Single Sign-On with Okta

Adding an Okta SAML integration for Single-Sign On

This guide will help you add an Okta app integration to enable single sign-on (SSO) for Veza, and manage teams and roles within your identity provider.

To enable SSO, you will need access to the Okta admin portal and the administrator role in Veza.

Before creating the app integration in Okta, log in to Veza and configure your sign-in settings to retrieve the required SAML metadata. After creating the Okta app, return to Veza to update the Sign-in (Log-in) URL and SAML X.509 certificate and enable the configuration. This setup flow will be similar when enabling SSO for other identity providers.

Step 1: Create an Okta app integration

Log in to your Okta administration portal (for example, https://oktadomain-admin.okta.com).

Open Applications > Applications and click Create App Integration.

Creating an app

Enable SAML 2.0 for the protocol and click Next:

Selecting the SAML protocol

Give the app a name and click Next:

Naming the app

Step 2: Configure the app

To configure an Okta app you will need the Veza Single Sign On URL and Audience URI (SP Entity ID).

You can retrieve these by navigating to Veza Administration > Sign-in Settings, clicking Configure to enable SSO, and copying the values at the top of the wizard.

  • SSO URL: The Veza Single Sign on URL (ACS), e.g. https://your-org.vezacloud.com/auth/saml/acs. This is the Location= value in the downloaded SP Metadata.

  • SP Entity ID: The Veza Audience URI (Entity ID), for example https://your-org.vezacloud.com/auth/saml/metadata. This is the entityID= value in the downloaded SP Metadata.

In the App SAML Settings section, enter the Veza SSO URL and SP Entity ID.

  • For Name ID format, pick EmailAddress

  • For Application Username, pick "Okta Username"

These settings enable Veza to correctly identify and authenticate managers who are auto-assigned to Access Reviews.

Configuring the app

Note: If you want to enable Single Logout, you will need to return to this page and click on Show Advanced Settings after you have saved the configuration in Veza. You will need to populate the SLO URL, the SP Issuer (same as the SP Entity ID), and the SP Certificate, all available in the SP metadata.

Click Next to finish setting up the application. On the final step, click Okta customer and This is an internal app. Click Finish.

Finish app setup

After creating the application, you need to configure additional settings on the General tab:

  1. Return to the app's configuration page and select the General tab

  2. Click Edit if the settings are not already in edit mode

  3. Find the Default RelayState field in the application settings

  4. Enter a value of / (a single forward slash) to redirect users to the Veza homepage

  5. Click Save

Important: The Default RelayState parameter is required for IdP-initiated SSO to function correctly. Without this setting, users clicking the Veza tile in the Okta dashboard may encounter errors or failed redirects, even if all other configuration is correct.

Step 3: Get identity provider metadata for the Okta App

On the next screen, click View Setup Instructions:

Retrieving the SAML metadata for Veza from Okta

Copy the "Identity Provider Single Sign-On URL" and "Identity Provider Issuer" values, and download the "X.509 Certificate", which you will need when configuring Veza:

Getting the certificate required to configure Veza

Step 4 (Optional): Enable identity provider managed roles

Veza can use group information from Okta to assign teams and roles when users first log in. Teams are assigned based on mappings in Sign-in Settings. To enable this, you can configure the Okta app to transmit a list of Okta groups the application user belongs to.

  1. Click Show Advanced Settings for the Okta app.

  2. Scroll to Group Attribute Statements (optional).

  3. Enter the attribute name for group values.

  4. Use Filter settings to specify Okta groups to include in the SAML claim.

Next, map these groups to teams and roles in Veza:

  1. Go to Veza Sign-in Settings > SSO > Configure SAML.

  2. Scroll down to the Role Mapping section.

  3. For SAML Attribute, enter groups.

  4. Click "Add" to create a mapping.

  5. Type in the name of the Okta group. Use the dropdown menus to pick a team and role to assign.

  6. Optionally, assign more team and role pairs for the group by clicking the "+" icon in the Actions column.

  7. Repeat this process to add a mapping for each Okta group that will have a team and role in Veza.
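To make the Step 4 round trip concrete, the following added example (not Veza's or Okta's code) models both halves in plain Python: the Okta group filter that decides which groups reach the groups claim, and the Veza Role Mapping that turns those values into team and role pairs. The group, team and role names are constructed placeholders, and the regex filter is assumed to require a full match.

```python
# Added example: Okta-side group filter and Veza-side role mapping for the
# "groups" attribute. All group, team and role names are constructed.
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def okta_group_filter(user_groups, kind, value):
    """Group Attribute Statements filter: only matching groups are put in the claim.
    kind is one of the Okta filter types; regex is assumed to be a full match."""
    tests = {
        "Starts with": lambda g: g.startswith(value),
        "Equals": lambda g: g == value,
        "Contains": lambda g: value in g,
        "Matches regex": lambda g: re.fullmatch(value, g) is not None,
    }
    return [g for g in user_groups if tests[kind](g)]


def attribute_values(assertion_xml, name="groups"):
    """Values of the named SAML attribute (what Veza reads for Role Mapping), or []."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return []


# Okta group -> (Veza team, Veza role) pairs, as entered under Role Mapping.
ROLE_MAPPING = {
    "veza-admins": [("Security", "Admin")],
    "veza-auditors": [("Security", "Viewer"), ("Compliance", "Viewer")],
}


def resolve_memberships(groups, mapping=ROLE_MAPPING):
    """Union of pairs over every mapped group. Unmapped groups add nothing, and an
    empty result means SSO assigned no team: the user needs a manual assignment."""
    resolved = set()
    for g in groups:
        resolved.update(mapping.get(g, []))
    return sorted(resolved)


# Constructed assertion fragment carrying the filtered groups (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>veza-auditors</saml:AttributeValue>
      <saml:AttributeValue>veza-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

A "Starts with veza-" filter keeps Okta's built-in Everyone group out of the claim, which is what you want when only a few groups carry a Veza mapping.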

Step 5: Configure and enable Veza single sign-on

  1. Click the toggle to enable SSO under Administration > Sign-in Settings.

  2. Click to configure SSO. Enter the Okta sign-in URL and upload the signing certificate.

  3. Enable RSA-SHA-256 and SHA-256 as the Sign Request Algorithm and Digest. Enable HTTP-POST as the Protocol Binding.

  4. The icon chosen with the Button Logo URL appears on the Veza login page.

  5. Tick the box Enable IDP Initiated login. When enabled, app users can open Veza from their Okta dashboard without logging in. Make sure you've configured the Default RelayState as described in Step 2.

  6. For Issuer ID, use the Identity Provider Issuer value from Okta, e.g. http://www.okta.com/ackfl76549mHKsk9q5d7

  7. Add optional role mappings to assign users to Veza teams and roles based on Okta group assignments.

Step 6: Save and enable the connection

Click save on the configuration page to return to Sign-in Settings, and toggle the option to enable SSO. Visitors will now have the choice to Continue with SAML SSO, which will redirect to Okta for authentication.

Enabling Veza SSO
