Single Sign-On via Okta OIN
Prerequisites
Salto SAML integration is available for enterprise customers (see plan information at https://www.salto.io/pricing).
Contact support@salto.io to initiate the process.
Supported features
IdP-initiated SSO
SP-initiated SSO
JIT provisioning
Configuration steps
In your Okta Admin Console, browse the app catalog, search for the Salto application, and add it.
For connection_name, you should either use the one you got from Salto, or you can use your domain name with hyphens instead of dots, e.g.:
acme.com → acme-com
acme.co.uk → acme-co-uk
After creating the application, select the Sign On tab and copy the metadata URL.
Download Salto’s public PEM encryption certificate and add it to your newly created app.
Update the Connection Name in the Sign On tab.
Contact support@salto.io and request SAML 2.0 enablement for your account. Provide:
Metadata URL
The connection_name you used (either provided by Salto, or chosen as noted above)
Once confirmed by Salto, your SAML configuration is complete. You can now assign users and groups to the application.
For IdP-initiated SSO, after clicking the Salto app in Okta, you will be redirected to https://app.salto.io/
For SP-initiated SSO, navigate to https://app.salto.io/login and enter your email address.
Universal Logout (Recommended)
Okta’s Universal Logout feature lets you terminate user sessions and tokens for supported apps when Identity Threat Protection detects risk.
Okta Configuration Steps
Log in to your organization's Okta Admin Console.
Select the Applications option from the Applications drop-down list in the left navigation drawer. The Applications page is displayed.
Select the Salto app. The Salto Overview page is displayed.
Activate the Authentication tab.
Click the Edit option in the Logout section.
Select the Okta system or admin initiates logout checkbox.
Click the Save button.
Once done, proceed to the next step.
Send configuration details to Salto
Once the above is done, collect the following:
Copy the same metadata URL from step 3 in the Single Sign-On via Okta OIN section
Copy the Salto app ID from Okta Admin Console:
Go to the Salto app in the Okta Admin Console (Applications ⇒ Applications ⇒ Salto)
In the app URL, locate the APPLICATION_ID:
https://{your-company}-admin.okta.com/admin/app/<APPLICATION_NAME>/instance/<APPLICATION_ID>/
Send both items to support@salto.io and request Universal Logout enablement.
Troubleshooting
If you encounter any issue during the process, or a generic access denied message after authenticating through Okta, contact the Salto support team (support@salto.io).
Please note that the Org Admin user in Salto must invite other users to the org; otherwise, new users who log in via SSO will not be able to access the Salto application.
See this article about inviting members for more information: