Okta SAML 2.0 Identity Provider

The following section shows how to create an Okta application. To configure the identity provider in OneStream IdentityServer, you will need to copy and paste information between Okta and the OneStream Identity & Access Management Portal. In addition, you must go to the OneStream Identity & Access Management Portal and add the identity provider. See Add a SAML 2.0 Identity Provider.

Create an Okta Application

As you complete the steps in this section, copy these items from Okta and paste them in the Identity & Access Management Portal:

  • App name

  • Metadata URL

    NOTE: This example will use a metadata URL. If you do not have a metadata URL (auto-discovery URL) from your identity provider, you can upload an XML metadata file or manually complete the fields in the Identity & Access Management Portal. See Add a SAML 2.0 Identity Provider.

Also copy these items from the Identity & Access Management Portal and paste them in Okta:

  • ACS URL

  • Service provider entity ID URL

See Add a SAML 2.0 Identity Provider.

  1. Sign in to Okta and go to Applications > Applications.

  2. Click the Create App Integration button.

    The Okta Applications screen has a navigation pane on the left and a row of buttons to select at the top of the screen. This example highlights the Applications menu and Applications selection in the navigation pane. It also highlights the Create App Integration button, which is blue with white text.

  3. In the Create a new app integration dialog box, complete this field:

    1. Sign-in method: Select SAML 2.0.

    2. Click the Next button.

    The Create a new app integration dialog box has the section, Sign-in method, listed to the left with a list of options to the right with radio buttons that can be selected or cleared. This example highlights the SAML 2.0 option for Sign-in method.

  4. The Create SAML Integration page displays. In the General Settings tab, complete this field:

    1. App name: Enter a name. Copy and paste this name in the Identity & Access Management Portal in the Name field.

    2. Click the Next button.

    The General Settings tab on the Create SAML Integration page has sections listed to the left with a list of fields and options to the right with a checkbox that can be selected or cleared. This example highlights the App name field and the Next button.

  5. In the Configure SAML tab, complete these fields:

    1. Single sign-on URL: Paste the ACS URL from the Identity & Access Management Portal.

    2. Audience URI (SP Entity ID): Paste the service provider entity ID URL from the Identity & Access Management Portal.

    3. Name ID format: In the drop-down menu, select EmailAddress.

    4. Application username: In the drop-down menu, select Email.

    5. Click the Next button.

    The Configure SAML tab on the Create SAML Integration page has sections listed to the left with a list of fields and drop-down menus to the right. This example highlights the Single sign-on URL field, the Audience URI (SP Entity ID) field, the Name ID format drop-down menu, and the Application username drop-down menu.

  6. In the Feedback tab, complete this field:

    1. App type: Select This is an internal app that we have created.

    2. Click the Finish button.

    The Feedback tab on the Create SAML Integration page has the App type section listed to the left with checkboxes that can be selected or cleared to the right. This example highlights the This is an internal app that we have created option and the Finish button.

  7. The application opens on a new page. Click Copy to copy the metadata URL. Paste it in the Identity & Access Management Portal in the Metadata URL field.

    The application screen has a row of tabs that can be selected at the top of the screen. In the Sign on tab, this example highlights the Metadata URL and Copy button.

  8. Select the Assignments tab and assign the application to OneStream users.

After you create the Okta application and add the identity provider in OneStream IdentityServer, go to the OneStream Identity & Access Management Portal and test the identity provider. See Test a SAML 2.0 Identity Provider.

Then, configure users for authentication in OneStream. See How Users are Configured for Authentication.