Configure PingFederate as a service provider (SP) with Okta as an identity provider (IdP) using a SAML 2.0 connection.
You must have the following:
- PingFederate installed and operating, with OS administrator access
- Okta Enterprise or Enterprise Plus active with administrative access
This task also assumes that you have the following information:
- A metadata XML file from the Okta IdP that is accessible to the PingFederate console application
- An adapter configured for the target SP application
- In the PingFederate administrative console, go to , and then click Create Connection.
- On the Connection Type tab, select Browser SSO Profiles, and in the Protocol list, select SAML 2.0. Click Next.
- On the Connection Options tab, click Next.
- On the Import Metadata tab, click File, and then click Choose file.
- Go to the Okta IdP metadata file, and then click Open.
- Click Next.
- On the Metadata Summary tab, click Next.
- On the General Info tab, review the Partner's Entity ID and Connection Name.
The General Info tab is filled out by the metadata.
- If you are using a virtual server ID (VSID) for this connection instead of the system's SAML 2.0 entity ID, enter it in the Virtual Server IDs field. Click Next.
- On the Browser SSO tab, click Configure Browser SSO.
- On the SAML Profiles tab, select the agreed-upon profiles, at a minimum IdP-Initiated SSO. Click
Optionally, you can select SP-initiated single sign-on (SSO) and single logout (SLO) if they are configured for this connection.
- On the User-Session Creation tab, click Configure User-Session Creation.
- On the Identity Mapping tab, click Account Mapping and then click Next.
- On the Attribute Contract tab, add any required attributes for the contract. Click Next.
- On the Target Session Mapping tab, click Map New Adapter Instance.
- On the Adapter Instance tab, select the previously configured adapter from the Adapter Instance list. Review the adapter contract, and then click Next.
Optionally, you can click Manage Adapter Instances to create a new adapter that maps the inbound attributes from Okta into the PingFederate connection.
- On the Adapter Data Store tab, keep the default selection of Use only the Attributes Available in the SSO Assertion, and then click Next.
- On the Adapter Contract Fulfillment tab, map the attributes from the inbound assertion to the connection attributes. Click Next.
- On the Issuance Criteria tab, click Next.
- To complete the adapter configuration, on the Adapter Mapping Summary tab, click Done, and then click Next on the Target Session
You return to the User-Session Creation tab.
- Review the User-Session Creation Summary tab, and then click Done.
- On the User Session Creation tab, click Next.
- On the Protocol Settings tab, click Configure
The Protocol Settings tab shows the currently configured values from the metadata.
- On the SSO Service URLs tab, review the Endpoint URLs extracted from the metadata. Click Next.
- On the Allowable SAML Bindings tab, ensure that only POST and Redirect are selected, and then click Next.
- Optional: On the Overrides tab, specify a different Target URL and Authorization context. Click Next.
- On the Signature Policy tab, keep the default selection of SAML Standard, where the IdP signs the response.
This is the Okta default.
- On the Encryption Policy tab, keep the default selection of None. Click Next.
- On the Protocol Settings Summary tab, review and click Done.
- On the Protocol Settings tab, click Next.
- On the Browser SSO Summary tab, review the settings and click Done.
- On the Browser SSO tab, click Next.
- On the Credentials tab, verify that the IdP signing certificate is available, and then click Next.
Because you imported metadata, the signing public key from the Okta partner was included.
- On the Activation and Summary tab, ensure that the connection is active.
- Click Save.