# Okta and SAML

<Note>
  This document covers step two of the [Single sign-on (SSO) setup](/docs/administration/single-sign-on) process, and shouldn't be completed independently.
</Note>

1. Log in to [Okta](https://www.okta.com/), then click **Applications**.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-01.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=a58c6e28a3690824c53a611b42cb1511" alt="Okta applications" width="1430" height="812" data-path="images/hub/okta-and-saml/okta-and-saml-01.png" />

2. Click the **Create App Integration** button at the top.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-02.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=584b6dc7c1344bbc85819d15ba01fb68" alt="Create App Integration" width="1430" height="780" data-path="images/hub/okta-and-saml/okta-and-saml-02.png" />

3. Select the **SAML 2.0** radio button as the sign-on method.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-03.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=46d223667639f3799239467faf6195e3" alt="Select SAML method" width="1388" height="642" data-path="images/hub/okta-and-saml/okta-and-saml-03.png" />

4. Enter a name for the application, such as `{maia} SSO`, select **Do not display application icon to users**, and click **Next**.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-04.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=93cd3e63c6cb1ce286f0df14433292b8" alt="Application name" width="1430" height="736" data-path="images/hub/okta-and-saml/okta-and-saml-04.png" />

   <Note>
     There are optional steps at the end of this document if you want to add an icon for users. The icon for the application itself must always be hidden, because using it attempts an IdP-initiated connection, which is not allowed for security reasons.
   </Note>

5. Enter the following:

   * **Single sign on URL:** `https://id.matillion.com/login/callback`.
   * **Audience URI (SP Entity ID):** `urn:auth0:matillion:[domain]-saml`, replacing `[domain]` with your primary email domain and converting any special characters to dashes. For instance, `example.com` would become `urn:auth0:matillion:example-com-saml`.
   * Leave the other fields blank, and click **Next**.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-05.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=250a0e88b0d1c0192ecbe156b6f79e03" alt="Configure SAML" width="1430" height="882" data-path="images/hub/okta-and-saml/okta-and-saml-05.png" />

   <Note>
     The **Relay State** will be provided by {maia} later, and will be added here before testing. No other configuration should be changed at that stage.
   </Note>

6. Ensure the **Application username** is mapped to a value that is unique to each user and immutable.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-06.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=ce0e0d1a82d7342debea21c8cad7956e" alt="Application username" width="1430" height="882" data-path="images/hub/okta-and-saml/okta-and-saml-06.png" />

   <Warning>
     The default value, Okta username, is usually an email address and should not be used. The value chosen here is used internally by the identity provider as the NameID to uniquely identify users. It is never visible in either system, and users will always sign in using their email address regardless of this setting.

     Leaving the default value unchanged can cause problems if a user's Okta username is modified in the future. If that happens, {maia} will treat the user as a new account, which results in the loss of the original user profile.

     Any value that is unique to each user and guaranteed to remain unchanged can be used. Because every configuration is different, Matillion can't provide guidance on creating a unique attribute in Okta. However, you can verify the exact value being sent during the testing phase, before the configuration is activated and impacts user logins.
   </Warning>

7. Add the following five entries in the **Attribute Statements (optional)** section.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-07.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=1cb0db8359c35adca9976269ffe1f444" alt="Attribute statements" width="1430" height="882" data-path="images/hub/okta-and-saml/okta-and-saml-07.png" />

   The **email\_verified** attribute ensures that users aren't prompted to verify their email address with {maia}.

8. Scroll down to the bottom, and click **Next**.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-08.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=5a850496c34824d017a5b4f26d5a6b18" alt="Finish setup" width="1430" height="668" data-path="images/hub/okta-and-saml/okta-and-saml-08.png" />

9. If requested, complete the Okta feedback form, and click **Finish**.

10. Ensure the **Sign On** tab is open.

    <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-09.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=11260f8568a08e0226ef473c675db7cb" alt="Sign On tab selected" width="1430" height="762" data-path="images/hub/okta-and-saml/okta-and-saml-09.png" />

11. Click **More details**, click the **Copy** button under **Sign on URL**, and make a note of this for later.

    <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-10.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=462ad06ab58b4ef0e4b0fb3979d36f56" alt="Copy Sign on URL" width="1326" height="626" data-path="images/hub/okta-and-saml/okta-and-saml-10.png" />

12. Scroll down to the bottom of the page, click on the **Actions** menu next to the **Active** certificate, and click **Download certificate**.

    <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-11.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=3bfb6640fc27ba4e523f6039891ed633" alt="Download certificate" width="1430" height="764" data-path="images/hub/okta-and-saml/okta-and-saml-11.png" />

    <Note>
      This is not the same as the signing certificate available for download above.
    </Note>

13. Open the **Assignments** tab, click **Assign**, and follow the prompts to assign users or groups to the application as needed.

    <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-12.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=6ba451bfd63dcac9e15ed1346ada1f47" alt="Assignments tab" width="828" height="554" data-path="images/hub/okta-and-saml/okta-and-saml-12.png" />

14. Continue the steps in [Single sign-on (SSO) setup](/docs/administration/single-sign-on).
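
During the testing phase, the values configured in steps 5 to 7 can be checked against a captured test `SAMLResponse` before the configuration is activated. The script below is an added example, not Matillion or Okta code: it decodes the base64 form value and reports a wrong Destination or Audience, a NameID that looks like an email address, and a missing `email_verified` attribute. The function names are hypothetical, "special characters" is assumed to mean any non-alphanumeric character, and the attribute is assumed to be sent under the exact name `email_verified`.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://id.matillion.com/login/callback"  # Single sign on URL, step 5


def expected_audience(domain: str) -> str:
    # Step 5 rule; "special characters" is assumed to mean any non-alphanumeric.
    return "urn:auth0:matillion:" + re.sub(r"[^A-Za-z0-9]", "-", domain) + "-saml"


def check_response(saml_response_b64: str, domain: str) -> list:
    """Findings for a captured test SAMLResponse; an empty list means no issues.
    Configuration check only: the XML signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    if root.get("Destination") != ACS_URL:
        findings.append(f"Destination is {root.get('Destination')!r}")
    audience = root.findtext(".//a:Audience", "", NS).strip()
    if audience != expected_audience(domain):
        findings.append(f"Audience is {audience!r}")
    name_id = root.findtext(".//a:Subject/a:NameID", "", NS).strip()
    if not name_id:
        findings.append("NameID is missing")
    elif "@" in name_id:
        findings.append(f"NameID {name_id!r} looks like an email address")
    # Attribute name assumed to be sent exactly as 'email_verified' (step 7).
    names = {el.get("Name") for el in root.iterfind(".//a:Attribute", NS)}
    if "email_verified" not in names:
        findings.append("email_verified attribute is not sent")
    return findings


def sample_response(name_id: str) -> str:
    # Constructed, unsigned sample; a real response comes from the test login.
    xml = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS_URL}">
 <a:Assertion><a:Subject><a:NameID>{name_id}</a:NameID></a:Subject>
 <a:Conditions><a:AudienceRestriction>
 <a:Audience>urn:auth0:matillion:example-com-saml</a:Audience>
 </a:AudienceRestriction></a:Conditions>
 <a:AttributeStatement><a:Attribute Name="email_verified"/></a:AttributeStatement>
 </a:Assertion></p:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_response(sample_response("jane.doe@example.com"), "example.com"))
    print(check_response(sample_response("00u-constructed-id"), "example.com"))
```
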

***

## Configure an Okta application icon (optional)

Follow these steps to add an application icon so users can access {maia} from their Okta dashboard. If you don't require an application icon, skip this section and continue with [Single sign-on (SSO) setup](/docs/administration/single-sign-on).

1. Click **Applications**.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-13.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=bd6332fe1c3b504cc3976ceed158b1e3" alt="Applications menu" width="1430" height="882" data-path="images/hub/okta-and-saml/okta-and-saml-13.png" />

2. Click **Browse App Catalog**.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-14.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=b8635d3eafd4cf8dd205858d41878575" alt="Browse App Catalog" width="1280" height="704" data-path="images/hub/okta-and-saml/okta-and-saml-14.png" />

3. Enter **bookmark** in the search field, and click **Bookmark App**.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-15.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=402093a0e3f5a5c39334d1b6070defa8" alt="Bookmark App" width="1378" height="704" data-path="images/hub/okta-and-saml/okta-and-saml-15.png" />

4. Click **Add Integration**.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-16.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=d0f730f3db477e25b860a91a24caff82" alt="Add Integration" width="1300" height="630" data-path="images/hub/okta-and-saml/okta-and-saml-16.png" />

5. Enter an **Application label** and the URL `https://app.matillion.com`.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-17.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=8a611cce95328850e48414a546636160" alt="Application label and URL" width="1430" height="852" data-path="images/hub/okta-and-saml/okta-and-saml-17.png" />

6. Select the bookmark from the list of applications, which will be shown with a star icon.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-18.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=bfb6b90bb85756924fb5f153c4bcbae3" alt="Select bookmark" width="976" height="454" data-path="images/hub/okta-and-saml/okta-and-saml-18.png" />

7. Click on the icon.

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-19.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=70b82cf4b6900106453f8b8cede5b7aa" alt="Click icon" width="872" height="792" data-path="images/hub/okta-and-saml/okta-and-saml-19.png" />

8. Upload an icon for the application, such as [matillion.png](https://matillion-docs.s3.eu-west-1.amazonaws.com/Attachments/sso-docs/matillion.png).

   <img src="https://mintcdn.com/matillion/WwJsFdmYh_q5l5m6/images/hub/okta-and-saml/okta-and-saml-20.png?fit=max&auto=format&n=WwJsFdmYh_q5l5m6&q=85&s=39d13f76fe9885f2bde0b186ea80e5e0" alt="Upload icon" width="1304" height="860" data-path="images/hub/okta-and-saml/okta-and-saml-20.png" />

9. Continue the steps in [Single sign-on (SSO) setup](/docs/administration/single-sign-on).
