Single Sign-On with Okta

Adding an Okta SAML integration for Single Sign-On

This guide will help you add an Okta app integration to enable single sign-on (SSO) for Veza, and manage teams and roles within your identity provider.

To enable SSO, you will need access to the Okta admin portal and the administrator role in Veza.

Before creating the app integration in Okta, log in to Veza and configure your sign-in settings to retrieve the required SAML metadata. After creating the Okta app, return to Veza to update the Sign-in (Log-in) URL and SAML X.509 certificate and enable the configuration. This setup flow will be similar when enabling SSO for other identity providers.

Step 1: Create an Okta app integration

Log in to your Okta administration portal (for example, https://oktadomain-admin.okta.com).

Open Applications > Applications and click Create App Integration.

Enable SAML 2.0 for the protocol and click Next:

Give the app a name and click Next:

Step 2: Configure the app

To configure an Okta app you will need the Veza Single Sign On URL and Audience URI (SP Entity ID).

You can retrieve these by navigating to Veza Administration > Sign-in Settings, clicking Configure to enable SSO, and copying the values at the top of the wizard.

  • SSO URL: The Veza Single Sign on URL (ACS), e.g. https://your-org.vezacloud.com/auth/saml/acs. This is the Location= value in the downloaded SP Metadata.

  • SP Entity ID: The Veza Audience URI (Entity ID), for example https://your-org.vezacloud.com/auth/saml/metadata. This is the entityID= value in the downloaded SP Metadata.

In the App SAML Settings section, enter the Veza SSO URL and SP Entity ID.

  • For Name ID format, pick EmailAddress

  • For Application Username, pick "Okta Username"

These settings enable Veza to correctly identify and authenticate managers who are auto-assigned to Access Reviews.

Note: If you want to enable Single Logout, you will need to return to this page and click Show Advanced Settings after you have saved the configuration in Veza. You will need to populate the SLO URL, the SP Issuer (the same value as the SP Entity ID), and the SP Certificate, all of which are available in the SP metadata.

Click Next to finish setting up the application. On the final step, select that you are an Okta customer and that this is an internal app, then click Finish.
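As an added example (not code from Veza or Okta), the following Python script reads a service-provider metadata document of the kind downloaded from Veza's Sign-in Settings and pulls out every value the Okta form asks for: the ACS Location (Single sign-on URL), the entityID (Audience URI, and the SP Issuer used for Single Logout), the Single Logout URL, the NameID format, and the signing certificate re-wrapped as a PEM file with its SHA-256 fingerprint. The metadata document is constructed for the example: the hostname and paths follow the placeholders in this guide, and the certificate body is a base64-encoded marker string, not a real certificate. The script refuses metadata whose ACS endpoint does not offer HTTP-POST, since that is the binding Okta uses to deliver the SAML response.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the certificate body (base64 of a marker string,
# not a real X.509 certificate); a downloaded metadata file carries real DER.
CERT_B64 = base64.b64encode(b"PLACEHOLDER-NOT-A-REAL-CERT").decode()

# Constructed SP metadata in the standard SAML 2.0 metadata shape; the
# hostname and paths are placeholders matching the examples in this guide.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://your-org.vezacloud.com/auth/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-org.vezacloud.com/auth/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://your-org.vezacloud.com/auth/saml/acs"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of the base64 DER in metadata."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(cert_b64: str) -> str:
    """Wrap the metadata's base64 DER as a PEM file, which upload forms expect."""
    body = "".join(cert_b64.split())
    lines = textwrap.wrap(body, 64)  # PEM body is base64 in 64-column lines
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_sp_values(metadata_xml: str) -> dict:
    """Pull the fields the Okta SAML settings form asks for out of SP metadata."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if entity_id is None or sp is None:
        raise ValueError("not SP metadata: missing entityID or SPSSODescriptor")

    # Okta posts the SAML Response, so the ACS endpoint must offer HTTP-POST.
    acs_post = [e for e in sp.findall("md:AssertionConsumerService", NS)
                if e.get("Binding") == HTTP_POST]
    if not acs_post:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    acs = next((e for e in acs_post if e.get("isDefault") == "true"), acs_post[0])

    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    cert = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                break
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in SP metadata")

    slo = sp.find("md:SingleLogoutService", NS)
    name_id = sp.find("md:NameIDFormat", NS)
    cert_b64 = "".join(cert.text.split())
    return {
        "single_sign_on_url": acs.get("Location"),  # Okta: Single sign-on URL
        "audience_uri": entity_id,                   # Okta: Audience URI (SP Entity ID)
        "sp_issuer": entity_id,                      # Okta advanced settings: SP Issuer
        "slo_url": slo.get("Location") if slo is not None else None,
        "slo_binding": slo.get("Binding") if slo is not None else None,
        "name_id_format": name_id.text.strip() if name_id is not None and name_id.text else None,
        "sp_certificate_pem": to_pem(cert_b64),
        "sp_certificate_sha256": cert_fingerprint(cert_b64),
    }


if __name__ == "__main__":
    for key, value in extract_sp_values(SP_METADATA).items():
        shown = value.splitlines()[0] + " ..." if key == "sp_certificate_pem" else value
        print(f"{key}: {shown}")
```

Point the script at a real downloaded metadata file and paste the printed values into the Okta SAML Settings. The fingerprint is the quick way to confirm that the SP Certificate shown under Okta's advanced settings is the one from the current metadata rather than a stale copy.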

Step 3: Get identity provider metadata for the Okta App

On the next screen, click View Setup Instructions:

Copy the “Identity Provider Single Sign-On URL” and “Identity Provider Issuer” values, and download the “X.509 Certificate”, which you will need when configuring Veza:

Step 4 (Optional): Enable identity provider managed roles

Veza can use group information sent by Okta during login to assign roles based on mappings in Sign-in Settings. To enable this:

  • Option 1: In Veza, map roles to groups in a Group Attribute Statement on the Okta App

    This method will configure the Okta app to transmit a list of Okta groups the application user belongs to. You can map these groups to Veza roles from the Veza UI:

    1. Click Show Advanced Settings for the Okta app.

    2. Scroll to Group Attribute Statements (optional).

    3. Enter the attribute name for group values.

    4. Use Filter settings to specify Okta groups to include in the SAML claim.

    5. Update the Role Mapping Attribute in Veza Sign-in Settings > Configure SSO to match the statement name in Okta, and map Okta group names to Veza roles.

  • Option 2: In Okta, map groups to Veza roles:

    Use this method if you want to fully manage teams and roles in Okta. The Okta app will transmit a groups attribute statement with values that match the format expected by Veza. This requires no additional role mapping in Veza.

    See Group Mapping for Okta Single Sign-On for step-by-step instructions.

    1. Add a custom attribute for Veza app users to contain their team and role assignment.

    2. Configure the app to include a SAML groups attribute statement.

    3. Assign groups to the Veza application and specify each group's role in the format {Team SSO Alias}:{role name}.
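To make the two options concrete, here is an added Python example (not Veza or Okta code) that takes the AttributeStatement produced by an Okta group attribute statement and derives team and role assignments both ways: Option 1 looks each Okta group name up in a mapping table of the kind maintained in Veza Sign-in Settings, and Option 2 splits values that are already in the {Team SSO Alias}:{role name} format. The attribute name groups, the group names, the mapping table and the role names admin, operator and viewer are assumptions for the example, and the XML fragment is constructed rather than a captured assertion.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement in the shape Okta emits for a group attribute
# statement named "groups". Only the fragment needed for mapping is shown.
# "Everyone" is included to show what an overly broad group filter lets through.
ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>veza-admins</saml:AttributeValue>
    <saml:AttributeValue>security-eng</saml:AttributeValue>
    <saml:AttributeValue>finance:viewer</saml:AttributeValue>
    <saml:AttributeValue>Everyone</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def attribute_values(statement_xml: str, name: str) -> list:
    """Values of the attribute called `name`; empty if the statement is named
    differently (the usual cause of 'no roles assigned' after SSO login)."""
    root = ET.fromstring(statement_xml)
    return [v.text.strip()
            for attr in root.findall("saml:Attribute", SAML_NS)
            if attr.get("Name") == name
            for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]


# Option 1: mapping kept in Veza (assumed table for the example).
# Okta group name -> (team SSO alias, Veza role)
VEZA_ROLE_MAPPING = {
    "veza-admins": ("root", "admin"),
    "security-eng": ("security", "operator"),
}


def option1_assignments(groups: list) -> list:
    """Groups with no mapping are ignored; a user may land on several teams."""
    return sorted({VEZA_ROLE_MAPPING[g] for g in groups if g in VEZA_ROLE_MAPPING})


def option2_assignments(groups: list) -> list:
    """Values are expected as '{Team SSO Alias}:{role name}'; anything without
    a team, a colon and a role is skipped rather than guessed at."""
    out = set()
    for g in groups:
        team, sep, role = g.partition(":")
        if sep and team and role:
            out.add((team, role))
    return sorted(out)


if __name__ == "__main__":
    groups = attribute_values(ATTRIBUTE_STATEMENT, "groups")
    print("groups in assertion:", groups)
    print("option 1 (mapping in Veza):", option1_assignments(groups))
    print("option 2 (format from Okta):", option2_assignments(groups))
```

Two things the output makes visible: the attribute name in Veza's Role Mapping Attribute must match the statement name in Okta exactly, or the lookup returns nothing; and the Okta group filter should be narrow enough that only groups meant for Veza (and, for Option 2, only values in the expected format) reach the assertion.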

Step 5: Configure and enable Veza single sign-on

  1. Click the toggle to enable SSO under Administration > Sign-in Settings.

  2. Click to configure SSO. Enter the Okta sign-in URL and upload the signing certificate.

  3. Enable RSA-SHA-256 and SHA-256 as the Sign Request Algorithm and Digest. Enable HTTP-POST as the Protocol Binding.

  4. The icon chosen with the Button Logo URL appears on the Veza login page.

  5. Tick the box Enable IDP Initiated login if you need it. When enabled, app users can open Veza from their Okta dashboard without a separate Veza login. Leave it off unless it is required: in an IdP-initiated flow Veza receives a SAML response it did not request, so the response cannot be tied to an outstanding authentication request the way an SP-initiated login can.

  6. For Issuer ID, use the Identity Provider Issuer value from Okta, e.g. http://www.okta.com/ackfl76549mHKsk9q5d7

  7. Add optional role mappings to assign users to Veza teams and roles based on Okta group assignments.

Step 6: Save and enable the connection

Click save on the configuration page to return to Sign-in Settings, and toggle the option to enable SSO. Visitors will now have the choice to Continue with SAML SSO, which will redirect to Okta for authentication.
