Okta SAML Integration Guide
Prerequisites
- Administrator access to the Okta Admin Console
- A SplitSecure Identity Provider created and approved
- A separate browser or browser profile with SplitSecure configured (for testing)
Okta Configuration
1 Create a New Identity Provider
- Sign in to Okta Admin Console
- Go to Security → Identity Providers
- Click Add Identity Provider
- Select SAML 2.0 IdP and click Next
- Enter a descriptive name for this IdP (e.g., “Corporate SAML IdP”)
2 Configure General Settings
Authentication Settings
| Field | Value |
|---|---|
| IdP Usage | SSO only |
| Claims | No |
| Account matching with Persistent Name ID | Yes |
Account matching with IdP Username
| Field | Value |
|---|---|
| IdP username | idpuser.subjectNameId |
| Filter | No |
| idpuser.subjectNameId | Okta Username or Email |
| Account link policy | Yes |
| Auto-link filters | None |
| If no match is found | Create new user (JIT) |
SAML Protocol Settings
| Field | Value | Notes |
|---|---|---|
| IdP Issuer URI | com.splitsecure.saml2.provider.your-idp-name | Found in SplitSecure: Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details as “SAML IdP Entity ID” |
| IdP Single Sign-On URL | https://splitsecure.com/saml2/sp/login | |
| IdP Signature Certificate | (Upload certificate file) | Download from SplitSecure: Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Certificate |
| Request Binding | HTTP POST | |
| Application context | No | |
| Request Signature | Yes | |
| Response Signature Verification | Assertion | |
| Response Signature Algorithm | SHA-256 | |
| Okta Assertion Consumer Service URL | Trust-specific | |
| Max Clock Skew | 2 Minutes | |
- Click Finish
SplitSecure Configuration
1 Download Okta SAML Metadata
- In the Okta Admin Console, navigate to Security → Identity Providers
- Locate your IdP and click Actions → Configure Identity Provider
- In the Summary card, click Download metadata and save the XML file
2 Create the Okta Secure Account
- In SplitSecure, navigate to Secure Accounts → Create Account → Okta
- Enter a name for your account
- Select the Identity Provider that matches the IdP Issuer URI configured in Okta
- Upload the metadata file downloaded in Step 1
- Click Create Account
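Before uploading the metadata file from Step 1, it is worth confirming it is service-provider metadata with the entityID, binding and signing settings you expect, since a mismatch here is the first item in the troubleshooting table. The script below is an added example using only the Python standard library; it is not SplitSecure or Okta code. The XML is a constructed sample in the shape of an Okta SP metadata export: the entityID, hostname and the certificate body (base64 of the word "placeholder") are placeholders, and `expected_entity_id` is whatever entityID you expect to find in the file.

```python
"""Inspect the SAML 2.0 SP metadata file that Okta exports before uploading it.

Added example using only the Python standard library; it is not SplitSecure
or Okta code. SAMPLE_METADATA is a constructed sample in the shape of an Okta
SP metadata export; the entityID, hostname and certificate are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample. The X509Certificate body is base64 of the word
# "placeholder", not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/exampleid">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>cGxhY2Vob2xkZXI=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/sso/saml2/exampleid" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, ACS endpoints, signing flags and signing certificates.

    Parse only metadata you downloaded yourself from the Okta Admin Console;
    for XML from an untrusted source use defusedxml instead of ElementTree.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = [
        {
            "binding": e.get("Binding", "").rsplit(":", 1)[-1],  # e.g. HTTP-POST
            "location": e.get("Location", ""),
            "index": int(e.get("index", "0")),
            "default": e.get("isDefault", "false").lower() == "true",
        }
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Strict base64 so a truncated or hand-edited certificate fails loudly.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            certs.append({"use": kd.get("use", "signing+encryption"), "der_len": len(der)})
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "acs": acs,
        "certs": certs,
    }


def audit(info: dict, expected_entity_id: str) -> list:
    """Return findings that would explain the failures in the troubleshooting table."""
    findings = []
    if info["entity_id"] != expected_entity_id:
        findings.append("entityID mismatch: %r != %r" % (info["entity_id"], expected_entity_id))
    if not any(a["binding"] == "HTTP-POST" for a in info["acs"]):
        findings.append("no HTTP-POST AssertionConsumerService, but Okta is configured for HTTP POST")
    for a in info["acs"]:
        if not a["location"].startswith("https://"):
            findings.append("ACS endpoint is not https: %s" % a["location"])
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is false; Okta should verify the assertion signature")
    if not info["authn_requests_signed"]:
        findings.append("AuthnRequestsSigned is false; Okta should be signing requests (Request Signature = Yes)")
    if not info["certs"]:
        findings.append("no signing certificate in metadata")
    return findings


if __name__ == "__main__":
    parsed = parse_sp_metadata(SAMPLE_METADATA)
    for key, value in parsed.items():
        print("%s: %s" % (key, value))
    print("findings:", audit(parsed, parsed["entity_id"]) or "none")
```

Run it against the real file by replacing `SAMPLE_METADATA` with the contents of the downloaded XML; the `der_len` field only shows that the certificate decodes, it does not validate the certificate itself.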
Test Authentication
Tip
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
1 Test Authentication (IdP-Initiated)
- In SplitSecure, navigate to Secure Accounts
- Locate your new account and click Authenticate
- Enter your email address and click Request Access
- Complete the Okta authentication flow when prompted
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| Authentication fails immediately | Mismatched IdP Issuer URI | Verify the Entity ID matches exactly between Okta and SplitSecure |
| Certificate errors | Expired or incorrect certificate | Re-download the certificate from SplitSecure and re-upload to Okta |
| User not found | Account matching misconfigured | Ensure the IdP username field and match criteria are correctly set |
| Clock skew errors | Time synchronization issues | Increase the Max Clock Skew value or sync server clocks |
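The last row of the table is easier to reason about with the window written out. The script below is an added example, not SplitSecure or Okta code; it uses only the Python standard library. It evaluates an assertion's `NotBefore`/`NotOnOrAfter` conditions against the service provider's clock with the 2-minute Max Clock Skew from the Okta settings table, and reports the offset between the IdP's `IssueInstant` and the time the assertion arrived. The timestamps are constructed, and the exact order in which Okta applies these checks is not documented on this page and is assumed.

```python
"""Check SAML assertion Conditions against the SP clock with a skew allowance.

Added example, not SplitSecure or Okta code; uses only the standard library.
Timestamps below are constructed. MAX_CLOCK_SKEW_MINUTES mirrors the 2-minute
value in the Okta settings table; the order of checks is assumed.
"""
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW_MINUTES = 2


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC and end with 'Z': %r" % value)
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def evaluate_conditions(not_before, not_on_or_after, sp_now, skew_minutes=MAX_CLOCK_SKEW_MINUTES):
    """Return (accepted, reason) for an assertion's validity window.

    The skew is applied in the lenient direction on both ends: the assertion is
    accepted if any clock within +/- skew of the SP's own clock would accept it.
    """
    skew = timedelta(minutes=skew_minutes)
    nb = parse_saml_time(not_before)
    noa = parse_saml_time(not_on_or_after)
    if nb >= noa:
        return False, "malformed window: NotBefore is not earlier than NotOnOrAfter"
    if sp_now + skew < nb:
        return False, "not yet valid: NotBefore is %s ahead of the SP clock (skew %s)" % (nb - sp_now, skew)
    if sp_now - skew >= noa:
        return False, "expired: NotOnOrAfter is %s behind the SP clock (skew %s)" % (sp_now - noa, skew)
    return True, "accepted: SP clock %s inside [%s, %s) with %s skew" % (
        sp_now.isoformat(), not_before, not_on_or_after, skew)


def evaluate_at(not_before, not_on_or_after, sp_now_str, skew_minutes=MAX_CLOCK_SKEW_MINUTES):
    """String-only wrapper; sp_now_str is the SP's clock in the same xsd:dateTime form."""
    return evaluate_conditions(not_before, not_on_or_after, parse_saml_time(sp_now_str), skew_minutes)


def clock_offset_seconds(issue_instant: str, received_at: str) -> float:
    """Positive when the IdP clock runs ahead of the SP clock.

    Run this on a failing assertion to decide whether the fix is clock sync
    (large, stable offset) or a slightly larger skew (small jitter)."""
    return (parse_saml_time(issue_instant) - parse_saml_time(received_at)).total_seconds()


if __name__ == "__main__":
    window = ("2024-05-01T12:00:00Z", "2024-05-01T12:05:00Z")  # constructed 5-minute window
    for sp_clock in ("2024-05-01T11:58:30Z", "2024-05-01T11:57:00Z",
                     "2024-05-01T12:06:30Z", "2024-05-01T12:07:00Z"):
        for skew in (0, MAX_CLOCK_SKEW_MINUTES):
            ok, why = evaluate_at(window[0], window[1], sp_clock, skew)
            print("SP clock %s, skew %d min -> %s (%s)" % (sp_clock, skew, "ACCEPT" if ok else "REJECT", why))
    print("IdP ahead of SP by %.0f s" % clock_offset_seconds("2024-05-01T12:00:00Z", "2024-05-01T11:58:30Z"))
```

A 90-second offset is absorbed by the 2-minute skew but rejected with skew 0, which is the "Clock skew errors" case; a 3-minute offset is rejected either way. Widening the skew also lengthens the period during which an already-issued assertion is accepted, so a consistent large offset is better fixed by syncing clocks than by raising the value.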
External Resources
- Add a SAML Identity Provider — SAML IdP configuration steps