Create SAML application using Okta python SDK

I am trying to configure SAML application for SSO using Okta SDK.

Using the docs online I was able to create Okta client using a token like below

import asyncio
from okta.client import Client as OktaClient
config = {‘orgUrl’: ‘<>’, ‘token’: ‘<>’}*
okta_client = OktaClient(config)
users, resp, err = await okta_client.list_users()

I am not sure how to create an SAML 2.0 application
Can I get a documentation or steps for creating an SAML application using python SDK.

GitHub page for Okta Python SDK has an example for SWA application, so I assume you can check if you can do for SAML too

I see with models we can create the Saml Application…

I need more information on how to pass the attributes and values to it for SAML SSO

In [9]: models.SamlApplication
Out[9]: okta.models.saml_application.SamlApplication

okta_client = OktaClient(config)
samlSignOn = models.SamlApplicationSettingsSignOn({
‘audience’: ‘’,
‘destination’: ‘’,
‘recipient’: ‘’,
‘sso_acs_url’: ‘’,
‘subject_name_id_format’: ‘urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress’ })

samlAppSet = models.SamlApplicationSettings({
‘app’: samlSignOn

samlApp = models.SamlApplication({
‘label’: ‘abc’,
‘settings’: samlAppSet,

app, resp, err = await okta_client.create_application(samlApp)

This configuration is throwing error but the message is not clear

In [27]: err
Out[27]: {‘message’: ‘Okta HTTP 500 E0000009 Internal Server Error\n’}

I am getting the same result using the Go SDK. My intent is to create a custom SAML 2.0 app. Here is how we’re making the call:

	appSettings := okta.NewSamlApplication()
	appSettings.Label = name
	appSettings.Settings = &okta.SamlApplicationSettings{
		SignOn: &okta.SamlApplicationSettingsSignOn{
			SsoAcsUrl:           "https://" + subdomain + "." + rootDomain + "/sso/auth",
			Audience:            "https://" + subdomain + "." + rootDomain + "/sso/metadata",
			Recipient:           "https://" + subdomain + "." + rootDomain + "/sso/auth",
			Destination:         "https://" + subdomain + "." + rootDomain + "/sso/auth",
			SubjectNameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
			SignatureAlgorithm:  "RSA_SHA256",
			DigestAlgorithm:     "SHA256",
			ResponseSigned:      newBool(true),
			AssertionSigned:     newBool(true),
			HonorForceAuthn:     newBool(true),
	appSettings.Visibility = &okta.ApplicationVisibility{
		Hide: &okta.ApplicationVisibilityHide{
			IOS: newBool(false),
			Web: newBool(false),

	app, _, err := o.oktaApp.CreateApplication(context.TODO(), appSettings, nil)
	if err != nil {
		return nil, "", err

This routinely returns a 500 with no helpful info. I can, however, create one via a direct API call using PostMan (with the same payload).

I suspect we are having the same problem (though different SDKs).

HI GabreilZ, can you please share the payload which you used in POSTMAN for reference… thank you

Hi Okta Team, can any one help with proper configuration details using Okta SDK

Based on my terraform config I see few attributes missing in your call

  subject_name_id_template         = "$${user.userName}"
  authn_context_class_ref          = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

Maybe try to add it and see if it helps

@pradvara Here is the payload in Postman:

  "label": "My SAML App",
  "visibility": {
    "hide": {
      "iOS": false,
      "web": false
  "settings": {
    "signOn": {
      "ssoAcsUrl": "",
      "audience": "",
      "recipient": "",
      "destination": "",
      "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "responseSigned": true,
      "assertionSigned": true,
      "signatureAlgorithm": "RSA_SHA256",
      "digestAlgorithm": "SHA256",
      "honorForceAuthn": true
  "signOnMode": "SAML_2_0"

I still get a 500 with those additions.

Thank you Gabriel for the information

The following worked for me if it helps using golang.

    appSettings := okta.NewSamlApplication()

    appSettings.Label = label

    appSettings.Settings = &okta.SamlApplicationSettings{

        SignOn: &okta.SamlApplicationSettingsSignOn{

            DefaultRelayState: "",

            SsoAcsUrl:         ssourl,

            Recipient:         recipient,

            Destination:       destination,

            Audience:          audience,

            // IdpIssuer:             d.Get("idp_issuer").(string),

            SubjectNameIdTemplate: subjectNameIDTemplate,

            SubjectNameIdFormat:   subjectNameIDFormat,

            ResponseSigned:        &responseSigned,

            AssertionSigned:       &assertionSigned,

            SignatureAlgorithm:    signatureAlgorithm,

            DigestAlgorithm:       digestAlgorithm,

            HonorForceAuthn:       &honorForceAuthn,

            AuthnContextClassRef:  authnContextClassRef,



    appSettings.Visibility = &okta.ApplicationVisibility{

        AutoSubmitToolbar: &autoSubmit,

        Hide: &okta.ApplicationVisibilityHide{

            IOS: &hideMobile,

            Web: &hideWeb,



    samlAttr := make([]*okta.SamlAttributeStatement, 2)

    samlAttr[0] = &okta.SamlAttributeStatement{

        Name:      "Name",

        Namespace: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",

        Type:      "EXPRESSION",

        Values:    []string{"user.firstName"},


    samlAttr[3] = &okta.SamlAttributeStatement{

        Name:        "groups",

        Namespace:   "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",

        Type:        "GROUP",

        FilterType:  "REGEX",

        FilterValue: ".*",


    appSettings.Settings.SignOn.AttributeStatements = samlAttr

    application, _, err := client.Application.CreateApplication(ctx, appSettings, nil)

    newApp := application.(*okta.SamlApplication)

    if err != nil {

        fmt.Println("bad", err)

    } else {

        fmt.Println(newApp.Label + " app created")


also make sure your client auth is correct otherwise you will get panic: runtime error: invalid memory address or nil pointer dereference

Thank you Bloke… will check…

Thanks, @Bloke! That did work. I think it was likely the attribute statements. That can be empty, but must be defined.

So I have it as:

 samlAttr := make([]*okta.SamlAttributeStatement, 0)

Glad it worked out. Yes in my experience with okta saml so far: everything must be defined, even when trying to modify an app you need to pass everything. Have fun.