# Connecting SSO with Okta

This guide covers the process of connecting the [Okta](https://www.okta.com/) service as an identity provider to Wallarm, which acts as the service provider.

To complete the steps, you need accounts with administrator rights in both Wallarm and Okta.

## Step 1 (Wallarm): Activate SSO service

By default, the SSO service for authentication in Wallarm is not active, so the corresponding blocks are not visible in the **Integrations** section of Wallarm Console.

To activate the SSO service, contact the [Wallarm support team](https://support.wallarm.com/). SSO with [provisioning](#step-4-okta-configure-provisioning) is offered by default, which means:

* After SSO is enabled, users can no longer authenticate with a login and password. If necessary, request a fallback account: it retains login/password authentication.
* No users can be disabled or deleted from the Wallarm side.
* If you have [multiple tenants](https://docs.wallarm.com/installation/multi-tenant/overview.md), with Okta you can use the [tenant dependent permissions](https://docs.wallarm.com/admin-en/configuration-guides/sso/intro.md#tenant-dependent-permissions) option; decide on that together with Wallarm support.

## Step 2 (Wallarm): Generate metadata

!!! info "Extended security"
    If you want to or are required to use the additional security validation for your Okta-to-Wallarm connection, consider using the [Extended security](https://docs.wallarm.com/admin-en/configuration-guides/sso/setup.md#extended-security) option available at this step.

You need the Wallarm metadata to enter on the Okta side:

1. In Wallarm Console, go to **Integrations** → **SSO SAML AUTHENTICATION** and initiate the **Okta SSO** configuration.

    ![Integrations - SSO](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/sso-integration-add.png)

1. In the SSO configuration wizard, at the **Send details** step, review the Wallarm metadata that must be passed to the Okta service.

    ![Wallarm's metadata](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/okta/sp-metadata.png)

    * **Wallarm Entity ID** is a unique application identifier generated by the Wallarm application for the identity provider.
    * **Assertion Consumer Service URL (ACS URL)** is the Wallarm-side address of the application to which the identity provider sends requests carrying the `SAMLResponse` parameter.

1. Copy the metadata or save it as XML.

## Step 3 (Okta): Configure application

To configure the application in Okta:

1. Log in to Okta as administrator.
1. Click **Applications** → **Applications** → **Create App Integration**.

    ![Okta dashboard](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/okta/dashboard.png)

1. Set **Sign‑on method** → “SAML 2.0”.
1. Proceed and in the **Create SAML Integration** wizard set general integration settings, such as **App Name** and optionally **App logo**.

    ![General settings](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/okta/wizard-general.png)

1. Proceed and enter Wallarm's metadata. Required fields:

    * **Single sign‑on URL** = **Assertion Consumer Service URL (ACS URL)** in Wallarm.
    * **Audience URI (SP Entity ID)** = **Wallarm Entity ID** in Wallarm.

        ![Configure SAML](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/okta/wizard-saml.png)

1. Optionally, set other parameters described in [Okta documentation](https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard.htm).

    ![SAML settings preview](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/okta/wizard-saml-preview.png)

1. Proceed and set **Are you a customer or partner** to "I'm an Okta customer adding an internal app".
1. Optionally, set other parameters.

    ![Feedback form](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/okta/wizard-feedback.png)

1. Click **Finish**. You will be redirected to the page of the created application.
1. To get the Okta metadata, go to the **Sign On** tab and do one of the following:

    * Click **Identity Provider metadata** and save displayed data as XML.
    * Click **View Setup instructions** and copy displayed data.

1. Provide Okta users with access to the created application by going to **Applications** → **Applications** → **Assign Users to App** and assigning users to the application.

    ![Assigning users to the application](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/okta/assignments.png)

## Step 4 (Okta): Configure provisioning

**Provisioning** is the automatic transfer of data from the SAML SSO solution (Okta) to Wallarm: your Okta users and their group membership define who can access Wallarm and with which permissions; all user management is performed on the Okta side.

For this to work, provide the attribute mapping:

1. In the Okta application, click **Applications** → **Applications** → **General** → **SAML Settings (Edit)** → **Next**.

1. Map attribute statements:

    * `email` → `user.email`
    * `first_name` → `user.firstName`
    * `last_name` → `user.lastName`

1. Map user groups to `wallarm_role:[role]` where `role` is:

    * `admin` (**Administrator**)
    * `analytic` (**Analyst**)
    * `api_developer` (**API Developer**)
    * `auditor` (**Read Only**)
    * `partner_admin` (**Global Administrator**)
    * `partner_analytic` (**Global Analyst**)
    * `partner_auditor` (**Global Read Only**)

    See all role descriptions [here](https://docs.wallarm.com/user-guides/settings/users.md#user-roles).

    ![Integrations - SSO, mapping in Okta](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/okta/wallarm-sso-okta-mapping.png)

1. Save the changes.
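As an added example that is not Wallarm's or Okta's code, the following Python script shows how a service provider would consume the attribute statements mapped above: it reads the `email`, `first_name` and `last_name` attributes and the group values carrying the `wallarm_role:` prefix from a constructed sample assertion, checks that every required attribute is present and that each role is one of the roles listed on this page, and surfaces unknown roles instead of silently accepting them. The group attribute name `groups`, the sample assertion and all of its values are assumptions; how Wallarm itself consumes the assertion is not described on this page.

```python
"""Resolve a Wallarm user profile and role from the SAML attribute
statements configured in Okta (added example, not Wallarm's code)."""
from xml.etree import ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Role names exactly as listed on this page (Console label for reference).
WALLARM_ROLES = {
    "admin": "Administrator",
    "analytic": "Analyst",
    "api_developer": "API Developer",
    "auditor": "Read Only",
    "partner_admin": "Global Administrator",
    "partner_analytic": "Global Analyst",
    "partner_auditor": "Global Read Only",
}
ROLE_PREFIX = "wallarm_role:"
REQUIRED = ("email", "first_name", "last_name")
# Assumption: the Okta group attribute statement is named "groups".
GROUP_ATTRIBUTE = "groups"

# Constructed sample assertion (signature and conditions omitted); the
# issuer, user and group values are placeholders, not real data.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk_PLACEHOLDER</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>wallarm_role:analytic</saml:AttributeValue>
      <saml:AttributeValue>wallarm_role:superuser</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_user(attrs: dict) -> dict:
    """Build the user record Wallarm needs; fail closed on any gap."""
    missing = [n for n in REQUIRED if not attrs.get(n) or not attrs[n][0]]
    if missing:
        raise ValueError(f"assertion lacks required attribute(s): {missing}")
    roles, unknown = [], []
    for group in attrs.get(GROUP_ATTRIBUTE, []):
        if not group.startswith(ROLE_PREFIX):
            continue  # ordinary Okta group, irrelevant to Wallarm
        role = group[len(ROLE_PREFIX):]
        (roles if role in WALLARM_ROLES else unknown).append(role)
    if not roles:
        raise ValueError("no recognised wallarm_role:* group; access denied")
    return {
        "email": attrs["email"][0],
        "first_name": attrs["first_name"][0],
        "last_name": attrs["last_name"][0],
        "roles": sorted(roles),
        # Reported so the administrator can correct the group name in Okta.
        "unknown_roles": sorted(unknown),
    }


if __name__ == "__main__":
    user = resolve_user(extract_attributes(SAMPLE_ASSERTION))
    for key, value in user.items():
        print(f"{key}: {value}")
```

Run the file directly to print the resolved user. In a real service provider this mapping runs only after the response signature, issuer, audience and validity window have been verified; the example starts from an already-trusted assertion and shows the mapping step alone.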

## Step 5 (Wallarm): Enter Okta metadata

1. In Wallarm Console, in the SSO configuration wizard, proceed to the **Upload metadata** step.
1. Do one of the following:

    * Upload Okta metadata as an XML file.
    * Enter metadata manually as follows:

        * **Identity Provider Single Sign‑On URL** → **Identity provider SSO URL**.
        * **Identity Provider Issuer** → **Identity provider issuer**.
        * **X.509 Certificate** → **X.509 Certificate** field.

            ![Entering the metadata manually](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/okta/transfer-metadata-manually.png)

1. Complete the SSO configuration wizard. Wallarm will test whether data can now be transferred to and from your Okta.
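For the manual-entry option, the following added Python example (not Wallarm's or Okta's code) shows where each of the three fields lives in the Okta IdP metadata XML: the `entityID` attribute of `EntityDescriptor` is the issuer, the `Location` of the `SingleSignOnService` element for the HTTP-POST binding is the SSO URL, and the `X509Certificate` under the signing `KeyDescriptor` is the certificate. The sample metadata, its entity ID, tenant host and certificate bytes are constructed placeholders; the parser rejects documents that are not IdP metadata, non-HTTPS SSO URLs and certificate blobs that are not valid base64, so a wrong file is caught before it is pasted into the wizard.

```python
"""Extract the SSO URL, issuer and signing certificate that Wallarm's
manual-entry form asks for from Okta IdP metadata (added example)."""
import base64
from xml.etree import ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder: base64 of arbitrary bytes, NOT a real X.509 cert.
FAKE_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample with the shape of an Okta IdP metadata document;
# the entity ID and tenant host are placeholders.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk_PLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            {FAKE_CERT_B64}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.okta.com/app/PLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.okta.com/app/PLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str, binding: str = HTTP_POST) -> dict:
    """Return the three manual-entry values, failing on anything unexpected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("entityID (the issuer) is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            sso_url = svc.get("Location")
            break
    if not sso_url:
        raise ValueError(f"no SingleSignOnService for binding {binding}")
    if not sso_url.startswith("https://"):
        raise ValueError("SSO URL must use https")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            raw = "".join((cert.text or "").split())  # drop wrapping whitespace
            base64.b64decode(raw, validate=True)       # reject non-base64 junk
            certs.append(raw)
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "sso_url": sso_url,
        "issuer": issuer,
        "certificate": certs[0],
        # Okta lists more than one during certificate rollover; keep them all.
        "signing_certificates": certs,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

Pass the metadata downloaded in step 3 to `parse_idp_metadata` and copy the printed `sso_url`, `issuer` and `certificate` into the corresponding wizard fields; the `signing_certificates` list tells you when Okta is mid-rollover and more than one certificate is current.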

## Step 6 (Wallarm): Configure provisioning (SKIP)

For Okta, skip this step in Wallarm.

![SSO groups to Wallarm roles - mapping in Wallarm](https://docs.wallarm.com/images/admin-guides/configuration-guides/sso/sso-mapping-in-wallarm.png)

Just go to the next step and complete the SSO configuration wizard. Wallarm will test whether data can now be transferred to and from your SAML SSO solution.

