
Configuring SAML for Okta Single Sign-On

Zscaler recommends that you use the ZIdentity Admin Portal to configure primary and secondary external identity providers (IdPs). ZIdentity supports both SAML and OpenID configurations. Contact Zscaler Support to subscribe to ZIdentity.

This article provides information on how to configure Okta as a SAML identity provider (IdP) for single sign-on (SSO).

To configure Okta as a SAML IdP for SSO:

Step 1: Create the ITDR application in Okta

    1. Log in to the Okta portal as an administrator.
    2. Go to Applications > Applications.
    3. Click Create App Integration.

    4. In the Create a new app integration window, select SAML 2.0, and click Next.

    5. On the General Settings tab, enter the App name, and click Next.

    6. On the Configure SAML page, under General:
      1. Single sign-on URL: Enter https://<ITDR Admin Portal instance name>/saml/id/1/assert.
      2. Audience URI (SP Entity ID): Enter https://<ITDR Admin Portal instance name>/saml/id/1/metadata.xml.
      3. Name ID format: Select EmailAddress from the drop-down menu.
      4. Application username: Select Email from the drop-down menu.

        The Single sign-on URL and Audience URI (SP Entity ID) entered here are placeholders. Okta requires values in order to create the application; you replace them later with the service provider assertion URL and entity ID that you obtain from the ITDR Admin Portal.

    7. Click Next.
    8. Select This is an internal app that we have created, and then click Finish.

      The application is created.

Step 2: Obtain the IdP details and metadata from Okta

    1. Go to Applications > Applications.
    2. Select the ITDR application that you created in Step 1.
    3. Click Sign On.
    4. Scroll down to the SAML Setup section, and click View SAML setup instructions.

    5. In the window that appears:

      1. Copy the IdP SSO URL (Identity Provider Single Sign-On URL) and IdP Issuer (Identity Provider Issuer) values.
      2. Copy the IdP metadata XML shown under Optional, and save it as Metadata.xml. This file carries the issuer, the SSO URL, and the signing certificate that the ITDR Admin Portal uses to validate assertions from Okta.
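
Before pasting the IdP values into the ITDR Admin Portal, it helps to confirm that Metadata.xml actually carries what the portal needs. The script below is an added example, not Zscaler or Okta code. It parses SAML 2.0 IdP metadata in the shape Okta produces and reports the IdP Issuer (the entityID), the IdP SSO URL for the HTTP-POST binding, a SHA-256 fingerprint of each signing certificate, and the NameID formats the IdP advertises, then lists anything that would stop the ITDR configuration from working. The metadata embedded in the script is a constructed sample: the entityID, the URLs, and the certificate body are placeholders, not values from any Okta tenant.

```python
"""Extract the values the ITDR Admin Portal needs from Okta IdP metadata.

Added example (not Zscaler or Okta code): parses the Metadata.xml saved in
Step 2 and returns the IdP Issuer (entityID), the IdP SSO URL for the
HTTP-POST binding, the SHA-256 fingerprint of each signing certificate, and
the NameID formats the IdP advertises.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder standing in for the DER certificate body. A real
# Okta signing certificate is a much longer, line-wrapped base64 blob.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed sample in the shape Okta emits; entityID and URLs are made up.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            @@CERT@@
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exkEXAMPLE000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exkEXAMPLE000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("@@CERT@@", FAKE_CERT_B64)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate body, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Return issuer, POST-binding SSO URL, signing-cert fingerprints, NameID formats."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (e.g. the ITDR side's own metadata.xml) has an SPSSODescriptor instead.
        raise ValueError("metadata has no IDPSSODescriptor; is this SP metadata?")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            sso_url = svc.get("Location")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute applies to signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(fingerprint(der))

    return {
        "idp_issuer": root.get("entityID"),
        "idp_sso_url": sso_url,
        "signing_cert_sha256": fingerprints,
        "nameid_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)],
    }


def check_for_itdr(parsed: dict) -> list:
    """Problems that would stop the ITDR SAML configuration from working."""
    problems = []
    if not parsed["idp_issuer"]:
        problems.append("no entityID (IdP Issuer)")
    if not parsed["idp_sso_url"]:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    if not parsed["signing_cert_sha256"]:
        problems.append("no signing certificate; assertion signatures cannot be verified")
    if EMAIL_NAMEID not in parsed["nameid_formats"]:
        problems.append("metadata does not list the emailAddress NameID format selected in Okta")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("problems:", check_for_itdr(info) or "none")
```

Run it against the real file with parse_idp_metadata(open("Metadata.xml").read()). The fingerprint can be compared with the certificate downloaded from the Okta setup instructions page using openssl x509 -in okta.cert -noout -fingerprint -sha256, which catches a metadata file copied from the wrong Okta application.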

Step 3: Configure SAML in the ITDR Admin Portal

    1. Configure SAML for single sign-on in the ITDR Admin Portal, using the Metadata.xml file that you saved in Step 2. To learn more, see Configuring SAML for Single Sign-On.
    2. Obtain the service provider entity ID and service provider assertion URL, and download the encryption certificate. To learn more, see Obtaining SAML Setup Information.
Step 4: Update the Okta application with the ITDR service provider details

    1. Log in to the Okta portal as an administrator.
    2. Go to Applications > Applications.
    3. Select the ITDR application created in Step 1.
    4. Click General.
    5. Scroll down to the SAML Settings section, and click Edit.
    6. In the Edit SAML Integration wizard, click Next.
    7. In the SAML Settings section, under General:
      1. Single sign-on URL: Enter the service provider assertion URL that you obtained from Step 3.
      2. Audience URI (SP Entity ID): Enter the service provider entity ID that you obtained from the ITDR Admin Portal in Step 3.

    8. Click Show Advanced Settings and scroll down:
      1. Assertion Encryption: Select Encrypted from the drop-down menu.
      2. Encryption Certificate: Upload the encryption certificate that you downloaded from the ITDR Admin Portal in Step 3. Okta encrypts each assertion to this certificate, so only the ITDR Admin Portal, which holds the matching private key, can read the attributes it carries.

Step 5: Assign users and groups to the ITDR application

    1. Go to Applications > Applications.
    2. Select the ITDR application created in Step 1.
    3. Click Assignments.
    4. Select Assign > Assign to People or Assign to Groups depending on whether you want to assign access to a single user or a group of users.

    5. In the window that appears, click Assign for the user or group you want to select, and click Done.

    6. Repeat the previous step for all users and groups you want to assign to ITDR.
Configuring SAML group provisioning with Okta

  • Before you configure SAML group provisioning using Okta as an IdP, create the groups in Okta and add the relevant users to them, so that each group can be mapped to a role in the ITDR Admin Portal.

    1. Log in to the Okta portal as an administrator.
    2. Go to Applications > Applications.
    3. Select the application that you created while configuring SAML for ITDR in Okta.

    4. Select General and scroll down to the SAML Settings section, and click Edit.

    5. On the Edit SAML Integration page, click Next.
    6. Under SAML Settings:
      1. In Attribute Statements:
        • Name: Enter FullName.
        • Name Format: Select Basic from the drop-down menu.
        • Value: Enter String.join(" ", user.firstName, user.lastName).

      2. In Group Attribute Statements:
        • Name: Enter Group.
        • Name Format: Select Basic from the drop-down menu.
        • Filter: Select Matches regex from the drop-down menu, and then enter .* as the filter value. This filter sends every Okta group the user belongs to in the assertion, one AttributeValue per group. To limit what Okta discloses to ITDR, use a narrower expression that matches only the groups you map to ITDR roles (for example, a common prefix).

    7. Click Next, and then click Finish.
    8. Log in to the ITDR Admin Portal.
    9. Go to Settings > User & Roles > SSO.
    10. Select the SAML configuration that you configured for your IdP.
    11. In the SAML Provider Details window, under the Group-Based SAML Login section:
      1. Auto Create User: Enable to make sure the users in the specified groups are automatically created in the ITDR Admin Portal.
      2. SAML Response Group Attribute: Enter Group.
      3. SAML Response Name Attribute: Enter FullName.
      4. Click Add to add a group and select a role for it. Repeat for each group you want to map.

        • Enter the Okta group name exactly as it appears in the assertion's Group attribute.
        • Select a role for the group from the drop-down menu.

    12. Click Save.

    If the group attribute is not present in the SAML assertion at login, or none of its values matches a group specified in the ITDR Admin Portal, all roles mapped to the user who is logging in are removed. This can lock out the user during authentication, including the administrator who is setting up SSO. Therefore, test SAML user provisioning and role mapping with a separate test user so that you don't lock out your main account. Contact Zscaler Support if you are locked out of your account.
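
The lockout rule above is easier to reason about with the attribute evaluation spelled out. The script below is an added example and not Zscaler's implementation. It builds constructed, unsigned assertions in the shape Okta emits for the FullName and Group attribute statements configured above, extracts the NameID and attributes, and applies a group-to-role mapping the way the Group-Based SAML Login settings describe, flagging the two lockout cases (attribute absent, or no value matching a mapped group). The group names (ITDR-Admins, ITDR-Analysts) and role names (Admin, Analyst) are hypothetical; use the roles your ITDR Admin Portal offers. It compares group names exactly, which is an assumption, since this page does not say whether the portal normalizes case. It performs no signature verification or decryption; the ITDR Admin Portal does that before attributes are evaluated, and this code only lets you check a mapping before applying it to real accounts.

```python
"""Mirror the ITDR group-based SAML login evaluation on a SAML assertion.

Added example (not Zscaler's implementation): reads the NameID, FullName and
Group attributes out of an assertion and applies a group-to-role mapping the
way the Group-Based SAML Login settings describe, flagging the lockout case.
No signature verification or decryption is done here.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NS = {"saml2": SAML2}

# Attribute names as configured in Okta and in the ITDR Admin Portal.
GROUP_ATTR = "Group"
NAME_ATTR = "FullName"

# Hypothetical Okta group names and ITDR role names; the real role names are
# whatever the role drop-down in the ITDR Admin Portal offers.
GROUP_ROLE_MAP = {
    "ITDR-Admins": "Admin",
    "ITDR-Analysts": "Analyst",
}


def build_assertion(email: str, full_name: str, groups: list) -> str:
    """Constructed, unsigned assertion in the shape Okta emits for this setup.

    With the Okta group filter ".*", one AttributeValue per group appears.
    An empty group list omits the Group attribute entirely, which is the
    "not part of the SAML assertion" case from the warning in the text.
    """
    group_xml = ""
    if groups:
        values = "".join(
            f"<saml2:AttributeValue>{escape(g)}</saml2:AttributeValue>" for g in groups
        )
        group_xml = f'<saml2:Attribute Name="{GROUP_ATTR}" NameFormat="{BASIC}">{values}</saml2:Attribute>'
    return (
        f'<saml2:Assertion xmlns:saml2="{SAML2}" Version="2.0" ID="_constructed">'
        "<saml2:Subject>"
        '<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{escape(email)}</saml2:NameID></saml2:Subject>"
        "<saml2:AttributeStatement>"
        f'<saml2:Attribute Name="{NAME_ATTR}" NameFormat="{BASIC}">'
        f"<saml2:AttributeValue>{escape(full_name)}</saml2:AttributeValue></saml2:Attribute>"
        f"{group_xml}"
        "</saml2:AttributeStatement></saml2:Assertion>"
    )


def extract_attributes(assertion_xml: str):
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def evaluate_login(assertion_xml: str, group_role_map: dict = GROUP_ROLE_MAP) -> dict:
    """Apply the group-to-role mapping; an empty role set means the user is locked out."""
    name_id, attrs = extract_attributes(assertion_xml)
    groups = attrs.get(GROUP_ATTR, [])
    roles = []
    for g in groups:  # exact match (assumption: no case normalization)
        role = group_role_map.get(g)
        if role and role not in roles:
            roles.append(role)
    if GROUP_ATTR not in attrs:
        reason = f"assertion carries no '{GROUP_ATTR}' attribute"
    elif not roles:
        reason = f"none of {groups} matches a mapped group"
    else:
        reason = ""
    return {
        "user": name_id,
        "full_name": attrs.get(NAME_ATTR, [""])[0],
        "groups": groups,
        "roles": roles,
        "locked_out": not roles,
        "reason": reason,
    }


if __name__ == "__main__":
    cases = [
        ("alice@example.com", "Alice Example", ["Everyone", "ITDR-Admins"]),
        ("bob@example.com", "Bob Example", ["Everyone"]),
        ("carol@example.com", "Carol Example", []),
    ]
    for email, name, groups in cases:
        print(evaluate_login(build_assertion(email, name, groups)))
```

The bob case shows why the filter value matters: with the regex set to .*, Okta still sends groups such as Everyone, but a user whose only groups are unmapped ends up with no roles and is locked out exactly as the warning describes, so every account that must keep access needs membership in at least one mapped group before you save the configuration.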

Related Articles

  • Configuring SAML for Single Sign-On
  • Configuring SAML for Okta Single Sign-On
  • Configuring SAML for Microsoft Entra ID Single Sign-On
  • Configuring SAML for Active Directory Federation Services