
Connecting SSO with Okta

This guide covers the process of connecting the Okta service as an identity provider to Wallarm, which acts as the service provider.

To complete these steps, you need accounts with administration rights for both Wallarm and Okta.

Step 1 (Wallarm): Activate SSO service

By default, the SSO service for authentication in Wallarm is not active, and the corresponding blocks are not visible in the Integrations section of Wallarm Console.

To activate the SSO service, contact the Wallarm support team. SSO with provisioning will be suggested by default:

  • After it is enabled, no users will be able to authenticate with login and password. Request a fallback account if necessary; it will retain login/password authentication.

  • No users can be disabled or deleted from the Wallarm side.

  • If you have multiple tenants, with Okta you can use the tenant dependent permissions option. Decide on that together with Wallarm support.

Step 2 (Wallarm): Generate metadata

Extended security

If you want to or are required to use the additional security validation for your Okta-to-Wallarm connection, consider using the Extended security option available at this step.

You need Wallarm metadata to enter on the Okta side:

  1. In Wallarm Console, go to Integrations → SSO SAML AUTHENTICATION and initiate the Okta SSO configuration.

    Integrations - SSO

  2. In the SSO configuration wizard, at the Send details step, review the Wallarm metadata that should be passed to the Okta service.

    Wallarm's metadata

    • Wallarm Entity ID is a unique application identifier generated by the Wallarm application for the identity provider.
    • Assertion Consumer Service URL (ACS URL) is the address on the Wallarm side to which the identity provider sends requests with the SamlResponse parameter.
  3. Copy the metadata or save it as XML.

Step 3 (Okta): Configure application

To configure the application in Okta:

  1. Log in to Okta as an administrator.

  2. Click Applications → Applications → Create App Integration.

    Okta dashboard

  3. Set Sign‑on method → “SAML 2.0”.

  4. Proceed and in the Create SAML Integration wizard set general integration settings, such as App Name and optionally App logo.

    General settings

  5. Proceed and enter the Wallarm metadata. Required fields:

    • Single sign‑on URL = Assertion Consumer Service URL (ACS URL) in Wallarm.
    • Audience URI (SP Entity ID) = Wallarm Entity ID in Wallarm.

      Configure SAML

  6. Optionally, set other parameters described in Okta documentation.

    SAML settings preview

  7. Proceed and set Are you a customer or partner to "I'm an Okta customer adding an internal app".

  8. Optionally, set other parameters.

    Feedback form

  9. Click Finish. You will be redirected to the page of the created application.

  10. To get the Okta metadata, go to the Sign On tab and do one of the following:

    • Click Identity Provider metadata and save displayed data as XML.
    • Click View Setup instructions and copy displayed data.
  11. Provide Okta users with access to the created application by going to Applications → Applications → Assign Users to App and assigning users to the application.

    Assigning users to the application

Step 4 (Okta): Configure provisioning

Provisioning is the automatic transfer of data from the SAML SSO solution (Okta) to Wallarm: your Okta users and their group membership define access to Wallarm and the permissions there, and all user management is performed on the Okta side.

For this to work, provide the attribute mapping:

  1. In the Okta application, click Applications → Applications → General → SAML Settings (Edit) → Next.

  2. Map attribute statements:

    • email - user.email
    • first_name - user.firstName
    • last_name - user.lastName
  3. Map user groups to wallarm_role:[role] where role is:

    • admin (Administrator)
    • analytic (Analyst)
    • api_developer (API Developer)
    • auditor (Read Only)
    • partner_admin (Global Administrator)
    • partner_analytic (Global Analyst)
    • partner_auditor (Global Read Only)

      See all role descriptions here.

    Integrations - SSO, mapping in Okta

  4. Save the changes.

Step 5 (Wallarm): Enter Okta metadata

  1. In Wallarm Console, in the SSO configuration wizard, proceed to the Upload metadata step.

  2. Do one of the following:

    • Upload Okta metadata as an XML file.
    • Enter metadata manually as follows:

      • Identity Provider Single Sign‑On URL → Identity provider SSO URL field.
      • Identity Provider Issuer → Identity provider issuer field.
      • X.509 Certificate → X.509 Certificate field.

        Entering the metadata manually

  3. Complete the SSO configuration wizard. Wallarm will test whether data can now be transferred to and from your Okta.
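
Before entering the values manually, you can read the three fields out of the saved Okta metadata XML and refuse a file that is not what you expect. The following Python script is an added example, not Wallarm or Okta code; the function name `extract_idp_fields` is hypothetical, the sample metadata is constructed with placeholder values, and it assumes every `SingleSignOnService` entry in the file points at the same URL.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample: placeholder issuer, host and certificate bytes (not real Okta data).
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD}" entityID="http://www.okta.com/EXAMPLE_ISSUER_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/app/example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_fields(metadata_xml: str) -> dict:
    """Return the SSO URL, issuer and signing certificate from IdP metadata."""
    if "<!DOCTYPE" in metadata_xml:  # SAML metadata has no reason to carry a DTD
        raise ValueError("DOCTYPE declaration found in metadata")
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        raise ValueError("not an identity provider EntityDescriptor")
    urls = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if len(urls) != 1:
        raise ValueError(f"expected one distinct SSO URL, found {len(urls)}")
    sso_url = urls.pop()
    if urlparse(sso_url or "").scheme != "https":
        raise ValueError(f"SSO URL is not HTTPS: {sso_url}")
    certs = ["".join((c.text or "").split())
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"  # no "use" means any purpose
             for c in k.findall(".//ds:X509Certificate", NS)]
    if not certs or not certs[0]:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(certs[0], validate=True)  # raises on malformed base64
    return {"sso_url": sso_url, "issuer": root.get("entityID"),
            "x509_certificate": certs[0],
            "cert_sha256": hashlib.sha256(der).hexdigest()}
```

The `cert_sha256` value gives you a short fingerprint for checking that the certificate pasted into Wallarm is the same one you exported from Okta.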

Step 6 (Wallarm): Configure provisioning (SKIP)

For Okta, this step in Wallarm should be skipped.

SSO groups to Wallarm roles - mapping in Wallarm

Just go to the next step and complete the SSO configuration wizard. Wallarm will test whether data can now be transferred to and from your SAML SSO solution.