SSO for OKTA
  • 03 Oct 2022
  • 3 Minutes to read
  • Contributors
  • Dark
    Light

SSO for OKTA

  • Dark
    Light

This article explains how to configure Single Sign-On (SSO) in VAULT with Okta as your SAML 2.0 Identity Provider. When SSO is enabled, by default users and groups logging into VAULT are redirected to the Okta login page. After successful authentication, they are redirected to the VAULT Dashboard.

Add VAULT Application to Okta

First, configure Okta to provide the sign-on information for the VAULT environment.

To add the VAULT application to Okta:

  1. Sign in to Okta. You must have the Applications Admin permission.
  2. If you don’t have an Okta organization, you can create a free Okta Developer Edition organization here: https://developer.okta.com/signup/
  3. The home page will appear when you log in to Okta.okta
  4. From the main menu, go to Applications > Add Application.applications
  5. Click on the Create App Integration button.Create App Integration
  6. In the next auto-populated dialog box, select the second option i.e., SAML 2.0, and click on the Next button.SAML 2.0
  7. In the General Settings, enter "VAULT" in the App name field, upload the VAULT logo and click on the Next button.Configure SAML
  8. In the Configure SAML tab, 
    1. Single sign on URL: Enter the URL in the following format: <instanceURL>/ARVault/saml/SSO. For example, if your instance is https://vault-qa.autorabit.com, then the payload URL would be: https://vault-qa.autorabit.com/ARVault/saml/SSO
    2. Audience URI (SP Entity ID): Enter the URL in the following format: <instanceURL>/ARVault/saml/metadataedit saml integration
  9. On the same screen, in the Attribute Statements (optional) panel, configure the following:
    NameValue
    firstnameuser.firstName
    lastnameuser.lastName
    customeridEnter your Vault's Customer Id. (You'll find your customer id under the Profile section in your Vault account; refer to Step 23 for sample image attachment)
    restrictAutoCreationOfUserFor Yes, a new user account won't be created within Vault even if the user is already registered with the OKTA service provider. The user is not permitted access to Vault if the account is not created in Vault.

    For No, the restriction is revoked, and a new user account gets created in Vault, and the user will be able to access the Vault feature.
  10. Click Next to continue.
  11. Under the Feedback section, select the option: "I'm an Okta customer adding an internal app" and "This is an internal application that we created", and click on the Finish button.create saml integration
  12. Navigate your mouse to the Assignment tab, and click Assign > Assign to People.
  13. Next, select the listed users and click on Assign. After you assign the user click "Save and Go Back" and then click Done.assign vaultassign vaultassign vault
  14. Here, you can see the assignment status.vault
  15. Go to the Sign On tab and click on Identity Provider Metadata.vault data backup and recovery
  16. This will open up a new tab with some data. You must save this data in XML format on your own system. When you press CTRL + S, the data is downloaded in XML format.
    sso
  17. You can also use the Identity Provider metadata URL link and use it to configure SSO with Vault instead of downloading the metadata XML file. To do so, right-click on the Identity Provider metadata and choose the Copy link address from the list.SAML 2.0
  18. Now, login into your VAULT account.
  19. Hover your mouse over the Setting, go to the SSO Configuration section.
  20. Give a name for the SSO configuration and select how you would like to configure the metadata
    1. For Metadata URL, you need to enter the URL link that you captured earlier (Refer to Step 17)
    2. For Metadata File, browse for the metadata XML file you saved on your local machine and upload it. Click Activate.metadata
  21. SML configuration for OKTA is successfully configured in VAULT. Now, the user can log in to VAULT using SSO.
    Disable Login with Vault credentials
    Turn the slide toggle to the left to use SSO for login to your Vault application instead of the default username and password. This will allow you to access your Vault account via SSO.
  22. On your login screen, click Login with SSO.autorabit login
  23. Enter your Customer ID. You'll find your Customer ID under the Profile section in your Vault account.Customer IDCustomer ID
  24. Finally, click on Sign in.autorabit vault sign in
  25. This concludes SSO configuration with the Vault.
  26. Go to your OKTA dashboard page and click on the Vault icon to access the account.


Troubleshooting

Vault throws the following error when a user tries to log into Vault via SSO: "Your user is not available in the account with provided customer id. Please contact the administrator to create a user for you in the account"

The error usually occurs if:

  1. The user details are not assigned inside OKTA to login into the Vault application.
  2. The administrator has set the restrictAutoCreationOfUser to Yes inside Attribute Statements while configuring OKTA SSO. If it is set to Yes, the user is not permitted access to Vault if the account is not created in Vault. 

Was this article helpful?