
Okta Single Sign-On integration with SAML

Okta is an identity and access management platform. Its Single Sign-On (SSO) solution allows users to log in to a variety of systems using one centralized process.

This document explains how to configure Okta and Invicti Platform for Single Sign-On.

Configure Okta with SAML

There are three steps in this process:

Step 1: Add an application to Okta

  1. Navigate to Okta's Admin Console, then select Applications > Applications from the left-side menu.
  2. Click Create App Integration.
  3. From the Create a new app integration dialog, select SAML 2.0. Then click Next.
Creating SAML 2.0 app integration in Okta
  4. On the Create SAML Integration page, enter a name in the App name field. Invicti is used for this example.
  5. Select Next.
  6. In a new browser tab, log in to Invicti Platform and select Settings > SSO & Provisioning.
  7. Turn on the Enable SSO for your organization toggle.
  8. Select Okta from the SSO Provider drop-down list.
  9. Copy the SAML 2.0 Service URL and paste the URL into Okta's Single Sign-on URL field.
  10. Return to the Invicti browser tab and copy the Identifier URL. Paste it into Okta's Audience URI (SP Entity ID) field.
Okta SSO integration in Invicti Platform
  11. Click Next to view the Feedback tab.
  12. Click Finish. The Invicti application's details appear.
  13. In the Sign On tab, click View SAML setup instructions. Okta opens a new browser tab.
  14. From the new tab, copy the URL from the Identity Provider Issuer field and paste it into Invicti's IdP Identifier field.
  15. In the Okta tab, copy the URL from the Identity Provider Single Sign-On URL field and paste it into Invicti's SAML 2.0 Endpoint field.
  16. In the Okta tab, copy the content of the X.509 Certificate field. Then switch to the Invicti tab and paste the certificate into the X.509 Certificate field.
Configuration of SAML 2.0 Endpoint, IdP Identifier, X.509 Certificate in Invicti.
  17. In Invicti, select the checkboxes for signed assertions, encrypted assertions, or sign requests as needed.
Additional security options in Invicti Platform including assertions and sign requests

warning

Selecting Require encrypted assertions requires applying additional settings in Okta. For instructions, refer to Configure encrypted assertions in Okta.

  18. If you enable any assertions or requests, a new section appears where you can generate a new certificate or upload an existing one.
Setup of additional security certificate in Invicti Platform
  19. Use Invicti's SSO Exemptions drop-down to select users who can log in to Invicti via password.
SSO Exemptions dropdown in Invicti Platform
  20. Click Save.

Configure encrypted assertions in Okta

  1. From Okta's main menu, go to Applications > Applications > Invicti.
  2. Select the General tab and scroll to the SAML Settings section. Click Edit.
  3. Click Next, then Show Advanced Settings.
  4. Use the drop-down next to Assertion Encryption to select Encrypted.
  5. Click Browse Files next to Encryption Certificate and upload your Invicti certificate.
Configuring assertion encryption in Okta

Step 2: Add users to the application in Okta

  1. Select Directory > People from the left-side menu in Okta.
  2. Click the Add Person button to open a form.
  3. Fill out the form and click Save.
  4. Select Applications > Applications > Invicti from the menu.
  5. In the Assignments tab, click Assign > Assign to People.
  6. From the Assign Invicti to People dialog, select Assign next to the person you want to add.
  7. Select Save and Go Back.
  8. Click Done.

Users who exist in both Okta and Invicti Platform can now log in to Invicti via Okta - either by clicking the Invicti tile in the Okta dashboard (IdP-initiated) or by using the SSO option on the Invicti login page (SP-initiated). If a user doesn't yet have an Invicti account, see Step 3: Configure auto-provisioning.

Step 3: Configure auto-provisioning

Auto-provisioning automatically creates user accounts in Invicti when users log in via Okta for the first time. To enable it, you must first add attribute statements in Okta so that Invicti receives the user's name and email, then enable provisioning in Invicti.

Add attribute statements in Okta

  1. In Okta, open the Invicti application and select the Sign On tab.
  2. In the Attribute Statements section, click Show legacy configuration, then click Edit.
  3. Add the following attribute statements:
     Name          Name format   Value
     FirstName     Unspecified   user.firstName
     LastName      Unspecified   user.lastName
     EmailAddress  Unspecified   user.email
Attribute statements configuration in Okta showing firstName, lastName, and email mapped to Okta user properties.
  4. Click Save.
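A way to confirm that what Okta actually sends lines up with the values entered in Step 1 (IdP Identifier, Audience URI) and the three attribute statements above. This is an added example, not Invicti's or Okta's code; the issuer, audience and user values are constructed placeholders, and it reads a plaintext response (with Require encrypted assertions enabled, decrypt first).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"  # Okta's "Unspecified"
EXPECTED_ISSUER = "http://www.okta.com/exk-placeholder"   # assumed placeholder: Invicti's IdP Identifier
EXPECTED_AUDIENCE = "https://invicti.example/saml/sp-id"  # assumed placeholder: Audience URI (SP Entity ID)
REQUIRED_ATTRS = {"FirstName", "LastName", "EmailAddress"}  # the three attribute statements above

def check_saml_response(xml_text, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Return a list of mismatches; an empty list means the response fits this setup."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:  # with 'Require encrypted assertions' on, decrypt before checking
        return ["no plaintext saml:Assertion in the response"]
    got_issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if got_issuer != issuer:
        problems.append(f"issuer {got_issuer!r} != IdP Identifier {issuer!r}")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"audience {audiences} does not include SP Entity ID {audience!r}")
    attrs = {}  # attribute Name -> (NameFormat, first value)
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        attrs[a.get("Name")] = (a.get("NameFormat", UNSPECIFIED), value)
    for name in sorted(REQUIRED_ATTRS - set(attrs)):
        problems.append(f"missing attribute statement {name}")
    for name in sorted(REQUIRED_ATTRS & set(attrs)):
        fmt, value = attrs[name]
        if fmt != UNSPECIFIED:
            problems.append(f"{name} NameFormat is {fmt!r}, expected Unspecified")
        if not value:
            problems.append(f"{name} is empty; check the mapped Okta profile field")
    return problems

def check_saml_response_b64(encoded, **kw):
    """Same check on the base64 SAMLResponse form field posted to the SAML 2.0 Service URL."""
    return check_saml_response(base64.b64decode(encoded).decode("utf-8"), **kw)

# Constructed sample: issuer and audience match, but the EmailAddress statement was not added.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"><saml:Assertion>
<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer><saml:Conditions><saml:AudienceRestriction>
<saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="FirstName" NameFormat="{UNSPECIFIED}">
<saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="LastName" NameFormat="{UNSPECIFIED}">
<saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE.encode()).decode()
```

Feed the SAMLResponse form field from your own test login into check_saml_response_b64; an empty list means the issuer, audience and attribute names match what this guide configures.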

Enable auto-provisioning in Invicti

  1. In Invicti Platform, go to Settings > SSO & Provisioning.
  2. In the Provisioning with SAML/SCIM section, set the Enable automatic provisioning for your organization toggle to Yes.
Enable automatic provisioning toggle in Invicti Platform
  3. In the Default access for new users and teams section, select a role from the Role drop-down to assign to newly provisioned users.
  4. Optionally, click Select collections to choose which collections new users can access. If none are selected, new users get access to all current and future collections by default.
Default access for new users showing role drop-down and select collections options.
  5. Click Save.
info

For more information about SSO fields and auto-provisioning behavior, refer to the Single Sign-On configuration document.

