---
title: Connecting Okta as an IdP through SAML to PingFederate as an SP
description: This solution provides the steps to configure Okta as an identity provider (IdP) and PingFederate as a service provider (SP) using a SAML 2.0 connection for communications. This process doesn't address single logout (SLO) or provisioning for either side of the single sign-on (SSO) transaction.
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:htg_connect_okta_idp_saml_pf_sp
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_connect_okta_idp_saml_pf_sp.html
revdate: July 18, 2022
page_aliases: ["single_sign-on_use_cases:htg_connect_okta_idp_saml_pf_sp_okta_idp.adoc", "single_sign-on_use_cases:htg_connect_okta_idp_saml_pf_sp_config_pf.adoc", "single_sign-on_use_cases:htg_connect_okta_idp_saml_pf_sp_troubleshooting.adoc"]
section_ids:
  component: Component
  process-overview: Process overview
  configuring-okta-as-the-idp: Configuring Okta as the IdP
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  result: Result
  configuring-pingfederate-as-the-sp: Configuring PingFederate as the SP
  before-you-begin-2: Before you begin
  steps-2: Steps
  result-2: Result:
  result-3: Result
  troubleshooting: Troubleshooting
  sso-attempt-looping: SSO attempt looping
  pingfederate-error-in-server-log: PingFederate error in server.log
---

# Connecting Okta as an IdP through SAML to PingFederate as an SP

This solution provides the steps to configure Okta as an identity provider (IdP) and PingFederate as a service provider (SP) using a SAML 2.0 connection for communications. This process doesn't address single logout (SLO) or provisioning for either side of the single sign-on (SSO) transaction.

## Component

PingFederate 9.1

## Process overview

The process for Okta as the IdP using IdP-initiated SSO is:

1. The user goes to Okta, assuming the user has an existing Okta session.

2. The user clicks the application chiclet, which sends a SAML response to the configured SP.

3. A session is established with the SP.

4. The user is authenticated.

In SP-initiated SSO, the process is:

1. The user goes to the target SP first. They don't have a session established with the SP.

2. The SP redirects the user to the configured sign-on URL, Okta's generated app instance URL, sending the SAML request.

3. Okta receives a SAML request, assuming the user has an existing Okta session.

4. Okta sends a SAML response to the configured SP.

5. The SP receives the SAML response and verifies that it is correct.

6. A session is established on the SP side.

7. The user is authenticated.

## Configuring Okta as the IdP

Configure Okta as an identity provider (IdP) and PingFederate as a service provider (SP) using a SAML 2.0 connection.

### Before you begin

You must have the following:

* PingFederate installed and operating, with administrator access to the host operating system

* Okta with Workforce Identity Single sign-on, One-App, or Enterprise editions

This task also assumes that you have the following information from the SP:

* Assertion consumer service (ACS) URL

* Signing certificate (if required)

### About this task

**Note:** With Okta as the IdP, only a one-to-one IdP to SP entityID relationship is supported. If the SP has more than one application, a new IdP connection with a unique entityID from Okta is required. This behavior can be overridden by Okta.

### Steps

1. Sign on to Okta as an administrator.

2. Go to **Application → Add Application**.

3. On the **Add Application** page, click **Add Application**.

4. On the **Create a New Application Integration** page, in the **Platform** list, select **Web**.

5. Click **SAML 2.0**, and then click **Create**.

6. On the **General Settings** tab, in the **Create SAML Integration** section, enter a name for the application in the **App name** field. Click **Next**.

   You can also add a logo and set the app visibility.

7. On the **Configure SAML** tab, in the **Single Sign on URL** field, enter the PingFederate ACS URL.

8. In the **Audience URI** field, enter the PingFederate SAML entity ID or connection virtual server ID (VSID).

9. **Optional:** In the **Attribute Statements (Optional)** and **Group Attribute Statements (Optional)** sections, add attributes from the Okta user store to fulfill the attribute contract with the SP.

10. Click **Next**.

11. **Optional:** Complete the sections on the **Feedback** tab.

    The sections on this tab help the Ping Identity support team.

12. Click **Finish**.

13. To obtain the file needed to configure the PingFederate SP, in the **Summary** window, click the **Identity Provider metadata** link.

14. **Optional:** If you're creating your own portal, click the **General** tab, and then copy the **App Embed Link**.

### Result

Okta configuration as the IdP is complete.

## Configuring PingFederate as the SP

Configure PingFederate as a service provider (SP) with Okta as an identity provider (IdP) using a SAML 2.0 connection.

### Before you begin

You must have the following:

* PingFederate installed and operating, with administrator access to the host operating system

* Okta Enterprise or Enterprise Plus active with administrative access

This task also assumes that you have the following information:

* A metadata XML file from the Okta IdP that is accessible to the PingFederate console application

* An adapter configured for the target SP application

### Steps

1. In the PingFederate administrative console, go to **Authentication → Integration → IdP Connections**, and then click **Create Connection**.

2. On the **Connection Type** tab, select **Browser SSO Profiles**, and in the **Protocol** list, select **SAML 2.0**. Click **Next**.

3. On the **Connection Options** tab, click **Next**.

4. On the **Import Metadata** tab, click **File**, and then click **Choose file**.

5. Go to the Okta IdP metadata file, and then click **Open**.

6. Click **Next**.

7. On the **Metadata Summary** tab, click **Next**.

8. On the **General Info** tab, review the **Partner's Entity ID** and **Connection Name**.

   The **General Info** tab is populated from the imported metadata.

9. If you are using a virtual server ID (VSID) for this connection instead of the system's SAML 2.0 entity ID, enter it in the **Virtual Server IDs** field. Click **Next**.

10. On the **Browser SSO** tab, click **Configure Browser SSO**.

11. On the **SAML Profiles** tab, select the agreed-upon profiles, at a minimum **IdP-Initiated SSO**. Click **Next**.

    Optionally, you can select SP-initiated single sign-on (SSO) and single logout (SLO) if they are configured for this connection.

12. On the **User-Session Creation** tab, click **Configure User-Session Creation**.

13. On the **Identity Mapping** tab, click **Account Mapping** and then click **Next**.

14. On the **Attribute Contract** tab, add any required attributes for the contract. Click **Next**.

15. On the **Target Session Mapping** tab, click **Map New Adapter Instance**.

16. On the **Adapter Instance** tab, select the previously configured adapter from the **Adapter Instance** list. Review the adapter contract, and then click **Next**.

    Optionally, you can click **Manage Adapter Instances** to create a new adapter that will map the inbound attributes from Okta into the PingFederate connection.

17. On the **Adapter Data Store** tab, keep the default selection of **Use only the Attributes Available in the SSO Assertion**, and then click **Next**.

18. On the **Adapter Contract Fulfillment** tab, map the attributes from the inbound assertion to the connection attributes. Click **Next**.

19. On the **Issuance Criteria** tab, click **Next**.

20. To complete the adapter configuration, on the **Adapter Mapping Summary** tab, click **Done**, and then click **Next** on the **Target Session Mapping** tab.

    #### Result:

    You return to the **User-Session Creation** tab.

21. Review the **User-Session Creation Summary** tab, and then click **Done**.

22. On the **User Session Creation** tab, click **Next**.

23. On the **Protocol Settings** tab, click **Configure Protocol Settings**.

    The **Protocol Settings** tab shows the currently configured values from the metadata.

24. On the **SSO Service URLs** tab, review the **Endpoint URLs** extracted from the metadata. Click **Next**.

25. On the **Allowable SAML Bindings** tab, ensure only **Post** and **Redirect** are selected, and then click **Next**.

26. **Optional:** On the **Overrides** tab, specify a different Target URL and Authorization context. Click **Next**.

27. On the **Signature Policy** tab, use the default selection of **SAML Standard** where the IdP will sign the response. Click **Next**.

    This is the Okta default.

28. On the **Encryption Policy** tab, keep the default selection of **None**. Click **Next**.

29. On the **Protocol Settings Summary** tab, review and click **Done**.

30. On the **Protocol Settings** tab, click **Next**.

31. On the **Browser SSO Summary** tab, review the settings and click **Done**.

32. On the **Browser SSO** tab, click **Next**.

33. On the **Credentials** tab, verify the IdP signing certificate is available, and then click **Next**.

    Because you imported metadata, the signing public key from the Okta partner was included.

34. On the **Activation and Summary** tab, ensure that the connection is active.

35. Click **Save**.

### Result

PingFederate SP configuration is complete.

## Troubleshooting

You might encounter the following common issues after completing configuration.

### SSO attempt looping

Single sign-on (SSO) attempt looping happens if the following items in the Okta configuration aren't set to the PingFederate assertion consumer service (ACS) endpoint:

* Recipient

* Destination

* Postback URL

### PingFederate error in `server.log`

The following error indicates that the entityID used for the Okta connection is incorrect.

```
Top level error (ref#ftpcge): Unable to lookup idp connection metadata for
entityid='http://www.okta.com/<string>
```

Check your metadata or check with the Okta account owner to verify the entityID.
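Both problems above can be spotted in a captured SAML response before signature verification even runs: the response `Destination` and the assertion `Recipient` must equal the PingFederate ACS URL, the `Audience` must equal the SP entity ID (or VSID) entered in Okta, and both `Issuer` elements must equal the entity ID PingFederate imported from the metadata. The following added example is not Ping Identity or Okta code; the response, URLs and entity IDs are constructed placeholders, and the check is a configuration sanity check only, not a replacement for the signature and condition validation PingFederate performs.

```python
# Added example, not Ping Identity or Okta code: compare the addressing fields
# of a SAML Response with the PingFederate SP settings. A wrong Recipient or
# Destination causes the SSO loop; a wrong Issuer causes the server.log error.
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample; ACS URL, entity IDs, IDs and the user are placeholders.
ACS_URL = "https://sp.example.com/sp/ACS.saml2"
SP_ENTITY_ID = "pf-sp-example"
IDP_ENTITY_ID = "http://www.okta.com/exkEXAMPLE0000000000"
SAMPLE_RESPONSE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2022-07-18T00:00:00Z" Destination="https://sp.example.com/sp/ACS.saml2">
  <a:Issuer>http://www.okta.com/exkEXAMPLE0000000000</a:Issuer>
  <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
  <a:Assertion ID="_a1" Version="2.0" IssueInstant="2022-07-18T00:00:00Z">
    <a:Issuer>http://www.okta.com/exkEXAMPLE0000000000</a:Issuer>
    <a:Subject><a:NameID>jdoe@example.com</a:NameID>
      <a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <a:SubjectConfirmationData Recipient="https://sp.example.com/sp/ACS.saml2"/>
      </a:SubjectConfirmation></a:Subject>
    <a:Conditions><a:AudienceRestriction><a:Audience>pf-sp-example</a:Audience></a:AudienceRestriction></a:Conditions>
  </a:Assertion>
</p:Response>"""

def check_response_addressing(xml_text, acs_url, sp_entity_id, idp_entity_id):
    """Return a list of mismatches; an empty list means the addressing is consistent.
    Unencrypted assertions only (Encryption Policy 'None', as configured above)."""
    root = ET.fromstring(xml_text)
    expected = {
        "Response/@Destination": (root.get("Destination"), acs_url),
        "Response/Issuer": (root.findtext("a:Issuer", namespaces=NS), idp_entity_id),
    }
    for asr in root.findall("a:Assertion", NS):
        scd = asr.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
        expected["Assertion/Issuer"] = (asr.findtext("a:Issuer", namespaces=NS), idp_entity_id)
        expected["SubjectConfirmationData/@Recipient"] = (
            scd.get("Recipient") if scd is not None else None, acs_url)
        expected["Conditions/Audience"] = (
            asr.findtext("a:Conditions/a:AudienceRestriction/a:Audience", namespaces=NS),
            sp_entity_id)
    return [f"{field}: got {got!r}, expected {want!r}"
            for field, (got, want) in expected.items() if got != want]
```

Feed it the decoded `SAMLResponse` captured from the browser POST to the ACS endpoint and the values you entered in PingFederate and Okta; each returned line names the field that disagrees.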
