> Learn how to configure Okta as a SAML identity provider (IdP) in Auth0.

# Configure Okta as SAML Identity Provider

<Card title="Before you start">
  * Sign up for an [Okta Integrator Free Plan org](https://developer.okta.com/signup/) account.
</Card>

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  If you want to integrate your Auth0 tenant with Okta Workforce Identity, try using the [Okta Workforce Enterprise connection](/docs/authenticate/identity-providers/enterprise-identity-providers/okta) first.
</Callout>

You can configure Okta as a <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip> (IdP) in Auth0 by configuring a SAML Enterprise connection.

## Configure Okta SAML app integration

You can create a SAML app integration in the Okta Developer Console.

### Create app integration

1. Sign in to your [Okta Admin Console](https://login.okta.com).
2. Go to **Create App Integration** and choose **SAML 2.0** from the options.
3. Configure the following settings:

| Setting                     | Description                      | Example                                                                         |
| --------------------------- | -------------------------------- | ------------------------------------------------------------------------------- |
| Single Sign-On URL          | Auth0 tenant login callback URL. | `https://{yourAuth0Domain}/login/callback?connection={yourAuth0ConnectionName}` |
| Audience URI (SP Entity ID) | Auth0 connection audience value. | `urn:auth0:{yourAuth0TenantName}:{yourAuth0ConnectionName}`                     |

<Warning>
  The connection name value (`{yourAuth0ConnectionName}`) that you use to configure your Okta SAML app integration must match the name of the SAML connection you create in Auth0.
</Warning>

4. Select **Next**, and then select **Finish** to complete the Okta app integration configuration.

### Record SSO URL and download certificate

After you finish, Okta directs you to the **Sign On** page for the newly created app.

1. Select **View SAML Setup Instructions**.
2. Record the **Identity Provider Single Sign-On URL**.
3. Download the **X.509 Certificate** in PEM or CER format.
4. Navigate to **Assignments**, and then assign a user to the Okta application.

## Configure SAML connection in Auth0

You can create a SAML Enterprise connection in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>.

1. Log in to the [Auth0 Dashboard](https://manage.auth0.com/#).
2. Go to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise/samlp).
3. Select **Create** (**+** button) next to **SAML**.
4. Configure the following settings:

| Setting                  | Description                                                                                                                                 | Example                                                                                                                             |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| Connection name          | Auth0 connection name.                                                                                                                      | `myoktaconnection`                                                                                                                  |
| Sign In URL              | Okta URL where user login requests are sent.<br /><br />This is the **Identity Provider Single Sign-On URL** value you recorded previously. | `https://my_okta_tenant_name.okta.com/app/my_okta_tenant_namemy_okta_saml_app_integration_name/dakflkbzevu5i5zBi939/sso/saml`       |
| X509 Signing Certificate | Okta tenant public key signing certificate.<br /><br />Upload the **X509 Certificate** you downloaded previously.                           | `myOktaTenantSigningCertificate.pem`                                                                                                |

5. Select **Create**.

## Enable SAML Enterprise connection in Auth0

You can enable your SAML Enterprise connection in the Auth0 Dashboard.

### Enable SAML Enterprise connection when using Organizations

If you’re using Organizations:

1. Log in to the [Auth0 Dashboard](https://manage.auth0.com/#).
2. Go to [Organizations](https://manage.auth0.com/#/organizations), and select your Organization.
3. Switch to the **Connections** view.
4. Select **Enable Connections**.
5. Select the SAML connection you created previously, and then select **Enable Connection**.

### Enable SAML Enterprise connection when not using Organizations

If you’re not using Organizations:

1. Log in to the [Auth0 Dashboard](https://manage.auth0.com/#).
2. Go to [Authentication > Enterprise > SAML](https://manage.auth0.com/#/connections/enterprise/samlp), and select the SAML connection you created previously.
3. Switch to the **Applications** view, and enable the connection for your chosen application(s).

## Test connection

You can test your connection in the Auth0 Dashboard.

1. Log in to the [Auth0 Dashboard](https://manage.auth0.com/#).
2. Go to [Authentication > Enterprise > SAML](https://manage.auth0.com/#/connections/enterprise/samlp).
3. Locate your connection in the list.
4. Select **More Actions** (**...** button), and then select **Try**.

   * If your connection is configured correctly, you'll see the **It works!** screen.
   * If not, you’ll see an error message with details about what went wrong.

<Warning>
  The **Try** button works only for users logged in to the Auth0 Dashboard. You can't send this to an anonymous user, such as a customer.

  If you don't have an Okta user, you need to create one or [**configure IdP-initiated SSO**](/docs/authenticate/protocols/saml/saml-sso-integrations/identity-provider-initiated-single-sign-on).
</Warning>

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The user might see the Okta dashboard after authenticating through a Service Provider-initiated login flow. If you integrate your application with Auth0 using the OIDC protocol, Auth0 takes the value of the `state` parameter and passes it to Okta using the SAML `RelayState` parameter. Make sure that you set the `state` parameter to a value that Okta can use.
</Callout>
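
One way to check for the connection-name mismatch that the earlier warning describes, as an added example (not Auth0 or Okta code): it compares the `Destination`, `Recipient` and `Audience` fields of a decoded SAML response with the values from the Okta settings table. The tenant and connection names and the response skeleton are constructed; it assumes Okta fills those fields from the Single Sign-On URL and Audience URI settings, and it does not verify the signature.

```python
import xml.etree.ElementTree as ET  # constructed input only; use defusedxml for untrusted XML

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def expected_values(auth0_domain, tenant_name, connection_name):
    """Values the Okta app integration must carry, per the settings table on this page."""
    return {
        "acs_url": f"https://{auth0_domain}/login/callback?connection={connection_name}",
        "audience": f"urn:auth0:{tenant_name}:{connection_name}",
    }

def find_mismatches(response_xml, expected):
    """Compare a decoded SAML response with the expected values; return the problems found."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the Single Sign-On URL")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if expected["acs_url"] not in recipients:
        problems.append("Recipient does not match the Single Sign-On URL")
    audiences = [(a.text or "").strip()
                 for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append(f"Audience {audiences} does not contain {expected['audience']}")
    return problems

def sample_response(acs_url, audience):
    """Constructed, unsigned SAML response skeleton (not captured from a real tenant)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
        ID="_constructed" Version="2.0" Destination="{acs_url}">
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData Recipient="{acs_url}"/>
        </saml:SubjectConfirmation></saml:Subject>
        <saml:Conditions><saml:AudienceRestriction>
          <saml:Audience>{audience}</saml:Audience>
        </saml:AudienceRestriction></saml:Conditions>
      </saml:Assertion>
    </samlp:Response>"""

# Hypothetical tenant and connection names, chosen for illustration.
EXPECTED = expected_values("example-tenant.us.auth0.com", "example-tenant", "myoktaconnection")
# Okta app configured with a connection name that differs from the Auth0 connection.
WRONG = expected_values("example-tenant.us.auth0.com", "example-tenant", "my-okta-connection")

if __name__ == "__main__":
    for issue in find_mismatches(sample_response(WRONG["acs_url"], WRONG["audience"]), EXPECTED):
        print("MISMATCH:", issue)
```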

## Configure Global Token Revocation

This connection type supports a Global Token Revocation endpoint, which allows a compliant identity provider to revoke Auth0 user sessions, revoke <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=refresh+tokens">refresh tokens</Tooltip>, and trigger back-channel logout for applications using a secure back-channel.

This feature can be used with Universal Logout in Okta Workforce Identity.

For more information and configuration instructions, see [Universal Logout](/docs/authenticate/login/logout/universal-logout).
