You must have the following:

  • PingFederate installed and operating with administrator access OS
  • Okta Enterprise or Enterprise Plus active with administrative access

This task also assumes that you have the following information:

  • A metadata XML file from the Okta IdP that is accessible to the PingFederate console application
  • An adapter configured for the target SP application
  1. In the PingFederate administrative console, go to Authentication > Integration > IdP Connections, and then click Create Connection.
  2. On the Connection Type tab, select Browser SSO Profiles, and in the Protocol list, select SAML 2.0. Click Next.
  3. On the Connection Options tab, click Next.
  4. On the Import Metadata tab, click File, and then click Choose file.
  5. Go to the Okta IdP metadata file, and then click Open.
  6. Click Next.
  7. On the Metadata Summary tab, click Next.
  8. On the General Info tab, review the Partner's Entity ID and Connection Name.
    The General Info tab is filled out by the metadata.
  9. If using a virtual server ID (VSID) for this connection instead of the Systems SAML 2.0 entityID, enter it in the Virtual Server IDS field. Click Next.
  10. On the Browser SSO tab, click Configure Browser SSO.
  11. On the SAML Profiles tab, select the agreed upon profiles, at a minimum IdP-Initiated SSO. Click Next.
    Optionally, you can select SP-initiated single sign-on (SSO) and sinigle logout (SLO) if configured for this connection.
  12. On the User-Session Creation tab, click Configure User-Session Creation.
  13. On the Identity Mapping tab, click Account Mapping and then click Next.
  14. On the Attribute Contract tab, add any required attributes for the contract. Click Next.
  15. On the Target Session Mapping tab, click Map New Adapter Instance..
  16. On the Adapter Instance tab, select the previously configured adapter from the Adapter Instance list. Review the adapter contract, and then click Next.
    Optionally, you can click Manage Adapter Instances to create a new adapter that will map the inbound attributes from Okta into the PingFederate connection.
  17. On the Adapter Data Store tab, keep the default selection of Use only the Attributes Available in the SSO Assertion, and then click Next.
  18. On the Adapter Contract Fulfillment tab, map the attributes from the inbound assertion to the connection attributes. Click Next
  19. On the Issuance Criteria tab, click Next.
  20. To complete the adapter configuration, on the Adapter Mapping Summary tab, click Done, and then click Next on the Target Session Mapping tab.
    You return to the User-Session Creation tabs.
  21. Review the User-Session Creation Summary tab, and then click Done.
  22. On the User Session Creation tab, click Next.
  23. On the Protocol Settings tab, click Configure Protocol Settings.

    The Protocol Settings tab shows the currently configured values from the metadata.

  24. On the SSO Service URLs tab, review the Endpoint URLs extracted from the metadata. Click Next.
  25. On the Allowable SAML Bindings tab, ensure only Post and Redirect are selected, and then click Next.
  26. Optional: On the Overrides tab, optionally specify a different Target URL and Authorization context. Click Next.
  27. On the Signature Policy tab, use the default selection of SAML Standard where the IdP will sign the response. Click Next.

    This is the Okta default.

  28. On the Encryption Policy tab, keep the default selection of None. Click Next.
  29. On the Protocol Settings Summary tab, review and click Done.
  30. On the Protocol Settings tab, click Next.
  31. On the Browser SSO Summary tab, review the settings and click Done.
  32. On the Browser SSO tab, click Next.
  33. On the Credentials tab, verify the IdP signing certificate is available, and then click Next.

    Because you imported metadata, the signing public key from the Okta partner was included.

  34. On the Activation and Summary tab, ensure that the connection is active.
  35. Click Save.
PingFederate SP configuration is complete.