Use Okta as a SAML identity provider

If you use Okta to centralize authentication and authorization in your business, you can integrate Kinde as a service provider for these processes. This gives you the benefits of Kinde’s robust auth capabilities, while keeping the familiar Okta structure.

You need to set up an enterprise connection in Kinde for this, and add an Okta application. See steps below.

Advanced configurations

Link to this section

Depending on your SAML set up, you may need to include advanced configurations for your connection. See Advanced SAML configurations.

Step 1: Add an Okta connection in Kinde

Link to this section

Add a connection for a specific organization

Link to this section

1. Go to Organizations and open the organization.
2. In the menu, select Authentication, then select Add connection.
3. In the Add connection window, select New enterprise connection, then click Next.
4. Select the Okta connection and then select Next.
5. Next: ‘Step 2: Configure the connection’.

Add a connection that can be shared across multiple organizations

Link to this section

1. Go to Settings > Environment > Authentication.
2. Scroll to the Enterprise connection section and select Add connection. The Add connection window opens.
3. Select the Okta connection and then select Save.
4. On the tile for the new connection, select Configure.
5. Next: ‘Step 2: Configure the connection’.

Step 2: Configure the connection

Link to this section

1. Enter a name for the connection.

2. Enter a random value for the Entity ID, e.g. 870sa9fbasfasdas23aghkhc12zasfnasd.

   

3. Enter the IdP metadata URL. This URL comes from your identity provider.

   

4. Enter a sign in URL if your IdP requires a specific URL.

5. If you want, select the Sign request algorithm and Protocol binding. The options you choose will depend on what your identity provider prefers or requires.

6. Select a Name ID format. This helps identify and link user identities between your IdP and Kinde.

7. Enter an Email key attribute. This is the attribute in the SAML token that contains the user’s email. Setting this value ensures that the email address returned in the SAML response is correctly retrieved. We do not recommend leaving this field blank, but if you do we will set ‘email’ as the attribute.

8. (Optional) Add a first name and last name key attribute.

   

9. Enter any relevant Home realm domains. This is how SAML recognizes a user’s credentials and routes them to the correct sign in page. Note that home realm domains need to be unique across all connections in an environment. Read more about home realm domains.

10. If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the Always show sign-in button option.

    

11. Copy the reply relevant URL:

    1. If you don’t use a custom domain, copy the Assertion customer service (ACS) URL.
    2. If you do use a custom domain, select the Use custom domain instead option and copy the custom domain URL. Later, add this URL to your identity provider configuration.

12. If you want to enable just-in-time (JIT) provisioning for users, select the Create a user record in Kinde option. This saves time adding users manually or via API later.

    

13. (Temporary feature) Select if you want to treat this connection as a trusted provider. A trusted provider is one that guarantees the email they issue is verified.

14. (Optional) In the Sign SAML request section, paste in the Signed certificate and Private key. You may have got these from your IdP or you may have generated yourself (see procedure above).

15. Enter any upstream params that you want to pass to the identity provider. Not all providers support this, so check their documentation first.

16. Select Save.

Step 3: Add and configure your Okta application

Link to this section

1. Sign in to the Okta admin console.

2. Select Applications > Applications.

   

3. Select Create App Integration. The Sign-in method options opens.

4. Select SAML 2.0 and then select Next. The app’s general settings opens.

   

5. Add a name in the App name field then select Next. The Configure SAML screen opens.

   

6. In the SAML settings section, enter the following values:

   1. Single sign-on URL: Paste the Assertion Customer Service (ACS) URL you copied from Kinde.
   2. Audience URI (SP Entity ID): Paste the Entity ID you copied from Kinde.
   3. Name ID format: Select EmailAddress.
   4. Application username: Select Email.
   5. Leave all other options to their default value and select Next.

7. In the next screen, select I’m a software vendor. I’d like to integrate my app with Okta, then select Finish. You will be redirected to the newly created application in Okta.

8. Select the Sign on tab and copy the metadata URL.

   

Step 3: Finish setting up your SAML connection in Kinde

Link to this section

1. Open the connection in Kinde. Via Organization > Authentication or via Settings > Authentication.
2. Scroll to the IdP metadata URL field and paste the Metadata URL you copied from Okta.
3. Enter the signed certificate and key information if you have it. You can do this later as well.
4. Switch on the connection. This will make it instantly available to users if this is your production environment.
   1. For environment-level connections, scroll down and select the apps that will use the auth method.
   2. For organization-level connections, scroll down and select if you want to switch this on for the org.
5. Select Save. You can now use Okta as an IdP for the selected applications.