This solution provides the steps to configure Okta as an identity provider (IdP) and PingFederate as a service provider (SP) using a SAML 2.0 connection for communications. This process doesn’t address single logout (SLO) or provisioning for either side of the single sign-on (SSO) transaction.
Component
PingFederate 9.1
Process overview
The process for Okta as the IdP using IdP-initiated SSO is:
- The user goes to Okta, assuming the user has an existing Okta session.
- The user clicks the chiclet (the app tile in the Okta dashboard), which sends a SAML response to the configured SP.
- A session is established with the SP.
- The user is authenticated.
In SP-initiated SSO, the process is:
- The user goes to the target SP first. They don't have a session established with the SP.
- The SP redirects the user to the configured sign-on URL (the app instance URL that Okta generated for this SP), sending the SAML request with that redirect.
- Okta receives a SAML request, assuming the user has an existing Okta session.
- Okta sends a SAML response to the configured SP.
- The SP receives the SAML response and verifies that it is valid.
- A session is established on the SP side.
- The user is authenticated.
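The two flows differ on the SP side mainly in what the SAML response must be matched against: an SP-initiated response carries an InResponseTo that must match an AuthnRequest the SP issued, while an IdP-initiated (unsolicited) response has none and is accepted only if the SP allows that. The following added example (not Ping's or Okta's code) shows the message-level checks an SP applies to a response after its XML signature has been verified with an XML-DSig library, which this example does not do; the sample response, issuer and entity IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample for illustration only; a real Okta response carries an XML signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/sp/ACS.saml2"
 InResponseTo="_req42"><saml:Issuer>http://www.okta.com/exk_example</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
<saml:Issuer>http://www.okta.com/exk_example</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def parse_ts(s):
    # SAML timestamps are UTC ("Z"); fractional seconds, if present, are dropped.
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validate_response(xml_text, idp_issuer, sp_entity_id, acs_url, outstanding_ids,
                      now, allow_unsolicited=False):
    """Message checks the SP applies AFTER XML-DSig verification; returns (accepted, NameID or reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"] or root.get("Destination") != acs_url:
        return False, "not a samlp:Response addressed to this SP's ACS URL"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return False, "status is not Success"
    irt = root.get("InResponseTo")
    if irt is None and not allow_unsolicited:  # IdP-initiated SSO: no AuthnRequest to match
        return False, "unsolicited response, but IdP-initiated SSO is not enabled"
    if irt is not None and irt not in outstanding_ids:  # SP-initiated SSO: must match our request
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    a = root.find("saml:Assertion", NS)
    if a is None or len(root.findall("saml:Assertion", NS)) != 1:
        return False, "expected exactly one Assertion"
    if a.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        return False, "Issuer is not the configured Okta IdP"
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and noa) or now < parse_ts(nb) or now >= parse_ts(noa):
        return False, "missing or expired validity window"
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "Audience does not include this SP's entity ID"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

In a real deployment the outstanding request IDs come from the SP's own session store and are consumed once, so a replayed response with a used InResponseTo is rejected.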