Federate with Okta using SAML

CyberArk supports single sign-on (SSO) from Okta via SAML. This topic describes how to integrate CyberArk Identity with Okta for SSO. CyberArk Identity supports both Identity Provider and Service Provider-initiated SSO.

Add Okta as an external IdP

Step 1: Configure settings in CyberArk

  1. Go to Settings > Users > External Identity Providers, then click Add.

  2. Enter a unique external Okta IdP name. For example, Okta Federation.

  3. Go to the Routing Rules tab and add a unique domain name to the Federation Domains table.

    The federated domain is likely your organization's email domain.

    The domain name must match the domain of the Okta user accounts you are integrating with. For example, if you sign in to Okta as user@example.com, then add example.com under Federation Domains. With this domain added, when a user signs in to CyberArk Identity (an SP-initiated flow), CyberArk Identity detects the domain suffix of the username and redirects to Okta (the IdP) for authentication.

Step 2: Configure group mappings in CyberArk

  1. Click Group Mappings, then click Add to create a mapping of the Okta group.

  2. Enter the Okta group name in the Group Attribute Value field, then enter a CyberArk group name in the Group Name field.

    The group attribute value should match the name in Okta. The group name is used for assigning to roles or apps in CyberArk Identity. This maps the IdP roles (information you should have received from the external IdP) to your groups. Each group needs to be a member of at least one role in your tenant.

Do not click Inbound Metadata. Skip to Outbound Metadata.

Step 3: Configure outbound metadata in CyberArk

  1. Click Outbound Metadata to provide SAML settings in Okta.

  2. Click Option 3: Manual Configuration.

  3. Copy the Service Provider Authentication Response URL and the subject of the Service Provider Certificate Authority and paste them in Notepad for later use.

    Do not click Save.

Step 4: Configure a SAML application in Okta

  1. Open a new browser window and go to your Okta account to add a SAML 2.0 app in Okta.

  2. Go to Applications > Applications, click Create App Integration, then click SAML 2.0, and then click Next.

  3. Enter the app name CyberArk Identity, optionally upload the CyberArk logo, then click Next.

  4. Using the text in Notepad, do the following:

    • Copy the Service Provider Authentication Response URL and paste it in the Single sign on URL text field.

    • Copy the Service Provider Certificate Authority and paste it in the Audience URI text field.

  5. In the Attribute Statements, enter the following:

    Name                 Value
    UserPrincipalName    user.login
    DisplayName          user.displayName
    LoginName            user.login
    mobileNumber         user.mobilePhone
    emailAddress         user.email

  6. In the Group Attributes Statement, enter the following and then click Next.

    Name     Filter
    Group    Starts with*    CyberArkUsers

    *Starts with is the default, but another option can be selected.

    The Group attribute value should match the Okta group name to allow access to apps on CyberArk Identity. For example, Okta group 1 is allowed access to app A but not app B; however, Okta group 2 is allowed access to app B.

  7. Click I'm an Okta customer adding an internal app and then click Finish.
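An added example (not CyberArk or Okta code) of what the service provider side of Steps 2 and 4 amounts to: parse a constructed SAML assertion carrying the attribute statements and Group attribute configured above, check that its Audience is the value pasted into Audience URI, and apply the Step 2 mapping from Okta group names to CyberArk group names. The audience string and group names are assumed placeholders, and signature verification is left out.

```python
# Added example, not CyberArk or Okta code. Parses a constructed SAML assertion
# with the Step 4 attribute statements and applies the Step 2 group mapping.
# Signature validation is omitted; a real SP verifies the signature first.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed placeholder for the value pasted into Audience URI in Step 4.
SP_AUDIENCE = "urn:example:placeholder-sp-audience"
# Step 2 mapping: Okta group name (Group Attribute Value) -> CyberArk group name.
GROUP_MAPPING = {"CyberArkUsers": "Okta Federated Users"}  # assumed names

# Constructed sample assertion; only the Group values that Step 2 maps are used.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:example:placeholder-sp-audience</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserPrincipalName"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="DisplayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LoginName"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>CyberArkUsers</saml:AttributeValue>
      <saml:AttributeValue>CyberArkAdmins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text, expected_audience):
    """Return {attribute name: [values]} after checking the AudienceRestriction."""
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("Audience mismatch: %r" % audiences)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def map_groups(attrs, mapping):
    """Only IdP groups with a Step 2 mapping become CyberArk groups; others are dropped."""
    return sorted(mapping[g] for g in attrs.get("Group", []) if g in mapping)
```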

Step 5: Assign groups and people in Okta

  1. Click Assignments to assign the app to the people and groups that need access to the CyberArk Identity tenant.

Step 6: Configure inbound metadata

  1. While in Okta, go to Applications, then open the SAML app you created.

  2. Click Sign On, then right-click on the Identity Provider Metadata link and copy the URL.

  3. Return to the CyberArk Admin Portal, click Inbound Metadata, paste the URL in the Option 1: Upload IDP configuration from URL text box, and then click Save.

Step 7: Configure login hint in CyberArk Identity

This setting automatically enters the username on the Okta login page when you perform an SP-initiated sign-on from CyberArk. With it, users do not have to type the username once in CyberArk and again in the Okta sign-on.

This setting is only supported on the Okta Identity Engine and not on the Okta Classic Engine. Check the footer on any page in the Admin Console to confirm the solution you're using. The version number is appended with an E for Engine orgs and C for Classic orgs.

  1. Edit the saved configuration External IdP setting for Okta and navigate to Inbound Metadata.

  2. Select Option 3: Manual Configuration.

  3. Append ?login_hint=[username] to the end of the Identity Provider Login URL and click Save.
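An added example (not CyberArk code) of the SP-initiated path that Step 1 and Step 7 configure together: decide from the username's domain suffix whether the sign-in is routed to Okta, and build the IdP login URL with the login_hint appended so that an existing query string and special characters in the username are handled correctly. The federation domain and the Okta login URL are assumed placeholders.

```python
# Added example, not CyberArk code. Models the Step 1 routing rule (domain suffix
# -> external IdP) and the Step 7 login_hint on the Identity Provider Login URL.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

FEDERATION_DOMAINS = {"example.com"}  # Step 1 Federation Domains (assumed value)
# Assumed placeholder for the Identity Provider Login URL under Inbound Metadata.
IDP_LOGIN_URL = "https://example.okta.com/app/placeholder/sso/saml"

def federated_domain(username, domains=FEDERATION_DOMAINS):
    """Return the matching federation domain for a username, or None for local users."""
    if "@" not in username:
        return None
    domain = username.rsplit("@", 1)[1].strip().lower()
    return domain if domain in domains else None

def login_hint_url(idp_login_url, username):
    """Add login_hint to the IdP login URL, keeping any query string it already has.

    Blindly appending '?login_hint=' would produce a second '?' on URLs that
    already carry parameters; rebuilding the query avoids that and encodes '@'.
    """
    parts = urlsplit(idp_login_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["login_hint"] = username
    return urlunsplit(parts._replace(query=urlencode(query)))

def sp_initiated_redirect(username, domains=FEDERATION_DOMAINS, idp_url=IDP_LOGIN_URL):
    """Return the Okta redirect URL for a federated user, or None to authenticate locally."""
    if federated_domain(username, domains) is None:
        return None
    return login_hint_url(idp_url, username)
```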

Step 8: Allowing API calls from Okta

  1. Go to Settings > Authentication > Security Settings > API Security > Allowed Domain and click Edit.

  2. Enter the URL of the referring IDP. For example, example.okta.com.

    While wildcards are supported (*.okta.com), it is best practice to list the specific Okta tenant.

  3. Click Add, then click Save.

Step 9: Testing the configuration

  IdP-initiated SSO:

  1. Sign in to the Okta End-User Dashboard.

  2. Click the CyberArk Identity app tile to log in to your CyberArk Identity tenant.

  SP-initiated SSO:

  1. Go to CyberArk Identity and sign in with your Okta username.

  2. CyberArk Identity redirects to Okta for authentication.

  3. Once authenticated with Okta, you are redirected back to CyberArk Identity.