# SSO - OKTA

## Overview

To configure **Okta** as Identity Provider (**IdP**) and **Xygeni** as Service Provider (**SP**), you should first contact Xygeni to request data needed to properly configure the SAML integration between Okta and Xygeni.

You must provide the following information to Xygeni:

* **IDP Sign on URL**: URL of the Identity Provider (IdP, Okta in this case) against which the Xygeni user will authenticate.
* **Entity ID or Issuer**: Globally unique name for an Identity Provider or a Service Provider. It is a URI used to identify the issuer of a SAML request, response, or assertion.
* **URL Metadata**: URL of the discovery information (metadata) that the IdP exposes so that both parties can interoperate securely.
* **Signing Certificate**: Allows the Service Provider (SP, Xygeni in this case) to verify the authenticity of the SAML response.

Once you have submitted the above information to Xygeni, you will receive back the information needed to complete the integration. It will contain:

* **SP Single Sign on URL**: SP's URL that processes the SAML response, verifies and validates it.

## How to obtain the information to be sent to Xygeni

### Create an Okta App

Log in to Okta, go to *Applications* and click *Create App Integration*.

<figure><img src="/files/rllNnwT70CMuKgVtAA1b" alt="" width="563"><figcaption></figcaption></figure>

A new window will open to specify the *Sign-in method*. Choose the *SAML 2.0 option* and click *Next*.

<figure><img src="/files/8iFazMj23RZvt7KbMBBx" alt="" width="563"><figcaption></figcaption></figure>

Okta will redirect you to the workflow to create your SAML integration.

Under ***General Settings***, you must first specify the **App Name**. Choose whatever name you prefer to identify your app integration; in our example we will use "xy1".

<figure><img src="/files/NczSpgdwDo1kD1yP6Qvb" alt="" width="563"><figcaption></figcaption></figure>

After you click *Next*, the **Configure SAML** tab will appear.

This section contains several frames. The first is **A - SAML Settings**:

* **Single sign-on URL**: Location where the SAML assertion is sent with an HTTP POST. This is often referred to as the *SAML Assertion Consumer Service (ACS)* URL for your application.

This value will be provided by Xygeni and will follow this pattern: `https://api.xygeni.io/sso/details/[xygeni_customer_id]-[okta_app_name]`

In our case, let's say that customer id = 20; then the value would be <https://api.xygeni.io/sso/details/20-xy1>

Although the exact value for this field will be supplied by Xygeni, for now you can enter a dummy value such as the one above.

* **Audience URI (SP Entity ID)**: The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the *SP Entity ID* of your application.

This value will be provided by Xygeni and will follow this pattern: `[xygeni_customer_id]-[okta_app_name]`

In our case, let's say that customer id = 20, so the value would be 20-xy1.

Although the exact value for this field will be supplied by Xygeni, for now you can enter a dummy value such as the one above.

<figure><img src="/files/kKK4kH0pMR015VSOSR5l" alt="" width="563"><figcaption></figcaption></figure>

Scroll down and click *Next*. A new window will appear asking whether you are a customer or a partner. Select the “*I’m an Okta customer adding an internal app*” option and click *Finish*.

<figure><img src="/files/dEGEMkZ1kbUex4ALu7Ot" alt="" width="563"><figcaption></figcaption></figure>

### Gathering of info to send to Xygeni

Select the app you just created and click the *Sign on* tab.

<figure><img src="/files/G160uDoBK9Kz087WCJhK" alt="" width="450"><figcaption></figcaption></figure>

Click on *More details* and you will find some useful information to be provided to Xygeni.

<figure><img src="/files/i8CSgjlQK2xFDyRbds0b" alt="" width="455"><figcaption></figcaption></figure>

Copy the above information, download the Signing Certificate and send it to Xygeni.
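
The same values can also be read from the IdP metadata XML served at the Metadata URL, which avoids copy/paste errors; the fingerprint gives both sides a short value to compare when confirming that the certificate received is the one that was sent. This is an added example, not code from the Xygeni or Okta documentation, and the sample metadata, host names, entity ID and certificate bytes in it are constructed placeholders:

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: host names, entityID and certificate bytes are placeholders,
# not values from a real Okta tenant.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://idp.example.com/EXAMPLE_ENTITY">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/app/xy1/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_values(metadata_xml: str) -> dict:
    """Return the IdP sign-on URL, entity ID and signing-cert fingerprint from SAML metadata."""
    # Only parse metadata downloaded from your own IdP tenant with the stdlib parser.
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor element")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("metadata has no signing certificate")
    der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping first
    fp = hashlib.sha256(der).hexdigest().upper()
    return {
        "idp_sign_on_url": sso.get(POST) or next(iter(sso.values()), None),
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": ":".join(fp[i:i + 2] for i in range(0, 64, 2)),
    }


if __name__ == "__main__":
    for name, value in extract_idp_values(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```

The fingerprint is computed over the DER bytes of the certificate, so for a real certificate it matches what `openssl x509 -noout -fingerprint -sha256` reports for the downloaded file.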

## Assign people/groups to Okta application

Do not forget to assign people to the app integration you just created. To do so, select the *Assignments* tab and include people/groups as needed.

<figure><img src="/files/KrJlSO0uvvuIt4G6sISJ" alt="" width="451"><figcaption></figcaption></figure>

{% hint style="info" %}
IMPORTANT: The Okta username must already exist as a Xygeni user!
{% endhint %}

## Sending info to Xygeni and final steps

Once you have sent the above information to Xygeni, Xygeni will send back to you:

**SP Single Sign on URL**: SP's URL that processes the SAML response, verifies and validates it.

Review your Okta application to check that the received value matches the value entered as the Single sign-on URL.

<figure><img src="/files/GmiQUEEGFkoPRJSEtLun" alt="" width="533"><figcaption></figcaption></figure>

If they don't match, update the Okta app value to the value provided by Xygeni.

## Testing the Okta - Xygeni integration

Now you can test the application integration.

### Login from Xygeni

Go to the Xygeni login page (<https://in.xygeni.io/auth/login>). After you enter your login name, you will be presented with a page where you can enter your password or click the Okta button.


