SSO Setup Using Okta SAML


What is SSO?

Single Sign On (SSO) is the process of connecting your identity provider (IdP) to an application or tool, so that the IdP can be used for logging in, rather than creating new accounts for every application/tool.

Within SAML-based SSO, the messages exchanged include:

  • Assertions:  statements made by the IdP about a user, covering authentication (how and when the user logged in), attributes (such as email and name), and authorization. 

  • Responses:  messages from the IdP to the application carrying a status (whether authentication succeeded or failed) and, on success, the assertion. 

Okta, the identity provider covered here, uses the SAML 2.0 protocol for SSO.

In order for the Graphiant Portal to be accessed for SSO by Okta, the Okta environment first must be configured to allow this.

Configuring Okta IdP to Access the Graphiant Portal

Step 1:  Setting up Graphiant as an Application in Okta

Log in to your Okta environment and navigate to the Applications page.

Click on 'Create App Integration'.

Choose 'SAML 2.0'.

Provide the App name "Graphiant".

App logo:  If desired, upload a logo using PNG, JPG, or GIF format (smaller than 1MB and minimum resolution of 420 x 120 pixels).

App visibility:  

  • Do not display application icon to users:  Check this box to hide the integration from end users.

  • Do not display application in the Okta Mobile app:  Check this box to hide the integration in the Okta Mobile Apps Store on end user devices.

Click 'Next'.

Fill out the following fields:

  • Single sign-on URL:  The location to which Okta sends the SAML response (the Graphiant callback endpoint).  Enter "https://api.graphiant.com/v1/auth/login/callback"

  • Use this for Recipient URL and Destination URL:  Selected by default, and uses the same URL for both recipient and destination URLs.  Leave checked.

  • Audience URI (SP Entity ID):  The intended audience of the SAML assertion, which is the Entity ID of the service provider (here, Graphiant).  Enter "https://idp.graphiant.com"

  • Default Relay State:  URL of the resource to which to direct users after successful sign-in.  Leave this blank as no need to specify for Graphiant.

  • Name ID format:  The username format to send.  Select 'EmailAddress' from the drop-down list.

  • Application username:  Default value to use for a username in the application.  Select 'Email' from the drop-down list.

  • Update application username on:  This is when to update the application username.  Defaults to 'Create and Update', leave selected.

Then click on 'Show Advanced Settings'.

Verify that the following values are set as listed below.  If not, update them to match.

  • Response:  Whether the IdP digitally signs the SAML response message.  Select 'Signed'

  • Assertion Signature:  Whether the SAML assertion is digitally signed.  Select 'Signed'

  • Signature Algorithm:  The signature algorithm used for both the SAML assertion and the response.  Choose 'RSA-SHA256'

  • Digest Algorithm:  The hash algorithm used for the digests within those signatures.  Choose 'SHA256'

  • Assertion Encryption:  Whether the SAML assertion is encrypted.  Choose 'Unencrypted' (the assertion is still signed and is delivered over HTTPS to the Single sign-on URL)

  • Assertion Inline Hook:  An outbound call from Okta to an external service that can customize the assertion, if you have such code.  Select 'None (disabled)' from the drop-down list

  • Authentication context class:  The authentication context reported in the SAML assertion.  Select 'PasswordProtectedTransport' from the drop-down list

  • Honor Force Authentication:  Whether Okta re-prompts the user for credentials when the service provider requests forced authentication, even if an Okta session already exists.  Select 'Yes' from the drop-down list

  • SAML Issuer ID:  Override only if an integration requires a different issuer value.  Leave the default of "http://www.okta.com/$(org.externalKey)"

  • Attribute Statements:  Add the following three entries (set every 'Name Format' field to 'Unspecified'):

    Name         Value
    email        user.email
    lastName     user.lastName
    firstName    user.firstName

Scroll down to the bottom of the page and click 'Next'.

Step 2:  Integrating Graphiant into Okta SSO

On that next page, select “I'm an Okta customer adding an internal app”.

Ensure that “It's required to contact the vendor to enable SAML” is checked.

Scroll down to the bottom of the page and click 'Finish'.

Once the app is created, navigate to the 'Sign On' tab.

Scroll down to the SAML 2.0 section, and click on 'More details'.

Copy the values of the 'Sign On URL', 'Issuer' and 'Signing Certificate' fields; they are needed for the Graphiant Portal setup below.
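The following is an added example, not Graphiant's or Okta's code, that checks a captured SAML response (for instance one taken from the browser's SAML tracer during a failed login) against the settings configured in Step 1 and the Issuer copied in Step 2: Destination and Recipient must equal the Single sign-on URL, Audience must equal the Audience URI, both Response and Assertion must be signed with RSA-SHA256/SHA256, the Name ID must be in EmailAddress format, the authentication context must be PasswordProtectedTransport, and the three attribute statements must be present. The sample response, the Okta org key in the issuer, the IDs and the signature values are all constructed placeholders; the script does not verify the XML signatures cryptographically, which a real service provider must do with the Okta Signing Certificate.

```python
"""Shape-check a SAML Response against the Okta settings on this page.

Added example, not Graphiant's or Okta's code.  The response is constructed;
the Okta issuer, IDs and signature values are placeholders.  XML signatures
are NOT cryptographically verified here (do that with a SAML library and the
Okta Signing Certificate); this only confirms the response carries the values
the configuration above should produce, so a failed login can be traced to a
specific mismatched setting.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values entered in the Okta app integration (from this page).
ACS_URL = "https://api.graphiant.com/v1/auth/login/callback"  # Single sign-on URL
SP_ENTITY_ID = "https://idp.graphiant.com"                    # Audience URI
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REQUIRED_ATTRS = {"email", "firstName", "lastName"}
# Placeholder org key; the real issuer is http://www.okta.com/<org externalKey>.
OKTA_ISSUER = "http://www.okta.com/exkEXAMPLEORGKEY"

SIG = ('<ds:Signature xmlns:ds="{ds}"><ds:SignedInfo><ds:SignatureMethod '
       'Algorithm="{sm}"/><ds:Reference><ds:DigestMethod Algorithm="{dm}"/>'
       '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
       '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def build_response(sign_assertion=True, audience=SP_ENTITY_ID, sig_alg=RSA_SHA256):
    """Constructed Okta-style response; the keyword knobs exercise the checks."""
    sig = SIG.format(ds=NS["ds"], sm=sig_alg, dm=SHA256)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="id-resp-1" Version="2.0" Destination="{ACS_URL}">
  <saml:Issuer>{OKTA_ISSUER}</saml:Issuer>{sig}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id-assert-1" Version="2.0">
    <saml:Issuer>{OKTA_ISSUER}</saml:Issuer>{sig if sign_assertion else ''}
    <saml:Subject><saml:NameID Format="{NAMEID_EMAIL}">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
      </saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _signature_problems(label, elem):
    """Check presence and algorithms of the ds:Signature directly under elem."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return [f"{label} not signed"]
    out = []
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    if sm is None or sm.get("Algorithm") != RSA_SHA256:
        out.append(f"{label} Signature Algorithm != RSA-SHA256")
    if dm is None or dm.get("Algorithm") != SHA256:
        out.append(f"{label} Digest Algorithm != SHA256")
    return out


def check_saml_response(xml_text, expected_issuer=OKTA_ISSUER):
    """Return the settings that do not match this page's configuration ([] = all match)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination != Single sign-on URL")
    problems += _signature_problems("Response", root)
    if root.findtext("saml:Issuer", "", NS).strip() != expected_issuer:
        problems.append("Issuer != Okta Issuer")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("Assertion is encrypted (expected Unencrypted)")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no saml:Assertion"]
    problems += _signature_problems("Assertion", a)
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != NAMEID_EMAIL:
        problems.append("Name ID format != EmailAddress")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient != Single sign-on URL")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS).strip() != SP_ENTITY_ID:
        problems.append("Audience != Audience URI (SP Entity ID)")
    if a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", "", NS).strip() != PPT:
        problems.append("Authentication context class != PasswordProtectedTransport")
    names = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if REQUIRED_ATTRS - names:
        problems.append("missing attribute statements: " + ", ".join(sorted(REQUIRED_ATTRS - names)))
    return problems
```

Run it with `check_saml_response(build_response())`, which returns an empty list for the constructed response; `build_response(sign_assertion=False)` or `build_response(audience="https://wrong.example")` shows how a single misconfigured field surfaces by name. Because the checks are pure lookups, the same function can be pointed at a real response pasted from a browser SAML tracer; a production service provider must additionally verify both signatures against the Okta Signing Certificate and enforce the assertion's validity window, since none of the shape checks above prevent a forged or replayed response.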

Setting Up Okta SSO in the Graphiant Portal

To set up Okta SSO in the Graphiant environment, send an email to support@graphiant.com requesting SSO setup for your environment and include the Okta 'Issuer', 'Sign On URL' and 'Signing Certificate' values saved in the previous step.

Help for Okta SSO Failure

Should Okta SSO be enabled but become unavailable, preventing access to the Graphiant Portal, reach out to Graphiant Support as described here.

A Graphiant Customer Support engineer will be in touch and will disable SSO for your environment. 

Logging in to the Graphiant Portal will then be possible without SSO until the issue is resolved.