# Okta Configuration
## Steps to follow
* [Create a new Application](#create-a-new-application)
* [Set up Single Sign-On](#set-up-single-sign-on)
* [Configure Attributes](#configure-attributes)
* [Enter OKTA's metadata into Sleuth](#enter-oktas-metadata-into-sleuth)
* Option 1: Link to metadata file
* Option 2: Enter metadata manually
* [Assign People/Groups to the Application](#assign-people-groups-to-the-application)
## Create a new Application
Sign in to the **OKTA Dashboard** as an administrator. Open the menu in the top-left corner, expand the " **Applications**" section and click "**Applications**:
On the "**Applications** "page click "**Create App Integration**". In the pop-up "**Create a new app integration**" select "**SAML 2.0**" as the Sign-in method and click "**Next**":
On the "**General Settings**" tab enter a name for your application (*e.g., Sleuth*) and click "**Next**":
## Set up Single Sign-On
On the "**Configure SAML**" page, **fill in the necessary metadata** (*found in Sleuth*), using the following reference:
| OKTA | SLEUTH | EXAMPLE |
| ------------------------------- | -------------------------- | ------------------------------------------------------------------------------------ |
| **Single sign on URL** | Assertion Consumer Service | `https://app.sleuth.io/complete/saml/` |
| **Audience URI (SP Entity ID)** | SAML Entity ID | `https://app.sleuth.io/saml/metadata/` |
| **Default RelayState** | Default Relay State |
sleuth
(should be your org slug)
|
Set the "**Name ID format**" to "**Email Address**" and click the "**Show Advanced Settings**" link to expand the settings:
Save the "**Sleuth x509 Certificate**" ([found in Sleuth](https://github.com/sleuth-io/sleuth-gitbook-docs/blob/master/settings/organization/signup/saml/broken-reference/README.md)) in a .**pem** file, then click "**Browse files...**" next to "**Signature Certificate**" and **upload the saved file**. Activate the "**Enable Single Logout**" option and enter the necessary information:
| OKTA | SLEUTH | EXAMPLE |
| --------------------- | --------------------- | --------------------------------- |
| **Single Logout URL** | Single Logout Service | `https://app.sleuth.io/saml/sls/` |
### Configure Attributes
In the "**Attribute Statements**" section add the following Attributes (*using the "**Add Another**" button*):
| NAME | NAME FORMAT | VALUE |
| --------------- | ----------- | -------------- |
| **email** | Unspecified | user.email |
| **first\_name** | Unspecified | user.firstName |
| **last\_name** | Unspecified | user.lastName |
Leave the "**Group Attribute Statements**" as they are.
Click "**Preview the SAML Assertion**" if you want to inspect the Assertion before proceeding. Then click "**Next**" at the bottom-right of the page.
On the "**Feedback**" page select "**I'm an Okta customer adding an internal app**" and click "**Finish**" at the bottom-right of the page (*you can leave the rest of the fields blank*).
## Enter OKTA's metadata into Sleuth
You can now choose between **pointing Sleuth to a URL** where the IdP's metadata is now available, or **entering the metadata into Sleuth manually**.
{% tabs %}
{% tab title="Option 1: Link to metadata file" %}
In OKTA in the "**SAML Signing Certificates**" section under your Application, find the certificate with status "**Active**", click on the "**Actions**" link at the right end of its row and click "**View IdP metadata**":
The **XML file** will open in a new tab in your browser -> **select and copy its entire URL**.
In Sleuth, click the "**point Sleuth to metadata file URL**" link to trigger the input modal and **paste the copied URL** into the field, then click "**Save**":
The remaining fields in Sleuth will get **populated automatically**, just click "**Test Metadata and Save**":
{% hint style="info" %}
Sleuth defaults all of the Advanced configuration to the most commonly used values, but depending on your IdP configuration you might need to adjust "**Advanced settings**".
{% endhint %}
### Assign People/Groups to the Application
On the Application's homepage click the "**Assignments**" tab, then click "**Assign**" and select either "**Assign to People**" (*to assign individual users*) or "**Assign to Groups**" (*to assign to groups of users*):
{% endtab %}
{% tab title="Option 2: Input metadata manually" %}
In OKTA in the "**SAML Signing Certificates**" section under your Application, click the "**View SAML setup instructions**" button:
**Fill in the necessary metadata**, using the following reference, and click "**Test Metadata and Save**":
| SLEUTH | OKTA | EXAMPLE |
| --------------- | ------------------------------------ | --------------------------------------------------------------------------------------------------------------- |
| **Entity ID** | Identity Provider Issuer | `http://www.okta.com/<...>` |
| **SSO URL** | Identity Provider Single Sign-On URL | `https://<...>.okta.com/app/<...>/sso/saml` |
| **SLO URL** | Identity Provider Single Logout URL | `https://<...>.okta.com/app/<...>/slo/saml` |
| **Certificate** | X.509 Certificate |
|
{% hint style="info" %}
Sleuth defaults all of the Advanced configuration to the most commonly used values, but depending on your IdP configuration you might need to adjust "**Advanced settings**".
{% endhint %}
{% endtab %}
{% endtabs %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://help.sleuth.io/sleuth-dora/settings/organization/signup/saml/okta-configuration.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.