SSO for Okta
This article explains how to configure Single Sign-On (SSO) in Vault using Okta as the SAML 2.0 Identity Provider. When SSO is enabled, users are redirected to Okta for authentication and, upon success, are taken to the Vault Dashboard.
Add the Vault Application to Okta
Steps:
1. Sign in to Okta as an admin. If you don't have an Okta org, sign up at https://developer.okta.com/signup/.
2. Go to Applications > Add Application.
3. Click Create App Integration.
4. Choose SAML 2.0 and click Next.
5. In General Settings:
   - Name: Vault
   - Upload the Vault logo
   - Click Next
6. In the Configure SAML tab:
   - Single sign on URL: <instanceURL>/ARVault/saml/SSO
     e.g. https://vault-qa.autorabit.com/ARVault/saml/SSO
   - Audience URI (SP Entity ID): <instanceURL>/ARVault/saml/metadata
   - Under Attribute Statements, add the following (Name / Value):
       firstname                    user.firstName
       lastname                     user.lastName
       customerid                   <Vault customer ID>
       restrictAutoCreationOfUser   Yes or No (Yes requires users to be pre-created in Vault; see Troubleshooting)
   Note: Customer ID is available under the Profile section in your Vault account.
7. Click Next, then choose:
   - "I'm an Okta customer adding an internal app"
   - "This is an internal application that we created"
8. Click Finish.
9. Go to the Assignments tab:
   - Click Assign > Assign to People
   - Assign users, click Save and Go Back, then Done
10. Go to the Sign On tab and click Identity Provider Metadata.
11. Save the file as XML or copy the metadata URL.
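As an added example that is not part of this article or of Vault's own code, the following Python check parses a SAML assertion and verifies the two things the Okta configuration above depends on: that the Audience matches this instance's SP Entity ID (<instanceURL>/ARVault/saml/metadata) and that the four attribute statements arrive with values Vault expects. The function name and the sample assertion are assumptions; the sample is constructed, not a real Okta response.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names the Okta app must send, as listed under Attribute Statements above.
REQUIRED_ATTRS = ("firstname", "lastname", "customerid", "restrictAutoCreationOfUser")

# Constructed sample assertion (not a real Okta response): one required attribute
# is missing and restrictAutoCreationOfUser carries a value Vault does not expect.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://vault-qa.autorabit.com/ARVault/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="restrictAutoCreationOfUser"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_vault_assertion(xml_text, instance_url):
    """Return a list of problems found in a SAML assertion bound for Vault.

    An empty list means the audience matches this Vault instance and every
    attribute Vault expects is present with an acceptable value.
    """
    root = ET.fromstring(xml_text)  # prefer defusedxml when parsing untrusted input
    problems = []

    # The Audience must equal the SP Entity ID configured in Okta for this instance;
    # a mismatch means the assertion was issued for a different service provider.
    expected_audience = instance_url.rstrip("/") + "/ARVault/saml/metadata"
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience %r does not match SP Entity ID %s" % (audiences, expected_audience))

    # Collect Name -> first AttributeValue for every attribute statement.
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None

    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("missing attribute statement: " + name)

    flag = attrs.get("restrictAutoCreationOfUser")
    if flag is not None and flag not in ("Yes", "No"):
        problems.append("restrictAutoCreationOfUser must be Yes or No, got %r" % flag)
    return problems
```

Run it against an assertion captured with a browser SAML tracer when a login fails; each returned string points at the Okta setting to correct.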
Configure SSO in Vault
1. Log in to Vault.
2. Navigate to Settings > SSO Configuration.
3. Enter a name for the config and select one of:
   - Metadata URL (paste the copied link), or
   - Metadata File (upload the XML file)
4. Click Activate.
You may disable login with Vault credentials by toggling off that option.
Logging in Using SSO
1. On the Vault login screen, click Login with SSO.
2. Enter your Customer ID.
3. Click Sign in.
You can also log in directly from your Okta dashboard by clicking the Vault application icon.
Troubleshooting
Error: "Your user is not available in the account with provided customer id. Please contact the administrator to create a user for you in the account."
Causes:
- The user is not assigned to the Vault app in Okta.
- restrictAutoCreationOfUser is set to Yes and the user has not been pre-created in Vault.