Single Sign-On with Okta
Adding an Okta SAML integration for Single-Sign On
This guide will help you add an Okta app integration to enable single sign-on (SSO) for Veza, and manage teams and roles within your identity provider.
To enable SSO, you will need access to the Okta admin portal and the administrator role in Veza.
Before creating the app integration in Okta, log in to Veza and configure your sign-in settings to retrieve the required SAML metadata. After creating the Okta app, return to Veza to update the Sign-in (Log-in) URL and SAML X.509 certificate and enable the configuration. This setup flow will be similar when enabling SSO for other identity providers.
Step 1: Create an Okta app integration
Log in to your Okta administration portal (for example, https://oktadomain-admin.okta.com).
Open Applications > Applications and click Create App Integration.
Enable SAML 2.0 for the protocol and click Next:
Give the app a name and click Next:
Step 2: Configure the app
To configure an Okta app you will need the Veza Single Sign On URL and Audience URI (SP Entity ID).
You can retrieve these by navigating to Veza Administration > Sign-in Settings, clicking Configure to enable SSO, and copying the values at the top of the wizard.
SSO URL: The Veza Single Sign-On URL (ACS), e.g. https://your-org.vezacloud.com/auth/saml/acs. This is the Location= value in the downloaded SP Metadata.
SP Entity ID: The Veza Audience URI (Entity ID), for example https://your-org.vezacloud.com/auth/saml/metadata. This is the entityID= value in the downloaded SP Metadata.
In the App SAML Settings section, enter the Veza SSO URL and SP Entity ID.
For Name ID format, pick EmailAddress.
For Application Username, pick "Okta Username"
These settings enable Veza to correctly identify and authenticate managers who are auto-assigned to Access Reviews.
Note: If you want to enable Single Logout, you will need to return to this page and click Show Advanced Settings after you have saved the configuration in Veza. You will need to populate the SLO URL, the SP Issuer (same as the SP Entity ID), and the SP Certificate, all available in the SP metadata.
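The SSO URL, SP Entity ID, SLO URL, SP Issuer and SP Certificate above all come from the same SP metadata document. The following script is an added example (not Veza's or Okta's code) that pulls those fields out of a downloaded SP metadata file so they can be copied into the Okta app without hand-reading XML, and refuses any endpoint that is not served over https. The sample metadata embedded in it is constructed: the hostname, the /auth/saml/slo path and the certificate body are placeholders, not values from a real tenant.

```python
"""Extract the values Okta asks for (SSO URL, SP Entity ID, and for Single
Logout the SLO URL, SP Issuer and SP Certificate) from Veza SP metadata."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata in the shape the Veza wizard downloads.
# The hostname, the /auth/saml/slo path and the certificate body are
# placeholders, not values taken from a real tenant.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://your-org.vezacloud.com/auth/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIICPLACEHOLDER
            CERTBODY
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-org.vezacloud.com/auth/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-org.vezacloud.com/auth/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _require_https(url, what):
    """Refuse plain-http endpoints: SAML responses would otherwise be posted
    over an unprotected channel."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"{what} must use https, got {url!r}")
    return url


def parse_sp_metadata(xml_text):
    """Return the fields to paste into the Okta app's SAML settings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    # Okta's "Single sign-on URL" is the HTTP-POST AssertionConsumerService;
    # prefer the one flagged isDefault, then the lowest index.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))

    slo = sp.find("md:SingleLogoutService", NS)

    # The SP Certificate: a KeyDescriptor with use="signing" (or no 'use',
    # which means the key serves both signing and encryption).
    cert = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None:
                break
    name_id = sp.find("md:NameIDFormat", NS)

    return {
        "entity_id": entity_id,                                        # SP Entity ID / SP Issuer
        "acs_url": _require_https(acs[0].get("Location"), "ACS URL"),  # Okta SSO URL
        "slo_url": _require_https(slo.get("Location"), "SLO URL") if slo is not None else None,
        "signing_cert": "".join((cert.text or "").split()) if cert is not None else None,
        "name_id_format": name_id.text.strip() if name_id is not None and name_id.text else None,
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Replace SAMPLE_SP_METADATA with the contents of the downloaded file to run it against a real tenant; the name_id_format field is a handy check that the SP really expects the EmailAddress format chosen in Okta above.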
Click Next to finish setting up the application. On the final step, select the Okta customer option and "This is an internal app", then click Finish.
Step 3: Get identity provider metadata for the Okta App
On the next screen, click View Setup Instructions:
Copy the "Identity Provider Single Sign-On URL" and "Identity Provider Issuer" values, and download the "X.509 Certificate", which you will need when configuring Veza:
Step 4 (Optional): Enable identity provider managed roles
Veza can use group information sent by Okta during login to assign roles based on mappings in Sign-in Settings. To enable this:
Option 1: In Veza, map roles to groups in a Group Attribute Statement on the Okta App
This method will configure the Okta app to transmit a list of Okta groups the application user belongs to. You can map these groups to Veza roles from the Veza UI:
Click Show Advanced Settings for the Okta app.
Scroll to Group Attribute Statements (optional).
Enter the attribute name for group values.
Use Filter settings to specify Okta groups to include in the SAML claim.
Update the Role Mapping Attribute in Veza Sign-in Settings > Configure SSO to match the statement name in Okta, and map Okta group names to Veza roles.
Option 2: In Okta, map groups to Veza roles:
Use this method if you want to fully manage teams and roles in Okta. The Okta app will transmit a groups attribute statement with values that match the format expected by Veza. This requires no additional role mapping in Veza. See Group Mapping for Okta Single Sign-On for step-by-step instructions.
Add a custom attribute for Veza app users to contain their team and role assignment.
Configure the app to include a SAML groups attribute statement.
Assign groups to the Veza application and specify each group's role in the format {Team SSO Alias}:{role name}.
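To make the two options concrete, here is an added example (not Veza's or Okta's code) that reads the group attribute values out of a SAML AttributeStatement and resolves them either Option 2 style, by splitting each {Team SSO Alias}:{role name} value, or Option 1 style, by looking plain Okta group names up in a mapping held on the Veza side. The AttributeStatement, team aliases, role names and mapping are all constructed for the example; splitting on the first colon only, and silently dropping values that do not fit the format, are choices of this example rather than documented Veza behaviour.

```python
"""Resolve Veza team/role assignments from the groups Okta sends in a SAML
assertion: Option 2 ("{Team SSO Alias}:{role name}" values) or Option 1
(plain group names mapped to roles in Veza Sign-in Settings)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement in the shape Okta emits once a "groups"
# attribute statement is configured. Team aliases and role names are made up.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>security-eng:admin</saml:AttributeValue>
    <saml:AttributeValue>platform:viewer</saml:AttributeValue>
    <saml:AttributeValue>Everyone</saml:AttributeValue>
    <saml:AttributeValue>  finance : operator  </saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def attribute_values(statement_xml, attribute_name):
    """All values of the named attribute, in assertion order, whitespace-trimmed.
    Searches the whole tree so a full Assertion works as well as a bare
    AttributeStatement."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for v in attr.findall("saml:AttributeValue", SAML_NS):
            values.append((v.text or "").strip())
    return values


def parse_team_roles(values):
    """Option 2: turn "alias:role" values into (team, role) pairs.
    Values without a colon, or with an empty side, are returned separately
    so they can be logged instead of silently granting anything."""
    assignments, skipped = [], []
    for raw in values:
        team, sep, role = raw.partition(":")   # first colon only (example's assumption)
        team, role = team.strip(), role.strip()
        if not sep or not team or not role:
            skipped.append(raw)
            continue
        assignments.append((team, role))
    return assignments, skipped


def roles_from_group_mapping(values, group_to_role):
    """Option 1: groups are plain Okta group names and the mapping lives in
    Veza. Unmapped groups grant nothing, which is the safe default."""
    roles = []
    for group in values:
        role = group_to_role.get(group)
        if role is not None and role not in roles:
            roles.append(role)
    return roles


if __name__ == "__main__":
    groups = attribute_values(SAMPLE_ATTRIBUTE_STATEMENT, "groups")
    assigned, ignored = parse_team_roles(groups)
    print("Option 2 assignments:", assigned)
    print("Option 2 ignored values:", ignored)
    # Constructed Option 1 mapping: Okta group name -> Veza role
    print("Option 1 roles:", roles_from_group_mapping(groups, {"Everyone": "viewer"}))
```

When debugging a login that lands a user in the wrong role, running the assertion's AttributeStatement through this shows whether the problem is the attribute name (nothing extracted), the value format (values in the skipped list), or the mapping itself.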
Step 5: Configure and enable Veza single sign-on
Click the toggle to enable SSO under Administration > Sign-in Settings.
Click to configure SSO. Enter the Okta sign-in URL and upload the signing certificate.
Enable RSA-SHA-256 and SHA-256 as the Sign Request Algorithm and Digest. Enable HTTP-POST as the Protocol Binding. The icon chosen with the Button Logo URL appears on the Veza login page.
Tick the box Enable IDP Initiated login. When enabled, app users can open Veza from their Okta dashboard without signing in to Veza separately.
For Issuer ID, use the Identity Provider Issuer value from Okta, e.g. http://www.okta.com/ackfl76549mHKsk9q5d7.
Add optional role mappings to assign users to Veza teams and roles based on Okta group assignments.
Step 6: Save and enable the connection
Click save on the configuration page to return to Sign-in Settings, and toggle the option to enable SSO. Visitors will now have the choice to Continue with SAML SSO, which will redirect to Okta for authentication.