This guide assumes you have access to an Okta Workforce Identity platform, access to your Okta Admin dashboard, and some experience with the platform

Navigate to Applications on your Okta Admin Dashboard, and click "Create App Integration"
Select Sign-in method "SAML 2.0", and click "Next"
In "App name" enter a name for your integration (e.g. EasySSO Jira), and click "Next"
Under "Single sign on URL", enter your EasySSO Endpoint URL - found in your EasySSO SAML configuration screen.
Under "Audience URI", enter your EasySSO Entity ID - found in your EasySSO SAML configuration screen.

Click "Show Advanced Settings", change the Signature Algorithm to "RSA-SHA1", and the Digest Algorithm to "SHA1"
In the EasySSO Configuration screen, ensure "Enable SAML" is checked
Go to the Certificates tab, and under SP Signing Certificate click "Generate Certificate"
Copy the certificate and paste it into a new certificate file on your computer (e.g. spsigningcertificate.crt)
Upload the SP Signing Certificate file to Okta using the "Browse files..." button next to "Signature Certificate"
Click "Allow Application to initiate Single Logout"
Copy and paste the EasySSO Endpoint URL in the "Single Logout URL" field
Copy and paste the EasySSO EntityID in the SP Issuer field
Enable "Validate SAML requests with signature certificates"

Make sure you have assigned the application to users or groups in Okta to enable them to sign-in to your application

EasySSO Configuration

Click the "Sign On" page of your Okta Application
Click "Copy" under the Metadata URL - Note: you can click "View SAML setup instructions" to also find this URL, as well as the variables and metadata to configure EasySSO manually
Visit the EasySSO SAML configuration screen, and make sure "Enable SAML" is ticked
On the "Certificates" page, ensure "URL" is selected for "Load Metadata"
Paste the Okta Metadata URL in the "Idp Metadata URL" field, and click "Load Certificate" to load the metadata
Metadata values will be loaded across EasySSO. On the General page:
1. Set the "Login Binding Type" to either "POST" or "Redirect" - the Binding URL should have been configured by the Okta metadata
2. Set the "Logout Binding Type" to "POST", "Redirect", or "Disabled" - if the Logout Binding Type is not Disabled, the Logout URL should have been configured by the Okta metadata
3. Set the "Entity ID" to the "Identity Provider Issuer" URL under step 2 of the Okta Setup Instructions page
4. (Optional) Visit EasySSO SAML Message Signing and Verification for signing and verification configuration options
5. Press "Save" at the bottom of the page

Encrypted Assertions (Optional)

Open the EasySSO Admin page
Click the SAML button to be taken to the SAML Admin configuration
Check the 'Encrypt Assertions' check box
Click the Save button at the bottom of the page to save the updated configuration
Click the 'Certificates' tab
Copy the contents of the sp certificate text box into a new file and save it with the name of 'myeasyssosp.crt'

In Okta

Open your SAML Administration page
Open the SAML Client configuration
Click the Assertion Encryption dropdown and select 'Encrypted'
1. Set Encryption Algorithm to AES256-GCM
2. Set Key Transport Algorithm to RSA-OAEP
Upload the SP Certificate file previously saved ('myeasyssosp.crt')

You've completed the configuration of EasySSO SAML with OKTA!

For more customisation options, check out EasySSO with SAML - Configuration.

New Zealand Home Ideas Centre Level 2, 10 Hutt Road, Petone, Wellington PO Box 38906 WMC Box Lobby Lower Hutt 5045	Australia Co-Hort Innovation Space, 16 Nexus Way, Southport, QLD PO Box 1403, Macquarie Centre, North Ryde, NSW 2113
0800 TECHTIME +64 4 570 0048	1800 BE LAZY +61 7 3074 9404
support@techtime.co.nz	info@techtime-initiative.com.au