This topic describes how to configure Okta as a SAML 2.0 identity provider (IdP) so that Okta users can access the IDaaS EIAM user portal through single sign-on (SSO).
You must have Okta administrator permissions to create and configure SAML applications, and an activated Alibaba Cloud IDaaS EIAM instance with access to the IDaaS management console.
Step 1: Create a SAML application in Okta

- In the Okta Admin Console, choose Applications > Create App Integration.
- On the Create App Integration page, select SAML 2.0 as the sign-in method and click Next.
- Enter an App name and click Next.
- On the SAML Settings page, fill in the required information. The Single sign-on URL and Audience URI (SP Entity ID) fields are required, but you cannot obtain the actual values until you create the SAML identity provider in IDaaS. Enter placeholder values for now; you will replace them in Step 3.
- After you complete the SAML Settings page, click Finish.
- After the application is created, go to the Sign On tab, locate the Metadata URL field, and copy the URL. You will need it when creating the SAML identity provider in IDaaS.

Step 2: Create a SAML identity provider in IDaaS

- In the IDaaS EIAM console, choose Identity Providers > Inbound > Add Inbound, select SAML Identity Provider, and then click Add.
- In the dialog box that appears, configure the following settings in the Bind SAML Identity Provider section:
  - Display Name: a name for the SAML identity provider. This name appears on the sign-in page.
  - Logon Settings: enter the Metadata URL from your IdP, and then click Parse. The system automatically parses the metadata XML and retrieves the IdP SSO URL, IdP Entity ID, and Signature Verification Certificate.
- Click Next to proceed to the scenario selection page.
- Select the account binding scenarios that match your requirements, and then click Create.
  - Manual Account Binding: prompts users to manually link their SAML account to an IDaaS account if no binding exists.
  - Automatic Account Binding: automatically binds the account if the IDaaS field value matches the NameID in the SAML Response and no binding exists.
  - Auto create user: creates a new IDaaS account for unregistered SAML users. Account information updates on each sign-in.
  - Automatically Update Information: updates account information from SAML assertion attributes on each sign-in, based on field mapping rules.

If you enable Automatically Update Information, the Field Mapping configuration page appears. For configuration details, see SAML IdP Field Mapping Configuration Guide.
Step 3: Configure SSO information in Okta

- Log on to the IDaaS EIAM console. Choose Identity Providers > IdPs > Inbound, and click the Configuration Information button for the SAML IdP that you created in Step 2 to obtain the following values:
  - SP ACS URL: corresponds to the Single sign-on URL field in the Okta SAML application.
  - SP Entity ID: corresponds to the Audience URI (SP Entity ID) field in the Okta SAML application.
- In the Okta Admin Console, go to the General tab of the application, locate the SAML Settings section, and click Edit. Replace the placeholder Single sign-on URL with the SP ACS URL value and replace the placeholder Audience URI (SP Entity ID) with the SP Entity ID value.
- Go to the Assignments tab of the Okta application, click Assign, and select People or Groups to grant access to the application to specific users or user groups.
- Configure Okta request signing (optional):

  Important: Follow these steps only if your Okta organization requires SAML request signing. If request signing is not required, skip this section. Incorrect configuration may cause authentication failures.

  - Go to the General tab of the Okta application, locate the SAML Settings section, and click Edit > Next to open the Configure SAML page. Click Show Advanced Settings and generate a PEM-format certificate under Signature Certificate.
  - Go to the Sign On tab of the Okta application, click Edit, locate the Show Advanced Settings section, and modify the following settings:
    - Enable the Signed Requests option.
    - Select Unspecified for Name ID format. IDaaS does not support dynamic NameIDPolicy Format configuration; selecting any other format causes Okta to return an AuthnRequest validation error.
Step 4: Verify the sign-in flow

After you complete the preceding configuration, verify that the IDaaS user sign-in flow works as expected.

- Access the IDaaS EIAM user portal. The SAML IdP sign-in option appears under the alternative sign-in methods.
- Click the sign-in option. The browser redirects to Okta for authentication.
  - If you are not signed in to Okta, the Okta sign-in page appears. After you sign in, the browser redirects back to IDaaS.
  - If you are already signed in to Okta, the browser redirects directly back to IDaaS.
- After authentication succeeds, the system matches accounts based on the account binding scenario configured in Step 2. If the system cannot automatically match an IDaaS user, you can manually bind an account or enable automatic account creation to complete the sign-in.