
Single Sign-On to Salto with Okta

Customers who use Okta as their IdP can securely connect to Salto through SAML

Written by Support
Updated this week

Single Sign-On via Okta OIN

Prerequisites

  1. Salto SAML integration is available for enterprise customers (see info about plans here: https://www.salto.io/pricing)

  2. Contact support@salto.io in order to initialize the process.


Supported features

  • IdP-initiated SSO

  • SP-initiated SSO

  • JIT provisioning


Configuration steps

  1. In your Okta Admin Console, browse the app catalog, search for the Salto application and add it.

  2. For connection_name you should either use the one you got from Salto, or you can use your domain name with hyphens instead of dots, e.g.:
    acme.com → acme-com
    acme.co.uk → acme-co-uk

  3. After creating the application, select the Sign On tab and copy the metadata URL.

  4. Download Salto’s public PEM encryption certificate and add it to your newly created app:

    1. In the Sign On tab, click Edit

    2. Under Encryption Key, browse and upload the downloaded PEM file

    3. Click on Upload

  5. Update the Connection Name in the Sign On tab

  6. Contact support@salto.io and request SAML 2.0 enablement for your account. Provide:

    1. Metadata URL

    2. The connection_name you used (either provided by Salto, or chosen as noted above)

  7. Once confirmed by Salto, your SAML configuration is complete. You can now assign users and groups to the application.


  8. For IdP-initiated SSO, after clicking the Salto app in Okta, you will be redirected to https://app.salto.io/

  9. For SP-initiated SSO, navigate to https://app.salto.io/login and enter your email address.


Universal Logout (Recommended)

Okta’s Universal Logout feature lets you terminate user sessions and tokens for supported apps when Identity Threat Protection detects risk.

Okta Configuration Steps

  1. Log in to your organization's Okta Admin Console.

  2. Select the Applications option from the Applications drop-down list in the left navigation drawer. The Applications page is displayed.

  3. Select the Salto app. The Salto Overview page is displayed.

  4. Activate the Authentication tab.

  5. Click the Edit option in the Logout section.

  6. Select the Okta system or admin initiates logout checkbox.

  7. Click the Save button.

Once done, proceed to the next step.

Send configuration details to Salto

Once the above is done, please get the following:

  1. Copy the same metadata URL from step 3 in the Single Sign-On via Okta OIN section

  2. Copy the Salto app ID from Okta Admin Console:

    1. Go to the Salto app in the Okta Admin Console (Applications ⇒ Applications ⇒ Salto)

    2. In the app URL, locate the APPLICATION_ID:
      https://{your-company}-admin.okta.com/admin/app/<APPLICATION_NAME>/instance/<APPLICATION_ID>/

Send both items to support@salto.io and request Universal Logout enablement.
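
A small pre-flight check for the values this article asks you to send to Salto support, so that a malformed connection_name or a mis-copied application ID is caught before the request goes out. This is an added example, not Salto's or Okta's own tooling; the function names and the sample domain, URLs and application ID are hypothetical, and the domain-label and https checks are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Path layout taken from the article: /admin/app/<APPLICATION_NAME>/instance/<APPLICATION_ID>/
_APP_PATH = re.compile(r"^/admin/app/(?P<name>[^/]+)/instance/(?P<app_id>[^/]+)/?")
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


def connection_name_from_domain(domain: str) -> str:
    """acme.co.uk -> acme-co-uk (dots replaced by hyphens, as in step 2)."""
    domain = domain.strip().lower().rstrip(".")
    labels = domain.split(".")
    # Assumption: only plain DNS labels are accepted, so a pasted URL or
    # e-mail address is rejected instead of being silently mangled.
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a bare domain name: {domain!r}")
    return "-".join(labels)


def app_id_from_admin_url(url: str) -> str:
    """Pull <APPLICATION_ID> out of the Okta Admin Console app URL."""
    parts = urlparse(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// Admin Console URL")
    match = _APP_PATH.match(parts.path)
    if not match:
        raise ValueError("URL path is not /admin/app/<name>/instance/<id>/")
    return match.group("app_id")


def support_request(domain: str, metadata_url: str, admin_url: str) -> dict:
    """Collect the values the article asks you to send to support@salto.io."""
    if urlparse(metadata_url.strip()).scheme != "https":
        raise ValueError("metadata URL should be served over https")
    return {
        "connection_name": connection_name_from_domain(domain),
        "metadata_url": metadata_url.strip(),
        "application_id": app_id_from_admin_url(admin_url),
    }


if __name__ == "__main__":
    # Constructed sample values, not real tenant data.
    print(support_request(
        "acme.co.uk",
        "https://acme.example/metadata",
        "https://acme-admin.okta.com/admin/app/salto/instance/0oaEXAMPLE/",
    ))
```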


Troubleshooting

If you encounter any issue during the process, or see a generic access denied message after authenticating through Okta, contact the Salto support team (support@salto.io).

Please note that the Org Admin user in Salto must invite other users to the org; otherwise, new users who log in via SSO will not be able to access the Salto application.

See this article about inviting members for more information:
