# SAML for Okta

This guide shows you how to use StrongDM's [Generic SAML](/admin/principals/sso/saml.md) identity provider integration with Okta as the identity provider (IdP).

### Prerequisites

* Administrative access to a working Okta account
* Administrative access to your StrongDM organization

### StrongDM Setup

1. In the StrongDM Admin UI, go to [**Settings** > **User Management**](https://app.strongdm.com/app/settings/user-management).
2. ![](/files/nWFh5QJbUdSW7UHF8AeT)\
   Under **Single Sign-on**, unlock the settings menu (**Click to make changes**), and then select **Yes**. For the **Provider**, select the **SAML** option.
3. Copy the values provided for Entity ID and ACS (Consumer) URL (or leave this page open).

### Okta Setup

1. Log in to your Okta admin console, and under **Applications**, create a new app integration.
2. For the **Sign-in method**, choose "SAML 2.0."
3. In the **General Settings** of the **Create SAML Integration** wizard, set the **App Name** to "StrongDM."
4. ![](/files/0wPlbOJuapY09lWOSdAe)\
   (Optional) Set an **App Logo** image if desired.
5. (Optional) To allow [IdP-initiated logins](https://help.okta.com/oag/en-us/content/topics/access-gateway/ref-arch/flow-idi.htm), leave **App visibility** unchecked.
6. Select **Next** to move to the **Configure SAML** tab. Copy the value from StrongDM for **ACS (Consumer) URL** and paste it into the **Single sign-on URL** field in Okta.
7. Copy the value from StrongDM for **Entity ID** and paste it into the **Audience URI (SP Entity ID)** field in Okta.
8. Change the **Application username** to "Email."
9. Leave the other fields as they are, scroll down, and select **Next**.
10. In the **Feedback** tab, select "I'm an Okta customer adding an internal app" and click **Finish**.
11. Copy the **Metadata URL** from the settings on the **Sign On** tab.

### Complete StrongDM Setup

1. Copy the Metadata URL from Okta and paste it into the **Metadata URL** field in the Admin UI.
2. (Optional) Click **Yes** for **Allow IDP Initiated Authentication**. If you enable IdP-initiated authentication, be sure that you have left the **App visibility** option unchecked in the Okta admin console.
3. (Optional) Click **Yes** for **Allow password login for admins** to prevent accidentally locking out your admins. We recommend that you enable this option at least until your SSO is configured and tested.
4. Click **Save**.


