# Use Okta as your Identity Provider

## Overview

After enabling Onum as a service provider, you can set up Okta as an identity provider for SAML. You need to create a SAML app in your Okta admin dashboard to register your **Callback URL** so that Okta can send SAML responses to the correct location.

## Set up your custom Okta app

{% hint style="warning" %}
To activate Okta as an identity provider for SAML authorization, you need an Okta administrator account.
{% endhint %}

{% stepper %}
{% step %}
Log in to your Okta admin dashboard. In the left menu, go to **Applications > Create App Integration**. Choose **SAML 2.0** as the **Sign-in method** and click **Next**.
{% endstep %}

{% step %}
Enter a name for the app (e.g., *MyApp SAML SSO*) and optionally, upload an app icon. Click **Next**.
{% endstep %}

{% step %}
Now, enter these details from Onum:

{% hint style="warning" %}
Onum will not show the required **Callback URL** until you enter the identity provider details, so we will enter a placeholder URL here.
{% endhint %}

<table><thead><tr><th width="170.08984375">Parameter</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>Single sign-on URL / Audience URI</strong></td><td>Enter a temporary URL in these fields (e.g., <code>https://placeholder.example.com/saml/acs</code>). You can copy the <strong>Callback URL</strong> if you already know it, or just use a dummy placeholder. We'll edit these fields later with the real value.</td><td></td></tr><tr><td><strong>Default RelayState</strong></td><td>You can leave this blank.</td><td></td></tr><tr><td><strong>Name ID format</strong></td><td>Select <strong>Unspecified</strong>.</td><td></td></tr><tr><td><strong>Application username</strong></td><td>Select <strong>Email</strong>.</td><td></td></tr></tbody></table>

Click **Next** when you're done.
{% endstep %}

{% step %}
Choose which users or groups in Okta should have access, then click **Done**.
{% endstep %}

{% step %}
Once the app is created, Okta provides you with the IdP metadata.

Now access Onum and go to the **Authentication** area in your Admin menu. Once there, click the **Configure Single-Sign-On** button and select **SAML** in the **Authentication method** field. Enter the following in the fields that appear:

<table><thead><tr><th width="169.69140625">Parameter</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>IdP Entity ID</strong></td><td>Enter the <strong>Identity Provider Issuer</strong> from your Okta app.</td><td></td></tr><tr><td><strong>Single Sign-On URL</strong></td><td>Enter the <strong>Identity Provider Single Sign-On URL</strong> from your Okta app.</td><td></td></tr><tr><td><strong>Certificates</strong></td><td>Paste the <strong>X.509 Certificate</strong> from your Okta app.</td><td></td></tr></tbody></table>

Now click **Save**. You'll be given a **Callback URL**.
{% endstep %}

{% step %}
Go back to your Okta dashboard and click **Applications >** ***Your SAML App*** **> General > SAML Settings > Edit**. Replace the placeholders with the real **Callback URL** you got in Onum. Save changes.
{% endstep %}
{% endstepper %}

Done! Okta is now your identity provider for Onum.
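
If you download the IdP metadata XML from Okta, you can pull out the three values that the Onum form asks for (**IdP Entity ID**, **Single Sign-On URL**, **Certificates**) and sanity-check them before pasting. The script below is an added example, not code from Onum or Okta; the function names, the `idp.example.test` host and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_fields(metadata_xml):
    """Extract the Onum form values from metadata downloaded from your own Okta org."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML IdP metadata")
    sso = {(s.get("Binding") or "").rsplit(":", 1)[-1]: s.get("Location", "")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = ["".join((c.text or "").split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.iterfind(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID", ""), "sso_urls": sso,
            "certificates": certs}

def fingerprint(cert_b64):
    """SHA-256 of the DER bytes: a stable identifier for the certificate being pasted."""
    return hashlib.sha256(base64.b64decode(cert_b64, validate=True)).hexdigest()

def problems(fields):
    """List reasons not to paste these values into the Onum SAML form."""
    found = [msg for ok, msg in [
        (fields["entity_id"], "missing entityID"),
        (fields["certificates"], "no signing certificate"),
        (fields["sso_urls"], "no SingleSignOnService endpoint")] if not ok]
    found += ["SSO URL is not https: " + url
              for url in fields["sso_urls"].values()
              if urlparse(url).scheme != "https"]
    return found

# Constructed sample: placeholder host, and bytes that are not a real certificate.
SAMPLE_DER = b"constructed bytes, not a real certificate"
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.test/issuer"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:IDPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Location="https://idp.example.test/sso/saml"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
</md:IDPSSODescriptor></md:EntityDescriptor>""" % base64.b64encode(SAMPLE_DER).decode()
```

Record the fingerprint when you first configure SSO, so that a later change to the signing certificate in the metadata is noticed before the new value is pasted into Onum.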
