Okta SSO Manual Setup

Manually configure the RudderStack Okta SSO for your organization.
Available Plans
  • enterprise

This guide lists the steps to manually configure and enable Okta SSO for your organization.

info

Note that:

  • RudderStack supports only the SAML 2.0 protocol for SSO.
  • RudderStack does not support IdP-initiated authentication. To use Okta SSO for your organization, you need to log in through this link.

Configuring the RudderStack SSO App

  1. Log in to your Okta application as an administrator. Then, go to the Applications page in the dashboard.
  2. Click the Create App Integration button to integrate Okta with RudderStack:
Create App Integration
  1. Select SAML 2.0 sign-in method:
SAML 2.0
  1. Under General Settings, set the App name to RudderStack, as shown. Then, click Next.
RudderStack as app name

SAML settings

Enter the following settings in the Configure SAML section:

Enter the settings
  • Single sign on URL: Set this to https://auth2.rudderstack.com/saml2/idpresponse.
info
Make sure you also enable the Use this for Recipient URL and Destination URL option under this setting.
  • Audience URI (SP Entity ID): Set this to urn:amazon:cognito:sp:us-east-1_ABZiTjXia.
  • Default RelayState: Leave this field blank.
  • Name ID format: Select Unspecified from the dropdown, which defaults to email.
  • Application username: Select Okta username from the dropdown.
  • Update application username on: Select Create and update from the dropdown.

Attribute Statements settings

In the Attribute Statements section, you need to enter the following settings:

Identity provider metadata
NameName format (optional)Default valueComments
EmailUnspecifieduser.emailSet the value corresponding to your organization’s user email.
LastNameUnspecifieduser.lastNameAlthough user.lastName is recommended, you can provide any other value here.
info
As long as the attributes you set match the Email and LastName fields, your SSO app will work without any issues.

In the next page, select the I’m an Okta customer adding an internal app option and click Finish.

The RudderStack Single Sign-On app is now created and you will be directed to the app’s page.

Enabling SSO

The RudderStack SSO app supports dynamic configuration.

In the Sign On section of the RudderStack SSO app, right click and copy the URL associated with Identity Provider metadata under the View Setup Instructions button, as shown in the below image.

Identity provider metadata

Share this URL with the RudderStack team to enable SSO for your organization.

info
The Identity Provider metadata URL ends with /metadata.

SCIM configuration steps

warning

Before setting up SCIM provisioning, make sure to first generate an organization-level service access token in the RudderStack workspace for which you want to enable SCIM.

Otherwise, your SCIM provisioning tasks will fail.

You can automatically grant RudderStack access to your users by configuring SCIM provisioning in Okta.

  1. Log in to Okta as an administrator.
  2. In the sidebar, go to Applications > Applications and select your SSO app.
  3. Go to the General tab, click Edit and check the Enable SCIM provisioning option:
Enable SCIM provisioning
  1. A new tab called Provisioning will now be visible in the app settings. Go to Integration, click Edit and enter the following details:
SettingValue
SCIM connector base URLhttps://api.rudderstack.com/scim/v2
Unique identifier field for usersuserName
Supported provisioning actionsCheck the following settings:

  • Push New Users
  • Push Profile Updates
Authentication ModeHTTP Header
SCIM provisioning settings
  1. Under HTTP Header, paste your service access token obtained above.
  2. Click Save. Okta will send a test request to verify the configuration.
  3. Once the verification is complete, you will be able to see two new options, To App and To Okta, in the Settings sidebar:
Settings sidebar
  1. Go to the To App settings and click Edit. Then, enable the following Provisioning to App settings:
App provisioning settings
  1. Scroll down to the attribute mappings section and click Show Unmapped Attributes.
  2. Unmap all attributes one by one by clicking the X icon, except the following mandatory attributes:
    • Display name
    • Email
info
When Okta sends a request to create a user, it assumes that the update has failed if the response does not contain the details of the mapped attributes. Hence, you must unmap all attributes except Display name and Email.
  1. For Display name and Email, click the edit icon and set the Apply on field to Create and update.
Display name and email configuration
info
The Value fields for Display name and Email may vary depending on how you have set up your Okta app.
  1. Click Save to finish the configuration.
  2. Go back to your app settings, click the Sign On tab and click Edit.
  3. Under Credentials Details, set Application username format to Email:
Sign on settings
  1. Finally, click Save.
info
RudderStack currently does not support some SCIM features like importing users or groups, removing users, or snycing passwords. Refer to the Known issues section for more information.

Debugging

There are times when an SSO login might fail for some users due to some reason. In such cases, the RudderStack team requires a HAR (HTTP Archive) file to inspect the requests and identify any SSO-related issues.

info
A HAR file is a log of exported network requests from the user’s browser. See the HAR Analyzer guide for steps on generating this file depending on your browser.

Once you generate the HAR file, share it with the RudderStack team to troubleshoot the issue.

warning

Note the following before capturing your HAR file:

  • Start from https://app.rudderstack.com/sso with a clean session, preferably in incognito mode of your browser.
  • Complete the SSO flow until the step where you face an error.
  • Your HAR file might contain sensitive data - make sure to redact it using a text editor before sharing it with the team.

The following sections contain solutions for some common errors you might encounter while setting up SSO:

Invalid samlResponse or relayState from identity provider

SSO errors

The above error indicates you tried the IdP-initiated authentication flow. As stated above, this integration supports only Service Provider (SP)-initiated SSO flow.

RudderStack recommends initiating the SSO authentication by following all the above SSO configuration steps correctly.

As an alternative, you can simulate the IdP-initiation authentication flow by using the Okta Bookmark app and setting the Login URL to https://app.rudderstack.com/sso?domain=<your_website>, where <your_website> is your organization’s web domain.

SSO errors

Required String parameter ‘RelayState’ is not present

SSO errors

The above error indicates that you did not set up your SSO app correctly. Make sure to:

  • Set the Audience URI (SP Entity ID) field to urn:amazon:cognito:sp:us-east-1_ABZiTjXia.
  • Configure the other SAML settings correctly.

Questions? Contact us by email or on Slack