Okta SAML Authentication

To use Okta as an IdP to authenticate the Akeyless Platform, you need to follow the below steps.

Create an Okta application

The following configuration will enable users to authenticate using Okta SAML-based Single Sign-On.

  1. Go to 'Applications' -> 'Applications' in the left sidebar. Create a new app integration type SAML 2.0 in your Okta account.

Specify app name:

  1. On the SAML Settings page:

  • In the Attribute Statements section, add the following attributes:
    • Name: email,
    • Value: user.email
    • Name: user,
    • Value: user.login
  • In the Group Attributes Statements section, add the following attributes:
    • Name: groups
    • Filter: Matches regex
    • Value: .*

  1. On the Feedback page, select “I'm an Okta customer adding an internal app”,
    and click “Finish”.

  1. You can either obtain your IDP Metadata URL by clicking on the Actions menu of the Active "SAML Signing Certificate" and copy the URL from the View IDP Metadata button.
    Alternatively, you can obtain the IdP Metadata XML, by clicking on "View SAML setup instructions", and in the new tab that opens, scroll all the way down and copy the full IDP metadataXML under the Optional section.

  1. Now, when an Okta Application is ready, assign users to the Okta app, just like with any other Okta app.

  2. To bind the Okta application with your Akeyless account, you need to create a SAML Authentication Method using either CLI or UI, as described below.

Create SAML Authentication Method

To create a SAML Auth method using the Akeyless CLI run the following command:

akeyless create-auth-method-saml \
--name 'my Okta app' \
--idp-metadata-url '<your-idp-metadata-url>' \
--unique-identifier email

Alternatively, you can create this Auth method from the Akeyless console:

Click on Auth Methods -> New -> SAML:

Please use the link from the above step 4 in the IDP Metadata URL.

Authenticate using SAML

To log in using SAML from Akeyless CLI:

  1. You should configure a new profile with your Access-ID from the previous step and SAML type (if no profile name is provided, the default will be configured):
akeyless configure --access-id p-ki544e6n19gh --access-type saml --profile 'okta-app'
  1. Now, you can run any Akeyless CLI command and be authenticated with Okta application:
akeyless list-items --profile okta-app

In the Akeyless Console login page click on the SAML option and enter your SAML Access ID:

You will be redirected to the Okta sign-in where you need to provide your Okta credentials: