Okta — Integration

Overview

Enterprise SSO via SAML or OIDC with group-to-role mapping, just-in-time (JIT) user provisioning, and optional SCIM lifecycle sync.

Capabilities

• SAML 2.0 and OpenID Connect sign-in flows

• Group/claim → role mapping for RBAC

• Just-in-time user provisioning on first login

• Optional SCIM 2.0 user & group lifecycle sync

• Per-tenant sign-in policies and MFA enforcement

• Metadata import (IdP XML) and JWKS rotation handling

1. 1

   Step 1

   In Okta, create an app integration (SAML or OIDC). For OIDC, choose Web app; for SAML, download the IdP metadata XML.

   Back to top
2. 2

   Step 2

   In AccessGuard → Settings → SSO, click **Add Provider** and select Okta.

   Back to top
3. 3

   Step 3

   Paste the OIDC details (Issuer, Client ID/Secret) or upload SAML IdP metadata.

   Back to top
4. 4

   Step 4

   Define claim/group → role mappings (e.g., okta.groups: ["admins"] → role: admin).

   Back to top
5. 5

   Step 5

   Enable JIT provisioning and, if desired, configure SCIM with a bearer token.

   Back to top
6. 6

   Step 6

   Save and run a test login; verify role assignment and MFA policy.

   Back to top

Limitations

• SCIM requires Okta Lifecycle Management or equivalent licensing.

• SAML NameID/attributes must match your chosen unique identifier (email or external_id).

• Clock skew beyond ±5 minutes can break assertions; ensure NTP sync.

FAQs

Pricing