Okta
Access Type: Organization Settings - Editor
Premium Feature: SSO
Single Sign-On (SSO) is an authentication process that allows users to access multiple applications or systems with one set of login credentials. In this article, we will cover how to configure SSO using the SAML 2.0 standard protocol with Okta.
Retrieve SSO SAML identifiers
To start, your organization needs to retrieve the SSO SAML identifiers from the Didomi console to continue setup in your identity provider.
Click My organization and select Single Sign-on from the drop-down menu.

Use the provided fields in the Get your SSO SAML identifiers step to record the following:
Configured issuer: your organization's identity provider's unique identifier within the Didomi console.
Login URL: where the user will be redirected after a successful login on the identity provider.

Click Continue when finished.
Configure Didomi console integration in Okta
Before configuring SSO, your organization will need to add a Didomi console integration in your Okta account. From the Admin console of your Okta account:
Navigate to Applications > Applications.
Click on Create App Integration.
Select SAML 2.0 in the Sign-in method.
Click Next.
In App name, enter a name for your new application that is recognizable as being for the Didomi console (e.g. Didomi Console). This is where your organization will configure the SSO SAML.
Navigate to the Configure SAML section and enter the SSO SAML identifiers retrieved from the Didomi console in the appropriate fields (Okta field: Didomi value):
Single sign-on URL: Login URL
Audience URI (SP Entity ID): Configured issuer
Next, navigate to your integration's attribute statements and configure the following:
Note: Your organization must configure the following attribute statement for the SSO configuration with Okta to be complete.
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name format: URI Reference
Value: user.email
Continue with the configuration flow to create the Didomi console integration within Okta.
Retrieve Didomi console integration metadata from Okta
When the Didomi console integration is created within Okta, navigate to the application from the Okta Admin console and click the Sign On tab. Record the values for the following fields (collectively Didomi refers to these values as metadata):
Sign-On URL
Issuer
Signing Certificate
Add Okta metadata
With the metadata from Okta copied, navigate back to the SSO configuration within the Didomi console and input those values in the provided fields for the Setup SSO settings step (Didomi field: Okta value):
X509 certificate: Signing Certificate
Login URL: Sign-On URL
Logout URL
Issuer

Test and complete SSO configuration
Didomi will verify the identity provider metadata. When successful, use the Domain(s) field to add the email domains to which SAML authentication will be restricted (i.e. only users whose email addresses have one of these domains will be allowed to log in with SSO SAML).
For security, the domain added to the Domain(s) field must match the email domain of the user performing the configuration (e.g. didomi.io can only be added if the user adding it is signed into the Didomi console using an @didomi.io email address).
To add more than one domain, please contact the Didomi support team via chat or email at [email protected].

Click Save settings.
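The attribute statement configured in Okta and the domain restriction set in this step are both checks that the service provider side performs on each assertion Okta sends. The Python script below is an added example, not Didomi's or Okta's code, showing those checks over a constructed assertion: the Issuer and Audience must match the values exchanged during setup, the email-address attribute must be present exactly once under the URI name format, and the email's domain must be one of the configured domains. The assertion text, the Okta issuer and the Didomi configured issuer are placeholder values; signature verification against the X509 certificate is assumed to have already been done by the SAML library and is not shown.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name and the SAML 2.0 name format that "URI Reference" in Okta maps to.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Placeholder values standing in for the metadata exchanged during setup (constructed).
OKTA_ISSUER = "http://www.okta.com/EXAMPLE-ISSUER"            # Okta "Issuer" field
DIDOMI_CONFIGURED_ISSUER = "didomi-configured-issuer-EXAMPLE"  # Didomi "Configured issuer"

# Constructed sample assertion (not a real Okta response); the Signature element is omitted
# because signature verification is assumed to happen before these checks.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{OKTA_ISSUER}</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{DIDOMI_CONFIGURED_ISSUER}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}" NameFormat="{URI_NAME_FORMAT}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlCheckError(ValueError):
    """Raised when an assertion fails one of the service-provider checks."""


def check_assertion(xml_text, expected_issuer, expected_audience, allowed_domains):
    """Validate issuer, audience and the email attribute; return the normalized email."""
    root = ET.fromstring(xml_text)

    # 1. The assertion must come from the Okta application we configured.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        raise SamlCheckError(f"unexpected issuer: {issuer!r}")

    # 2. The audience must be our own SP entity ID (the Didomi configured issuer),
    #    so an assertion minted for another application is not accepted here.
    audiences = [a.text.strip() for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise SamlCheckError(f"audience {expected_audience!r} not in {audiences!r}")

    # 3. Exactly one email-address attribute, declared with the URI name format.
    emails = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != EMAIL_CLAIM:
            continue
        if attr.get("NameFormat") != URI_NAME_FORMAT:
            raise SamlCheckError("email attribute must use the URI name format")
        emails += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    if len(emails) != 1:
        raise SamlCheckError(f"expected exactly one email attribute value, got {len(emails)}")

    # 4. The email's domain must be one of the domains configured in the Domain(s) field.
    email = emails[0].lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or domain not in {d.lower() for d in allowed_domains}:
        raise SamlCheckError(f"email domain {domain!r} is not an allowed SSO domain")
    return email


def is_accepted(xml_text, expected_issuer, expected_audience, allowed_domains):
    """Boolean wrapper: True if every check passes, False otherwise."""
    try:
        check_assertion(xml_text, expected_issuer, expected_audience, allowed_domains)
        return True
    except (SamlCheckError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, OKTA_ISSUER, DIDOMI_CONFIGURED_ISSUER, ["example.com"]))
```

Each check corresponds to a value recorded during the setup steps: the Issuer from Okta's Sign On tab, the Configured issuer from the Didomi console (entered into Okta as Audience URI), the attribute statement, and the Domain(s) field. A tampered audience, a second email value or an address outside the configured domains each cause the assertion to be rejected rather than silently mapped to an account.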
Assign user access
Once the Didomi console SSO configuration is finished, your organization can manage a user's access to the Didomi console from the Okta Admin portal. Navigate to the Didomi console integration:
Click Assignments
Click Assign > Assign to people
Follow Okta instructions to assign user access.