hosts used within your environment.

   • Attributes Mapping section:

     • Specify the Attribute Key to the following attributes:

     Attribute	Attribute Key	Notes
     FirstName	FirstName	Required
     LastName	LastName	Required
     Email	Email	Required
     Role	Role	Optional
     Organization	Organization	Optional

     Note: For instructions how to add this attribute, see here.

   • Click Save Settings.

   

4. Done!

---

Notes

The following SAML attributes are supported:

Name	Value
FirstName	user.firstName
LastName	user.lastName
Email	user.email
Organization	user.organization
Role	appuser.role

Here is an example describing how to add and use Role attribute:

By default Okta only sends the following four SAML attributes in a SAML assertion: FirstName, LastName, Email and Organization. To send the custom attribute Role, follow the steps below:

1. In Okta, navigate to Directory > Profile Editor:

   

2. Search for the OneTrust app, then click Profile:

   

3. Click Add Attribute, then enter the following information:

   • Display Name: Enter Role.

   • Variable Name: Enter role.

   • Click Save.

   

4. Now, when you assign users to the OneTrust app, you can specify the Role for them:

   

5. Done!

SP-initiated SSO

1. Go to: https://app.onetrust.com/auth/login.

2. Type your email address, then click Continue:

---