> For the complete documentation index, see [llms.txt](https://support.goodaccess.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://support.goodaccess.com/configuration-guides/features/sso-scim/okta.md).

# Okta

{% hint style="info" %}
This feature is available in the **Premium plan and higher**.
{% endhint %}

{% hint style="danger" %}
**Remember to** [**grant your Okta users access permissions**](#step-4-managing-user-access) **to GoodAccess. Users without them won't be able to log in.**
{% endhint %}

## Step 1 - Adding a new identity provider

[Log in to the GoodAccess **Control Panel**, and go to **Settings** > **SSO & Identity**.](https://app.goodaccess.com/sso-and-identity/)

Click **+ Add provider**, enter the **Provider name**, choose your **Identity Provider**, and click **Continue**.

## Step 2 - Setting up Single Sign-On with SAML

Log in to the Okta Admin console, and go to **Applications** > **Applications**.

Click **Create App Integration**, select **SAML 2.0**, and click **Next**.

<div><figure><img src="/files/5Ctgwp336lYRH7bQCdmA" alt="Okta Admin console with key steps to creating a new application integration."><figcaption><p>Creating a new application integration</p></figcaption></figure> <figure><img src="/files/T6mkUm516OtvX29O4r5N" alt="Okta Admin console with key steps to selecting SAML 2.0 as a sign-in method for the application integration."><figcaption><p>Selecting SAML 2.0 as a sign-in method</p></figcaption></figure></div>

### 1. General Settings

Give the application a name, and click **Next**.

<figure><img src="/files/XAv4GTwLEU7b3VA5ZYzn" alt="Okta Admin console with key steps to setting up the &#x22;General Settings&#x22;."><figcaption><p>Setting up the General Settings</p></figcaption></figure>

### 2. Configure SAML

Copy the details from GoodAccess - **(2) GoodAccess links**.

#### General

* **Single Sign-On URL** - Assertion Consumer Service URL
* **Audience URI (SP Entity ID)** -  Entity ID
* **Default RelayState** - Relay State
* **Name ID format** - Unspecified
* **Application username** - Email

#### **Attribute Statements**

| Name                     | Name format | Value      |
| ------------------------ | ----------- | ---------- |
| "email" (without quotes) | Unspecified | user.email |

Return to GoodAccess, and click **Continue**.

Return to Okta, and click **Next**.

<figure><img src="/files/jWoiAyuhxjtyi0ns9bO0" alt="Okta Admin console with key steps to configuring SAML."><figcaption><p>Configuring SAML</p></figcaption></figure>

### 3. Feedback

Choose one of the **Feedback** options, and click **Finish**.

### 4. Setting up GoodAccess

In the application go to **Sign** **On** > **SAML 2.0**, and click **More details**.

Copy the details to GoodAccess - **(3) Identity Provider links**, and click **Continue**.

* **Sign in URL** - Sign on URL
* **Entity ID** - Issuer
* **X509** **signing certificate** - Signing Certificate

<figure><img src="/files/9QKZl7sNhRT0F4bdmMb0" alt="Okta Admin console with key steps to setting up GoodAccess."><figcaption><p>Setting up GoodAccess</p></figcaption></figure>

{% hint style="info" %}
If you don't want to setup SCIM, skip the next step in GoodAccess, and click **Submit** to finish the configuration.
{% endhint %}

You have now successfully set up your Okta SSO with GoodAccess.

## Step 3 (optional) - Setting up SCIM

In the application, go to **General** > **App Settings**, and click **Edit**.

Select **SCIM**, and click **Save**.

<figure><img src="/files/daWdSPT21iFrOktA1wVm" alt="Okta Admin console with key steps to enabling SCIM."><figcaption><p>Enabling SCIM</p></figcaption></figure>

### 1. SCIM Connection

Go to **Provisioning** > **Integration**, and click **Edit**.

Copy the **URL** and **Token** from GoodAccess - **(4) User provisioning (SCIM)**.

* **SCIM connector base URL** - URL
* **Unique identifier field for users** - "email" (without quotes)
* **Supported provisioning actions**
  * Push New Users
  * Push Profile Updates
  * Push Groups
* **Authentication Mode** - HTTP Header
* **Authorization** - Token

Return to GoodAccess, and click **Submit**.

Return to Okta, and click **Save**.

<figure><img src="/files/vgWyfWNsprLyhieMeBzt" alt="Okta Admin console with key steps to setting up SCIM connection."><figcaption><p>Setting up SCIM connection</p></figcaption></figure>

### 2. Provisioning to App

Go to **Provisioning** > **To App**, and click **Edit**.

**Enable**:

* Create Users
* Update User Attributes
* Deactivate Users

Click **Save** to finish the configuration.

<figure><img src="/files/ebhRctVqCPdZxlpp4h5a" alt="Okta Admin console with key steps to setting up provisioning to app."><figcaption><p>Setting up provisioning to app</p></figcaption></figure>

### 3. (optional) Adding groups to provisioning

Go to **Push Groups**, and click **+ Push Groups** > **Find groups by name/rule**.&#x20;

Find the desired group, and click **Save**.

<figure><img src="/files/gAm4IFsxyBZ2Oxadv6Nk" alt="Okta Admin console with key steps to adding groups to provisioning."><figcaption><p>Adding groups to provisioning</p></figcaption></figure>

{% hint style="info" %}
The whole provisioning process will take around **20 minutes** to complete depending on the number of members and groups being added.
{% endhint %}

You have now successfully set up your Okta SCIM with GoodAccess.

## Step 4 - Managing user access

In the application, go to **Assigments**, and click **Assign** > **Assign to People/Groups**.

Choose who should have access, and click **Done**.

<div><figure><img src="/files/fSkmW4URmLSt1rFWu25V" alt="Okta Admin console with key steps to managing user access."><figcaption><p>Managing user access</p></figcaption></figure> <figure><img src="/files/jWK7ETCgXFbHap40uBay" alt="Okta Admin console with key steps to managing user access."><figcaption><p>Managing user access</p></figcaption></figure></div>
