SSO for OKTA
Last updated
Last updated
This article explains how to configure Single Sign-On (SSO) in VAULT with Okta as your SAML 2.0 Identity Provider. When SSO is enabled, by default users and groups logging into VAULT are redirected to the Okta login page. After successful authentication, they are redirected to the VAULT Dashboard.
First, configure Okta to provide the sign-on information for the VAULT environment.
To add the VAULT application to Okta:
Sign in to Okta. You must have the Applications Admin permission.
If you don’t have an Okta organization, you can create a free Okta Developer Edition organization here: https://developer.okta.com/signup/
The home page will appear when you log in to Okta.
From the main menu, go to Applications > Add Application.
Click on the Create App Integration button.
In the next auto-populated dialog box, select the second option i.e., SAML 2.0, and click on the Next button.
In the General Settings, enter "VAULT" in the App name field, upload the VAULT logo and click on the Next button.
In the Configure SAML tab,
Single sign on URL: Enter the URL in the following format: <instanceURL>/ARVault/saml/SSO. For example, if your instance is https://vault-qa.autorabit.com, then the payload URL would be: https://vault-qa.autorabit.com/ARVault/saml/SSO
Audience URI (SP Entity ID): Enter the URL in the following format: <instanceURL>/ARVault/saml/metadata
On the same screen, in the Attribute Statements (optional) panel, configure the following:
Click Next to continue.
Under the Feedback section, select the option: "I'm an Okta customer adding an internal app" and "This is an internal application that we created", and click on the Finish button.
Navigate your mouse to the Assignment tab, and click Assign > Assign to People.
Next, select the listed users and click on Assign. After you assign the user click "Save and Go Back" and then click Done.
Here, you can see the assignment status.
Go to the Sign On tab and click on Identity Provider Metadata.
This will open up a new tab with some data. You must save this data in XML format on your own system. When you press CTRL + S, the data is downloaded in XML format.
You can also use the Identity Provider metadata URL link and use it to configure SSO with Vault instead of downloading the metadata XML file. To do so, right-click on the Identity Provider metadata and choose the Copy link address from the list.
Now, login into your VAULT account.
Hover your mouse over the Setting, go to the SSO Configuration section.
Give a name for the SSO configuration and select how you would like to configure the metadata
For Metadata URL, you need to enter the URL link that you captured earlier (Refer to Step 17)
For Metadata File, browse for the metadata XML file you saved on your local machine and upload it. Click Activate.
SML configuration for OKTA is successfully configured in VAULT. Now, the user can log in to VAULT using SSO.Disable Login with Vault credentialsTurn the slide toggle to the left to use SSO for login to your Vault application instead of the default username and password. This will allow you to access your Vault account via SSO.
On your login screen, click Login with SSO.
Enter your Customer ID. You'll find your Customer ID under the Profile section in your Vault account.
Finally, click on Sign in.
This concludes SSO configuration with the Vault.
Go to your OKTA dashboard page and click on the Vault icon to access the account.
Troubleshooting:
Vault throws the following error when a user tries to log into Vault via SSO: "Your user is not available in the account with provided customer id. Please contact the administrator to create a user for you in the account"
The error usually occurs if:
The user details are not assigned inside OKTA to login into the Vault application.
The administrator has set the restrictAutoCreationOfUser to Yes inside Attribute Statements while configuring OKTA SSO. If it is set to Yes, the user is not permitted access to Vault if the account is not created in Vault.
| Name | Value |
|---|---|
firstname
user.firstName
lastname
user.lastName
customerid
Enter your Vault's Customer Id. (You'll find your customer id under the Profile section in your Vault account; refer to Step 23 for sample image attachment)
restrictAutoCreationOfUser
For Yes, a new user account won't be created within Vault even if the user is already registered with the OKTA service provider. The user is not permitted access to Vault if the account is not created in Vault. For No, the restriction is revoked, and a new user account gets created in Vault, and the user will be able to access the Vault feature.
