Configure protocol-specific settings

Your application needs to support at least one protocol for interacting with Okta: SAML or OIDC for authentication, or SCIM for provisioning.

Protocol support details can be submitted all together or asynchronously. For example, if your application currently only supports SAML and SCIM, you can create the submission with the SAML and SCIM protocol details. At a later date, when you add OIDC support to your application, you can return to your integration submission, activate the OIDC support panel, and add in the details needed for Okta to enable OIDC support.

For each protocol, click on the appropriate tab name and change the protocol support drop-down box from Off to On.

Instance URL

For each protocol, enter the Okta instance URL for your integration in the first field.

To get your Okta instance URL:

1. Open the Okta Admin Console in your development org.
2. If you are not in the Classic UI, switch to that view.
3. Click Applications > Applications to see all the integrations in your org.
4. Click on the name of the integration you are going to submit. The browser opens the settings page. Confirm that the settings match what you want as the global defaults for all customers.
5. In your browser, click on the address bar showing the current URL and copy it to your clipboard. This is the Okta instance URL for your integration.
6. Back in the OIN Manager, paste that URL into your submission.

For example:

Protocol-specific settings

Each of the supported protocols has different configuration settings for the remainder of the submission.

• OpenID Connect
• SAML 2.0
• SCIM

Setup instructions

• Is your Service Provider configured as a “Big Bang”? — If yes, what is the backdoor URL for admins to sign in if SAML is misconfigured? If the SP is a "Big Bang", Okta suggests that you have a backdoor URL or some other recovery mechanism available.

• Is SAML support available in the SP for all tenants by default or is it available only for specific SKUs? — If you select only certain SKUs, provide details on which products provide SAML support.

• To configure SAML, can your customers do it by themselves from your app's UI, or do they need to contact your support team? — If a customer needs support to configure your integration, you need to include support contact information in your configuration guide. We recommend that you build a UI that enables self-service configuration to reduce the set up time for your customers.

• Are tenants deployed on-premises? — If tenant data for you application is hosted locally on your customer's systems, select Yes. If the tenant data for your application is hosted on your servers, select No.

• Is the Assertion Consumer Service (ACS) URL the same for all tenants and environments? — If No, enter which part of the ACS URL is customizable. For example, the subdomain in https://<subdomain>.example.com/saml2/.

• Is your app capable of requesting other SSO URLs? — Select this option to configure support for multiple ACS URLs where the SAML Response can be sent. Specify an index or URL to uniquely identify each ACS URL endpoint. If an AuthnRequest message does not specify an index or URL, the SAML Response is sent to the default ACS URL specified above. Enter the SSO URLs and an index value for any other nodes.

• Is the audience URI the same for all tenants and environments? — If No, enter which part of the audience URI is customizable. For example, the subdomain in https://<subdomain>.example.com/saml2/.

• What is the unique SAML identifier for authentication: the subject NameID or a specific SAML attribute? — What identifier is used by the integration to perform authentication against your SAML application? If you are using an attribute different than the NameID attribute, what is the name of that attribute?

• Link to configuration guide — Your configuration guide (in either HTML or PDF format) should have step by step instructions on how to set up SSO between Okta and your systems. See Prepare a customer-facing configuration guide.

Supported Features

• Do you support SAML Just-In-Time provisioning? — With Just-in-Time provisioning, you can use a SAML assertion to create users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance.

• Do you support receiving SAML user/group attribute statements? — If Yes, you can add the attribute statements or group attribute statements in the provided fields. For more details on configuring attribute statements in SAML integrations, see Create a SAML integration using AIW.

• Can one tenant connect to multiple Identity Providers? — Select Yes if your customers can set up a SAML connection between their tenant in your application and multiple external IdPs or even multiple instances inside a single IdP.

• What type(s) of sign-in flows do you support? — Choose from IdP or SP initiated, or both. If you support SP-initiated flows, you must specify the URL used to initiate the SP flow and include a description of how the SP flow is triggered by your integration.

• Force authentication? — Select Yes if your application forces users to authenticate again, even if they have an existing session. If you select Yes, include how customers configure force authentication on your end? Provide the steps for Okta to test this forced authentication.

• Do you support SP-initiated Single-Logout? — If you select Yes, then Are you going to use the same single-logout certificate for all tenants?

  If you support the same single-logout certificate for all tenants, copy your certificate and paste it in the field provided.

  The Single Logout URL and SP Issuer should be specified in the test application.

  Note: Okta only supports signed logout requests.

• Do you require a default relay state — The default relay state is the page where your users land after they successfully sign on. If you have this configured, enter a specific application resource for an IdP initiated Single Sign-On scenario.

Review info

• Optional: link to demo video — If you have prepared a video that explains how to configure access to your SAML application, enter the URL here. A short demo video showing your working test application helps expedite the review process. Please show the IdP and SP-initiated sign-in flows and sign-out (if applicable).

• Optional: link to the test results of a SAML validation tool — Use the tool at http://saml.oktadev.com to validate your SAML Service Provider implementation. The results help expedite the review process.

As you add configuration information about your integration to the submission page, the indicators in the top right show your progress towards 100% completion.

You must include all required information before you can click the Submit for Review button to move your integration into the submission phase.

Next: Understand the submission process