Okta SAML Integration

This guide explains how to configure Okta as a SAML Service Provider (SP) to use Signia as an Identity Provider (IdP).

Overview

After completing this integration:

  • Okta users will authenticate using Signia credentials
  • Users can log in with WebAuthn/Passkeys (Face ID, Touch ID, security keys)
  • Okta trusts Signia's SAML assertions for user authentication

Prerequisites

  • Admin access to Okta (Super Admin or Org Admin)
  • Admin access to Signia ID dashboard
  • SAML enabled for your Signia tenant

If SAML is not enabled yet, see Enable SAML 2.0 Identity Provider.


Part 1: Configure Signia IdP

Step 1: Download Signia Metadata

  1. Log in to Signia ID dashboard (https://signiaid.com)
  2. Select your tenant from the dropdown
  3. Navigate to SAML in the left sidebar
  4. In the Identity Provider Information section:
    • Click Download Metadata button
    • Save as signia-metadata.xml

Alternative: Download directly from metadata URL:

curl https://<your-tenant>.signiaauth.com/saml/metadata -o signia-metadata.xml

Step 2: Note Okta Configuration Details

You'll need these values from Okta later. Keep this guide open while configuring Okta.


Part 2: Configure Okta SAML Application

Step 1: Create SAML Application in Okta

  1. Log in to Okta Admin Console (https://<your-okta-domain>.okta.com/admin)
  2. Navigate to Applications → Applications
  3. Click Create App Integration
  4. Select:
    • Sign-in method: SAML 2.0
    • Click Next

Step 2: General Settings

App name: Enter a descriptive name

  • Example: "Signia SSO"

App logo (optional): Upload your company logo

Click Next

Step 3: Configure SAML Settings

General SAML Settings

Single sign on URL:

https://<your-tenant>.signiaauth.com/saml/sso
  • ✅ Check "Use this for Recipient URL and Destination URL"

Audience URI (SP Entity ID):

https://<your-okta-domain>.okta.com/saml2/service-provider/<app-id>
  • You'll get this after saving the app (see Step 5)
  • For now, use a placeholder: https://temp.okta.com

Default RelayState (optional): Leave blank

Name ID format: EmailAddress

Application username: Email

Attribute Statements

Add these attribute mappings:

Name        Name format    Value
email       Unspecified    user.email
firstName   Unspecified    user.firstName
lastName    Unspecified    user.lastName

Group Attribute Statements (optional)

Leave blank unless you need group-based access control.

Step 4: Advanced Settings

Response: Signed

Assertion Signature: Signed

Signature Algorithm: RSA-SHA256

Digest Algorithm: SHA256

Assertion Encryption: Unencrypted

Click Next

Step 5: Feedback

Are you a customer or partner?: Select "I'm an Okta customer adding an internal app"

App type: Select "This is an internal app that we have created"

Click Finish

Step 6: Get Okta SP Entity ID

After creating the app:

  1. Navigate to the Sign On tab
  2. Under SAML 2.0, find Metadata URL
  3. Copy the Entity ID from the metadata or note it:
    https://<your-okta-domain>.okta.com/saml2/service-provider/<app-id>

Note the app-id - you'll need this for Signia configuration.

Step 7: Get Okta ACS URL

The ACS URL follows this format:

https://<your-okta-domain>.okta.com/sso/saml2/<app-id>

Verify: Navigate to Sign On tab → View Setup Instructions to see the exact URLs.


Part 3: Configure Signia Service Provider

Step 1: Add Service Provider in Signia

  1. Log in to Signia ID dashboard
  2. Navigate to SAML → Service Providers
  3. Click Add Service Provider

Step 2: Enter Okta Details

Name: Okta Production (or your preferred name)

Entity ID:

https://<your-okta-domain>.okta.com/saml2/service-provider/<app-id>

ACS URL:

https://<your-okta-domain>.okta.com/sso/saml2/<app-id>

NameID Format: Email Address

Enabled: ✓ (checked)

Step 3: Save Service Provider

Click Create Service Provider

The Service Provider will appear in the list.


Part 4: Upload Signia Metadata to Okta

Step 1: Navigate to Okta SAML Settings

  1. In Okta Admin Console
  2. Navigate to Applications → Applications
  3. Click on your SAML app (e.g., "Signia SSO")
  4. Click Sign On tab

Step 2: Edit SAML Settings

  1. Scroll to SAML 2.0
  2. Click Edit

Step 3: Upload Metadata

Identity Provider metadata: Click Browse files...

  • Select signia-metadata.xml (downloaded in Part 1)
  • Click Upload

Okta will auto-populate:

  • Identity Provider Single Sign-On URL
  • Identity Provider Issuer
  • X.509 Certificate

Step 4: Verify Auto-Populated Fields

Identity Provider Single Sign-On URL:

https://<your-tenant>.signiaauth.com/saml/sso

Identity Provider Issuer:

https://<your-tenant>.signiaauth.com

X.509 Certificate: Should show certificate details

Step 5: Save Settings

Click Save


Part 5: Assign Users

Step 1: Navigate to Assignments

  1. In your Okta SAML app
  2. Click Assignments tab

Step 2: Assign Users or Groups

Assign to People:

  1. Click Assign → Assign to People
  2. Search for users
  3. Click Assign next to each user
  4. Click Save and Go Back
  5. Click Done

Assign to Groups (recommended for bulk assignment):

  1. Click Assign → Assign to Groups
  2. Search for groups (e.g., "Everyone", "Engineering")
  3. Click Assign next to each group
  4. Click Done

Part 6: Test SSO

Step 1: Test from Okta Dashboard

  1. Log in to Okta as a test user
  2. Navigate to your dashboard
  3. Click on the Signia SSO app tile

Step 2: Verify Redirect

You should be redirected to:

https://<your-tenant>.signiaauth.com/saml/sso?SAMLRequest=...

Step 3: Authenticate with Signia

  1. Signia displays authentication UI
  2. Authenticate with:
    • WebAuthn/Passkey (Face ID, Touch ID, security key)
    • Or email/password (if enabled)

Step 4: Verify Success

After authentication:

  • You're redirected back to Okta
  • You're logged in to Okta (session created)
  • You can access Okta applications

Step 5: Check User Profile

In Okta:

  1. Click your name (top right)
  2. Click Settings
  3. Verify profile attributes are populated:
    • Email
    • First Name
    • Last Name

Troubleshooting

"SAML assertion audience mismatch"

Cause: Entity ID mismatch between Okta and Signia

Solution:

  1. Check Okta Audience URI (SP Entity ID)
  2. Compare with Entity ID in Signia Service Provider configuration
  3. They must match exactly (case-sensitive)

"Unable to sign in"

Cause 1: User not assigned to SAML app

Solution:

  1. Navigate to Assignments tab
  2. Verify user is assigned
  3. Assign if missing

Cause 2: Network connectivity

Solution:

"Invalid signature"

Cause: Certificate mismatch or clock skew

Solution:

  1. Re-upload Signia metadata to Okta
  2. Verify certificate fingerprint matches dashboard
  3. Check system clock synchronization:
    # Both systems should be within 5 minutes
    date -u

"Error: SAML transaction expired"

Cause: User took >10 minutes to authenticate

Solution: Retry SSO flow and complete authentication promptly
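The checks behind the troubleshooting entries above can be scripted. The following is an added example and not part of the Signia or Okta documentation: it parses the Signia IdP metadata the way Okta does when it auto-populates the Sign On settings (Part 4, Step 4), then checks a SAML Response against that metadata for the conditions listed here: issuer, Destination and Audience mismatches, a signing certificate that no longer matches the metadata, and clock skew or an expired assertion. XML signature verification is left to a SAML library; these are the structural checks you run while debugging. The tenant, Okta org, app-id and certificate bytes are constructed sample values, and the `5 minutes` skew tolerance is taken from the clock-check comment above.

```python
# Added example (not Signia or Okta code): replay the Troubleshooting checks on this page
# against a constructed SAML Response and a constructed Signia IdP metadata document.
import base64
import hashlib
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Constructed values; the real ones come from your tenant and the Okta app you created.
IDP_ISSUER = "https://example-tenant.signiaauth.com"
SP_ENTITY_ID = "https://example-org.okta.com/saml2/service-provider/0oaEXAMPLE"
ACS_URL = "https://example-org.okta.com/sso/saml2/0oaEXAMPLE"
FAKE_CERT_B64 = base64.b64encode(b"constructed bytes, not a real DER certificate").decode()
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # fixed "current time" for the demo

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ISSUER}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="{IDP_ISSUER}/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _stamp(when: datetime) -> str:
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")

def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate, colon-separated as dashboards show it."""
    digest = hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_idp_metadata(xml_text: str) -> dict:
    """The three fields Okta fills in from the metadata file, plus the fingerprint to verify."""
    root = ET.fromstring(xml_text)
    sso = root.find(".//md:SingleSignOnService", NS)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return {"issuer": root.get("entityID"), "sso_url": sso.get("Location"),
            "cert_fingerprint": fingerprint(cert.text)}

def sample_response(audience=SP_ENTITY_ID, cert_b64=FAKE_CERT_B64, issued_minutes_ago=0) -> str:
    """Constructed, unsigned Response in the shape the IdP posts to Okta's ACS URL."""
    issued = NOW - timedelta(minutes=issued_minutes_ago)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="{_stamp(issued)}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_stamp(issued)}">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_stamp(issued)}" NotOnOrAfter="{_stamp(issued + timedelta(minutes=10))}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(response_xml: str, idp: dict, now: datetime = NOW,
                   max_skew: timedelta = timedelta(minutes=5)) -> list:
    """Return a list of findings; an empty list means every structural check passed."""
    root = ET.fromstring(response_xml)
    findings = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["issuer"]:
        findings.append(f"issuer mismatch: {issuer!r} != {idp['issuer']!r}")
    if root.get("Destination") != ACS_URL:
        findings.append(f"destination mismatch: {root.get('Destination')!r} != {ACS_URL!r}")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:  # exact, case-sensitive comparison, as the guide requires
        findings.append(f"audience mismatch: {audience!r} != {SP_ENTITY_ID!r}")
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or fingerprint(cert.text) != idp["cert_fingerprint"]:
        findings.append("signing certificate does not match metadata; re-upload Signia metadata to Okta")
    cond = root.find(".//saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now + max_skew < not_before:
        findings.append(f"assertion not yet valid until {not_before.isoformat()}; check clock skew")
    if now - max_skew >= not_after:
        findings.append(f"assertion expired at {not_after.isoformat()}; check clock skew or retry promptly")
    return findings

if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    print("Okta auto-populates:", idp)
    print("valid response:", check_response(sample_response(), idp) or "OK")
    # The placeholder Audience URI from Part 2, Step 3 left in place is the classic mismatch.
    print("placeholder audience:", check_response(sample_response(audience="https://temp.okta.com"), idp))
```

To use it on a real flow, capture the base64 `SAMLResponse` form field from the browser's network log, decode it, and pass the XML to `check_response` together with the output of `parse_idp_metadata` on the file downloaded in Part 1; the fingerprint it prints is the value to compare with the dashboard when following the "Invalid signature" steps.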


Advanced Configuration

Just-in-Time (JIT) Provisioning

Automatically create Okta users on first SSO login.

  1. Navigate to Sign On tab
  2. Scroll to Credentials Details
  3. Click Edit
  4. Enable Just-in-Time (JIT) Provisioning
  5. Configure:
    • Create users: ✓
    • Update user attributes: ✓
    • Deactivate users: ✓ (optional)
  6. Click Save

Force Re-Authentication

Force users to authenticate even if they have an active Signia session.

  1. In Signia dashboard
  2. Edit the Okta Service Provider
  3. Set Force Authentication: ✓ (future feature)

Note: Okta may send ForceAuthn=true in AuthnRequest. Signia maps this to OIDC prompt=login.

Custom Attribute Mapping

Map additional user attributes to Okta profile.

In Signia (future feature):

  1. Navigate to Service Provider configuration
  2. Add attribute mappings:
    • department → user.department
    • phone → user.mobilePhone

In Okta:

  1. Navigate to Sign On tab → Edit
  2. Add attribute statements in SAML settings
  3. Map to Okta user profile fields

Security Recommendations

Enable Multi-Factor Authentication

Add additional security layer beyond Signia authentication.

  1. Navigate to Security → Multifactor
  2. Enable MFA policies
  3. Configure factor types (SMS, Okta Verify, etc.)

Monitor SSO Activity

Track authentication events for security and compliance.

  1. Navigate to Reports → System Log
  2. Filter by:
    • Event Type: user.authentication.sso
    • Application: "Signia SSO"
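The same two-part filter can be applied outside the console once the System Log has been exported. The following is an added example, not Okta's or Signia's code: it runs the event-type and application filter from this section over a few constructed records shaped like Okta System Log events and counts failed outcomes per user, so that repeated failures against the "Signia SSO" app stand out. The failure reasons, user names and the threshold of three failures are constructed sample values; in a real org the records come from the System Log API (`GET /api/v1/logs` with the same `eventType` filter).

```python
# Added example (not Okta or Signia code): apply the System Log filter from this section
# to constructed events and summarise failed SSO attempts per user.
import json
from collections import Counter

APP_NAME = "Signia SSO"
FAILURE_THRESHOLD = 3  # assumed local policy: this many failures per user is worth a look

# Constructed sample records; only the fields the filter reads are populated.
SAMPLE_EVENTS = json.loads("""[
 {"eventType": "user.authentication.sso", "published": "2024-01-01T12:00:00.000Z",
  "actor": {"alternateId": "alice@example.com"}, "outcome": {"result": "SUCCESS"},
  "target": [{"type": "AppInstance", "displayName": "Signia SSO"}]},
 {"eventType": "user.authentication.sso", "published": "2024-01-01T12:01:00.000Z",
  "actor": {"alternateId": "bob@example.com"},
  "outcome": {"result": "FAILURE", "reason": "SAML assertion audience mismatch"},
  "target": [{"type": "AppInstance", "displayName": "Signia SSO"}]},
 {"eventType": "user.authentication.sso", "published": "2024-01-01T12:02:00.000Z",
  "actor": {"alternateId": "bob@example.com"},
  "outcome": {"result": "FAILURE", "reason": "SAML assertion audience mismatch"},
  "target": [{"type": "AppInstance", "displayName": "Signia SSO"}]},
 {"eventType": "user.authentication.sso", "published": "2024-01-01T12:03:00.000Z",
  "actor": {"alternateId": "bob@example.com"},
  "outcome": {"result": "FAILURE", "reason": "Invalid signature"},
  "target": [{"type": "AppInstance", "displayName": "Signia SSO"}]},
 {"eventType": "user.authentication.sso", "published": "2024-01-01T12:04:00.000Z",
  "actor": {"alternateId": "carol@example.com"}, "outcome": {"result": "SUCCESS"},
  "target": [{"type": "AppInstance", "displayName": "Other App"}]},
 {"eventType": "user.session.start", "published": "2024-01-01T12:05:00.000Z",
  "actor": {"alternateId": "dave@example.com"}, "outcome": {"result": "SUCCESS"},
  "target": [{"type": "AppInstance", "displayName": "Signia SSO"}]}
]""")

def sso_events(events, app_name=APP_NAME):
    """Keep only user.authentication.sso events whose target application matches."""
    return [e for e in events
            if e.get("eventType") == "user.authentication.sso"
            and any(t.get("type") == "AppInstance" and t.get("displayName") == app_name
                    for t in e.get("target") or [])]

def failure_summary(events, app_name=APP_NAME, threshold=FAILURE_THRESHOLD):
    """Count non-SUCCESS outcomes per user and by reason; flag users at or above the threshold."""
    failures, reasons = Counter(), Counter()
    for e in sso_events(events, app_name):
        outcome = e.get("outcome") or {}
        if outcome.get("result") != "SUCCESS":
            failures[e["actor"]["alternateId"]] += 1
            reasons[outcome.get("reason", "unspecified")] += 1
    flagged = sorted(user for user, n in failures.items() if n >= threshold)
    return {"failures_by_user": dict(failures), "reasons": dict(reasons), "flagged_users": flagged}

if __name__ == "__main__":
    print(f"{len(sso_events(SAMPLE_EVENTS))} SSO events for {APP_NAME!r}")
    print(json.dumps(failure_summary(SAMPLE_EVENTS), indent=2))
```

Grouping by `reason` is what makes the summary actionable: a cluster of "audience mismatch" failures right after a configuration change points at the Entity ID steps in Part 3, while failures spread across users after a metadata refresh point at the certificate rotation steps below.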

Certificate Rotation

When Signia certificate expires:

  1. Download new metadata from Signia
  2. Upload to Okta (Sign On tab → Edit → Upload metadata)
  3. Verify new certificate fingerprint
  4. Test SSO flow

Next Steps