# Set up Okta

Set up Single Sign-On (SSO) integration between Okta and <code class="expression">space.vars.product\_name</code> (<code class="expression">space.vars.product\_acronym</code>). You will configure an Okta SAML 2.0 application and connect it to your <code class="expression">space.vars.product\_acronym</code> deployment for seamless user authentication.

{% hint style="info" %}
**NOTE**

Only 5 active applications are allowed in Okta. Deactivate unused applications before creating new integrations.
{% endhint %}

### Step 1: Create an Okta SAML application

This step guides you through creating a new SAML 2.0 application integration in Okta.

1. Log in to your Okta server and navigate to **Applications**. Verify you have fewer than 5 active applications. If needed, deactivate unused applications.
2. Select **Create App Integration**.

<figure><img src="/files/gUjZFxeXN7ETK5SoQTCv" alt=""><figcaption></figcaption></figure>

3. Select **SAML 2.0** as the sign-on method.

<figure><img src="/files/kTlQYa80JwGRtOkZ25PN" alt=""><figcaption></figcaption></figure>

4. Select **Next** to proceed to the general settings.

### Step 2: Configure SAML settings

Configure the basic SAML integration settings for your PCD deployment.

1. On **General Settings**, enter a descriptive application name.
2. Select **Next** to proceed to SAML configuration.

<figure><img src="/files/aV5TQfTBti1SR16qd47k" alt=""><figcaption></figcaption></figure>

3. In **Configure SAML**, enter the following required information:

{% hint style="info" %}
**NOTE**

Replace `<FQDN>` with the FQDN of your PCD environment, without any region suffix. Use `IDP1` for the default domain, or substitute your specific domain name for `<DOMAIN_NAME>`.
{% endhint %}

| Field                                              | Description                                                                                                                                                                                                    |
| -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Single sign-on URL**                             | <p><code>https://&lt;FQDN&gt;/sso/&lt;DOMAIN_NAME&gt;/Shibboleth.sso/SAML2/POST</code><br>Example: <code>https://test-du-testbed-only-3950700.app.qa-pcd.platform9.com/sso/IDP1/Shibboleth.sso/SAML2/POST</code></p> |
| **Use this for Recipient URL and Destination URL** | Select this checkbox                                                                                                                                                                                           |
| **Audience URI (SP Entity ID)**                    | <p><code>https://&lt;FQDN&gt;/keystone</code><br>Example: <code>https://test-du-testbed-only-3950700.app.qa-pcd.platform9.com/keystone</code></p>                                                                |
| **Default RelayState**                             | Leave blank                                                                                                                                                                                                    |
| **Name ID format**                                 | EmailAddress                                                                                                                                                                                                   |
| **Application Username**                           | Okta Username                                                                                                                                                                                                  |
| **Update application username on**                 | Create and update                                                                                                                                                                                              |

### Step 3: Set up attribute statements

Add attribute statements to pass user information from Okta to <code class="expression">space.vars.product\_acronym</code> .

1. Optionally, add the following mappings under **Attribute Statements**. The **Name** values must match the attribute names used in the attribute map you configure in Step 5.

| Name      | Name Format | Value          |
| --------- | ----------- | -------------- |
| FirstName | Unspecified | user.firstName |
| LastName  | Unspecified | user.lastName  |
| Email     | Unspecified | user.email     |

<figure><img src="/files/75A8ihkcIjtNOrCw4yUU" alt=""><figcaption></figcaption></figure>

2. Select **Next** to continue.
3. In **Feedback**, select **Finish** to complete the application setup.

You will be redirected to the application **Sign On Settings**, which displays the **Issuer** and **Metadata URL** needed for <code class="expression">space.vars.product\_acronym</code> configuration.

<figure><img src="/files/DdX9BOEZeuIAJac5KFzu" alt=""><figcaption></figcaption></figure>

### Step 4: Assign users to the application

Grant users access to the SAML application in Okta.

1. Navigate to the **Assignments** tab in your application.
2. Select **Assign**, then select **Assign to People**.
3. Select the users to give access to <code class="expression">space.vars.product\_acronym</code> through SSO.
4. Choose **Assign** to complete the user assignment.

The Okta configuration is now complete.

### Step 5: Configure SSO in <code class="expression">space.vars.product\_acronym</code>

Connect your <code class="expression">space.vars.product\_acronym</code> deployment to the Okta SAML application.

1. Log in to your <code class="expression">space.vars.product\_acronym</code> deployment using the DU FQDN for your target region.
2. Navigate to **Settings** > **Enterprise SSO**.
3. Select **Enable SSO**.

<figure><img src="/files/QyN2ThfRKtywV3ywjJfo" alt=""><figcaption></figcaption></figure>

4. Select **Okta** as your SSO Provider.
5. Copy the **Issuer** from your Okta application **Sign On** and paste it in the **Entity ID** field.
6. Copy the **Metadata URL** from your Okta application **Sign On** tab and paste it in the **SAML Metadata URL** field.
7. Add the following XML configuration in the **SSO Provider Attribute MAP** field:

{% tabs %}
{% tab title="XML" %}

```xml
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute id="FirstName" name="FirstName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="LastName" name="LastName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="Email" name="Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="UserName" name="UserName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="department" name="department" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="division" name="division" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="locale" name="locale" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="organization" name="organization" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="preferredLanguage" name="preferredLanguage" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="userType" name="userType" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom1" name="custom1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom2" name="custom2" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom3" name="custom3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom4" name="custom4" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="custom5" name="custom5" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
</Attributes>
```

{% endtab %}
{% endtabs %}

8. Select **Save** to create the configuration.

You will see a confirmation message as **SSO configuration saved**.
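Before pasting the attribute map, it is worth checking that every attribute statement configured in Okta (Step 3) has a matching `<Attribute>` entry with the same name and an equivalent `nameFormat`, since a mismatch silently drops the attribute and the templates in Step 6 then have nothing to work with. The following script is an added example, not Platform9 or Okta code: it parses a trimmed copy of the attribute map above with the Python standard library and compares it with the Okta statements. The `OKTA_NAME_FORMATS` table maps Okta's three **Name Format** labels to their SAML URNs; only the **Unspecified** entry appears on this page, the other two are assumed from Okta's standard options.

```python
"""Sanity-check a Shibboleth attribute map against the Okta attribute
statements before pasting it into the SSO Provider Attribute MAP field.

Added example, not Platform9 or Okta code. Assumes the attribute-map XML
shown in Step 5 and the Okta statements from Step 3 (FirstName, LastName,
Email, all with Name Format "Unspecified").
"""
import xml.etree.ElementTree as ET

SHIB_NS = "urn:mace:shibboleth:2.0:attribute-map"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Okta "Name Format" labels -> SAML attrname-format URNs Shibboleth expects.
# Only "Unspecified" is used on this page; the other two are assumed.
OKTA_NAME_FORMATS = {
    "Unspecified": UNSPECIFIED,
    "URI Reference": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "Basic": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
}

# Constructed: the attribute statements configured in Okta (Step 3).
OKTA_STATEMENTS = [
    ("FirstName", "Unspecified"),
    ("LastName", "Unspecified"),
    ("Email", "Unspecified"),
]

# Constructed: a trimmed copy of the attribute map from Step 5.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute id="FirstName" name="FirstName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="LastName" name="LastName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
  <Attribute id="Email" name="Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeDecoder caseSensitive="false" xsi:type="StringAttributeDecoder"/>
  </Attribute>
</Attributes>
"""


def parse_attribute_map(xml_text):
    """Return {name: (id, nameFormat, decoder xsi:type)} for every <Attribute>.

    Rejects a wrong root element and duplicate attribute names, both of
    which make Shibboleth's handling of the map unpredictable.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SHIB_NS}}}Attributes":
        raise ValueError(f"unexpected root element {root.tag}")
    entries = {}
    for attr in root.findall(f"{{{SHIB_NS}}}Attribute"):
        name = attr.get("name")
        if name in entries:
            raise ValueError(f"duplicate <Attribute name={name!r}>")
        decoder = attr.find(f"{{{SHIB_NS}}}AttributeDecoder")
        decoder_type = decoder.get(f"{{{XSI_NS}}}type") if decoder is not None else None
        entries[name] = (attr.get("id"), attr.get("nameFormat"), decoder_type)
    return entries


def check_against_okta(xml_text, statements):
    """List the problems that would stop an Okta statement from being mapped.

    An empty list means every Okta attribute has an entry with a matching
    name, an equivalent nameFormat, an id and a decoder.
    """
    problems = []
    entries = parse_attribute_map(xml_text)
    for name, okta_format in statements:
        if name not in entries:
            problems.append(f'{name}: no <Attribute name="{name}"> in the map')
            continue
        attr_id, name_format, decoder_type = entries[name]
        expected = OKTA_NAME_FORMATS[okta_format]
        if name_format != expected:
            problems.append(f"{name}: nameFormat {name_format!r} does not match "
                            f"Okta {okta_format!r} ({expected})")
        if decoder_type is None:
            problems.append(f"{name}: missing <AttributeDecoder>")
        if not attr_id:
            problems.append(f"{name}: missing id")
    return problems


if __name__ == "__main__":
    for problem in check_against_okta(ATTRIBUTE_MAP, OKTA_STATEMENTS) or ["attribute map OK"]:
        print(problem)
```

Run it against the full map from this page by replacing `ATTRIBUTE_MAP` with the pasted XML; any Okta statement you add beyond the three above needs its own `<Attribute>` entry, and the script reports it by name when the entry is missing.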

### Step 6: Create SAML groups and mappings

Set up SAML groups to manage user permissions and role assignments in <code class="expression">space.vars.product\_acronym</code>.

1. Create a new SAML group with the following settings:

| **Field**                               | **Description**                                                                                                                                                                                                                            |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Name**                                | Enter a descriptive group name                                                                                                                                                                                                             |
| **Description**                         | Provide a clear description                                                                                                                                                                                                                |
| **Username Attribute Mapping Template** | <p>Enter a template that defines how the username is constructed from SAML attributes.<br>Use the format <code>{attributeKey}</code>, where attributeKey is the name of an attribute available from your identity provider.</p>      |
| **Email Attribute Mapping Template**    | <p>Enter a template that defines how the email address is constructed from SAML attributes.<br>Use the format <code>{attributeKey}</code>, where attributeKey is the name of an attribute available from your identity provider.</p> |

**Template Examples:**

* `{FirstName} {LastName}` - Combines first and last name with a space
* `{FirstName}-{LastName}` - Combines first and last name with a dash
* `{FirstName}xxxx{LastName}` - Combines first and last name with custom characters
* `{Email}` - Uses the email attribute directly

The attribute keys must match those configured in your identity provider's attribute mapping configuration.

2. Add a group mapping with these configurations.

| **Field**                | **Value**                                                                                                                                                       |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **SAML Group Attribute** | `Email`                                                                                                                                                         |
| **Criteria**             | `Any one of`                                                                                                                                                    |
| **SAML Group Values**    | <p>Enter email addresses that match user assignments in your Okta application<br>(For example: <code>name@platform9.com, nonadmin@platform9.com</code>)</p> |

3. Assign tenants and roles under **Tenants & Roles**, choosing from the following roles:

| Role                        | Description                 |
| --------------------------- | --------------------------- |
| **Admin**                   | Full administrative access  |
| **SSU (Self-Service User)** | Limited self-service access |
| **ReadOnly**                | View-only access            |

4. Select **Add group** to complete the SAML group setup.
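The templates and the group mapping above are easiest to reason about as a small resolution step: match the user's SAML attributes against the group rule, then fill the `{attributeKey}` placeholders from the same attributes. The script below is an added example, not Platform9 code; how PCD itself evaluates templates and the **Any one of** criteria is not shown on this page, so the behaviour here (placeholder substitution, case-insensitive email comparison, refusing to build a username when a placeholder has no value) is an assumption. The group definition, the tenant name `service` and the SAML assertion are constructed for the example.

```python
"""Resolve a user's username, email and roles from a SAML group definition.

Added example, not Platform9 code. Template and "Any one of" semantics
are assumed; the group, tenant name and assertion values are constructed.
"""
import re

# Matches {attributeKey} placeholders as used in the templates of Step 6.
PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_]+)\}")

# Constructed: the SAML group configured in Step 6.
GROUP = {
    "name": "okta-admins",
    "username_template": "{FirstName} {LastName}",
    "email_template": "{Email}",
    "group_attribute": "Email",
    "criteria": "Any one of",
    "group_values": ["name@platform9.com", "nonadmin@platform9.com"],
    "roles": {"service": "Admin"},  # tenant -> role; tenant name is hypothetical
}

# Constructed: attributes as decoded by the attribute map from Step 5.
ASSERTION = {"FirstName": "Jane", "LastName": "Doe", "Email": "Name@platform9.com"}


def template_keys(template):
    """Return the set of attribute keys a template refers to."""
    return set(PLACEHOLDER.findall(template))


def missing_keys(template, available):
    """Keys used by the template that the attribute map does not provide.

    A non-empty result means the template can never be filled completely,
    which is the check behind "attribute keys must match those configured
    in your identity provider's attribute mapping configuration".
    """
    return template_keys(template) - set(available)


def render_template(template, attributes):
    """Replace every {attributeKey} with the SAML attribute of that name.

    A key that is absent or empty in the assertion raises instead of
    producing a partial username, which could collide with another account.
    """
    def substitute(match):
        key = match.group(1)
        value = attributes.get(key)
        if not value:
            raise KeyError(f"SAML attribute {key!r} missing from assertion")
        return value
    return PLACEHOLDER.sub(substitute, template)


def matches_group(attributes, group_attribute, criteria, group_values):
    """Evaluate one group mapping rule against the assertion.

    "Any one of": at least one of the user's values for the group attribute
    must equal a configured value (compared case-insensitively, an assumption).
    Other criteria are not on this page and are rejected.
    """
    values = attributes.get(group_attribute, [])
    if isinstance(values, str):
        values = [values]
    user_values = {v.strip().lower() for v in values}
    wanted = {v.strip().lower() for v in group_values}
    if criteria == "Any one of":
        return bool(user_values & wanted)
    raise ValueError(f"unsupported criteria {criteria!r}")


def resolve_user(assertion, group):
    """Return the mapped identity for a matching user, or None if no match."""
    if not matches_group(assertion, group["group_attribute"],
                         group["criteria"], group["group_values"]):
        return None
    return {
        "username": render_template(group["username_template"], assertion),
        "email": render_template(group["email_template"], assertion),
        "roles": dict(group["roles"]),
    }


if __name__ == "__main__":
    print(resolve_user(ASSERTION, GROUP))
```

Because the mapping keys on `Email`, the list under **SAML Group Values** is the access control: keep it in step with the Okta assignments from Step 4, and run `missing_keys` on each template against the attribute names in your Step 5 map before saving the group.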

### Step 7: Verify the SSO integration

Verify that your Okta SSO integration works correctly.

1. Log out of your current <code class="expression">space.vars.product\_acronym</code> session.
2. Navigate to your <code class="expression">space.vars.product\_acronym</code> environment URL to initiate a new login.
3. The system redirects you to Okta for authentication.
4. Enter your Okta credentials and complete any required multi-factor authentication (MFA).

Upon successful authentication, Okta redirects you back to <code class="expression">space.vars.product\_acronym</code> with the appropriate user permissions.

You have now configured Okta SSO for <code class="expression">space.vars.product\_acronym</code>. Assigned users can access <code class="expression">space.vars.product\_acronym</code> with their Okta credentials through single sign-on.

