# Okta and SAML

This document offers some guidance for those unfamiliar with Okta in configuring Okta as the identity provider with the Helix SAML solution. An experienced administrator is free to change these settings to whatever suits their environment (e.g. using "username" instead of email address).

## Configuring Okta

### Creating the Application

1. Log into your Okta organization in your browser
1. Visit the Admin page
1. Ensure you are using the "Classic UI", as the new UI hides some features.
    * Look for the "Developer Console" link/button at the top, click it, and change to "Classic"
1. Find the link for "Add Applications"
1. Click the "Create New App" button
1. Choose the Web platform
1. Select the SAML 2.0 sign-on method
1. Provide the following SAML settings:

| Field                | Value                          |
| -------------------- | ------------------------------ |
| Single sign on URL   | http://localhost:7070/saml/sso |
| Audience URI         | urn:example:sp                 |
| Name ID format       | EmailAddress                   |
| Application username | Email                          |

You will need to add at least one "optional" attribute to the SAML configuration, otherwise the OneLogin `python3-saml` code will reject the response for lacking an `AttributeStatement`. For example, add an attribute called `fullname` and select `fullName` as the value; the format can be left unspecified.

Under the **Assignments** tab, add users to the application, otherwise Okta will reject the user when they attempt to sign in to the application.

### Gather IdP settings

On the application page, under **Sign On**, click the button to verify your SAML settings. On this page there is a link to the Identity Provider metadata; copy that link for use by the trigger as the `idpUrl` value in the `auth.sso.args` setting.

### Name ID and Perforce User

Ensure the Helix Server instance has a Perforce user with an email address that matches the account on Okta, otherwise the SSO trigger will not recognize the user as valid.

If you are using the username instead, then the Okta username must match the Perforce user name.
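The following added example (not part of the Helix SAML solution or this document's original content) shows the configuration-level checks described above applied to a constructed, unsigned assertion: the Name ID must use the EmailAddress format, the Audience must equal the configured `urn:example:sp`, an `AttributeStatement` with at least one attribute must be present (the condition `python3-saml` enforces), and the Name ID email must match exactly one Perforce user. The `PERFORCE_USERS` table and the sample assertion are constructed stand-ins; signature and timestamp validation are assumed to be done by `python3-saml` before this runs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EXPECTED_AUDIENCE = "urn:example:sp"  # Audience URI entered in the Okta app settings

# Constructed stand-in for the Helix Server user list (Perforce user name -> email).
PERFORCE_USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}

# Constructed, unsigned sample assertion matching the settings in the table above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@Example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:example:sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="fullname"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, users=PERFORCE_USERS, audience=EXPECTED_AUDIENCE):
    """Return (perforce_user, problems); perforce_user is None unless every check passes.
    Signature and validity-period checks are assumed to have been done by python3-saml."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return None, ["no Assertion element found"]
    problems = []

    # Name ID format must be EmailAddress, as selected in the Okta application.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")

    # Audience must equal the Audience URI the service provider was configured with.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"audience {audiences} does not include {audience}")

    # python3-saml rejects a response with no AttributeStatement; require at least one attribute.
    if not assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        problems.append("AttributeStatement missing or empty (add an optional attribute in Okta)")

    # The Name ID email must match exactly one Perforce user's email (compared case-insensitively).
    email = (name_id.text or "").strip().lower() if name_id is not None else ""
    matches = [user for user, addr in users.items() if addr.lower() == email]
    if len(matches) != 1:
        problems.append(f"no unique Perforce user with email {email!r}")

    return (matches[0], []) if not problems else (None, problems)
```

`check_assertion(SAMPLE_ASSERTION)` returns `('alice', [])`; removing the `AttributeStatement`, changing the Audience, or using an email no Perforce user has yields `None` plus the list of problems found.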