We have an internal web application and our customer says they use Okta with SAML authentication. I assume this means that Okta is acting as the service provider and the customer is using an internal identity provider.
In looking for guidance on how to set this up, most of the examples I find are for OAuth. I found one guide for SAML which requires me to use the classic UI, but it assumes that I have access to the identity provider and assumes I know the ins and outs of SAML. For example, the help text for Audience URI reads, “The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.” That is Greek to me.
Any guidance on how a developer who is new to SAML can get set up to build this integration with Okta?
In most use-cases, Okta acts as an identity provider for applications. To set up a SAML application in Okta, you can follow the instructions available here. You will need to have at least the Assertion Consumer Service URL and the entity ID from the SAML endpoints of your application in order to successfully integrate it with Okta.
Once the application is created, you can submit it to oinmanager.okta.com in order to have it added in our Okta Integration Network.
By following the steps in that SAML document, I have set up an identity provider in Okta. Thank you for that.
The next question is how do I set up my internal application as a service provider that can talk to Okta as an identity provider? My application does not have an externally accessible URL.
You can follow the documentation mentioned previously to configure the details from your on-premises application with Okta. Once a user clicks the chiclet on their end-user dashboard, Okta will send a SAML assertion through an HTTP POST, via the client side, directly to your on-premises endpoint. As such, if users are on the network and access the chiclet, they will be able to authenticate to your on-premises application successfully.
If you would like off-network users to access the application, then you will need to publish the application over the internet or through a VPN.
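The ACS URL and entity ID asked for in the first answer, and the browser-side HTTP POST described in the answer just above, meet at the application's Assertion Consumer Service endpoint. The following is an added example, not code from this thread or from Okta, of the checks that endpoint should make on the POSTed SAMLResponse before trusting the NameID. The SP entity ID, ACS URL and IdP issuer strings are hypothetical, the sample Response is constructed test data, and XML signature verification is delegated to a real XML-DSig library (only signature presence is checked here).

```python
"""SP-side checks for a SAML Response delivered to an ACS endpoint.

Added example (not from the forum thread or from Okta). The three URLs below
are hypothetical. Signature *verification* must be done with an XML-DSig
library such as xmlsec / python3-saml; this code only checks presence.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # production code: use defusedxml instead

SP_ENTITY_ID = "https://app.example.internal/saml/metadata"  # hypothetical: the "Audience URI"
SP_ACS_URL = "https://app.example.internal/saml/acs"         # hypothetical: where the browser POSTs
IDP_ISSUER = "https://idp.example.com/hypothetical-issuer"   # hypothetical: Okta's Issuer value

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = dt.timedelta(minutes=2)


class SamlError(ValueError):
    """Raised when the Response must be rejected."""


def parse_time(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(saml_response_b64, now_iso, expected_in_response_to=None):
    """Checks on the base64 SAMLResponse form field; returns the NameID or raises.

    expected_in_response_to is the AuthnRequest ID for SP-initiated logins. None
    means an unsolicited, IdP-initiated login (e.g. Okta chiclet click) is expected.
    """
    now = parse_time(now_iso)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    # Destination: the Response must be addressed to *our* ACS URL.
    if root.get("Destination") != SP_ACS_URL:
        raise SamlError("Destination does not match ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    # InResponseTo must match our request ID, or be absent for IdP-initiated flows.
    if root.get("InResponseTo") != expected_in_response_to:
        raise SamlError("InResponseTo mismatch")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("no plaintext Assertion (EncryptedAssertion not handled here)")
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text != IDP_ISSUER:
        raise SamlError("unexpected Issuer")
    # A signature must be present on the Response or the Assertion; verify it with xmlsec.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        raise SamlError("unsigned Response/Assertion")
    # Audience: the value Okta's "Audience URI" field produces; it must equal our entity ID.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise SamlError("missing Conditions")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlError("Audience %r does not include our entity ID" % audiences)
    # Validity window with a small clock-skew allowance.
    nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if nb and now + CLOCK_SKEW < parse_time(nb):
        raise SamlError("assertion not yet valid")
    if noa and now - CLOCK_SKEW >= parse_time(noa):
        raise SamlError("assertion expired")
    # Bearer confirmation: Recipient must also be our ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise SamlError("SubjectConfirmationData Recipient mismatch")
    if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_time(scd.get("NotOnOrAfter")):
        raise SamlError("subject confirmation expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise SamlError("missing NameID")
    return name_id.text


def acs_decision(saml_response_b64, now_iso, expected_in_response_to=None):
    """Wrapper returning 'accept:<NameID>' or 'reject:<reason>' for the handler."""
    try:
        return "accept:" + validate_response(saml_response_b64, now_iso, expected_in_response_to)
    except (SamlError, ET.ParseError, ValueError) as e:
        return "reject:" + str(e)


def build_sample_response(audience=SP_ENTITY_ID, destination=SP_ACS_URL, signed=True):
    """Constructed sample Response (not real Okta output), base64-encoded as the
    browser would POST it. The empty ds:Signature is a placeholder for the presence check."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
    Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{destination}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    {sig}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

The mapping to the Okta form is the part that confused the original poster: the Audience URI you enter in Okta is `SP_ENTITY_ID` above, and the URL you give Okta to POST the assertion to is `SP_ACS_URL`; the application rejects anything whose Audience, Destination or Recipient disagree with those two strings. Running `acs_decision(build_sample_response(), "2024-01-01T12:00:00Z")` accepts alice@example.com, while the same Response with a different audience, a different destination, no signature element, or a clock ten minutes later is rejected with the reason named.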
In order for there to be a chiclet, doesn’t that require me to submit my app via the oinmanager? If so, doesn’t that mean I have already developed the application which supports SAML in order for you to test and approve?
The templates and user assignments (an assignment will show a chiclet to a user on the dashboard) do not require an approval to be in OIN. Anyone can create a template in order to connect with a service provider that supports inbound SAML.
As mentioned previously, you can create a custom SAML template through the documentation available here.