Integrate Okta

Use Okta as the identity provider (IdP) and Enterprise Application Access (EAA) as the service provider (SP) to access an EAA application. This allows any application in Enterprise Application Access to use Okta as the single sign-on (SSO) mechanism.

Authenticate EAA with Okta

Redirect users to the Okta login portal to complete authentication.

  1. Create an Okta developer account. Okta offers free developer accounts granting full functionality but limited to 3 applications and 100 users - perfect for lab and testing purposes. Sign up at

  2. Import Active Directory (AD) users and groups into Okta.

    1. Log in to the Okta development portal.

    2. Click Admin to access to main Administration UI.

    3. To import users and groups from the Active Directory (AD), select Directories > Directory Integrations > Add Active Directory.

    4. Follow the on-screen instructions to install and approve the Okta AD Agent onto a host in your AD domain.

    5. Select the users and groups to sync from the AD to Okta.
      Optionally, select the username format to use during Okta login.

    6. Select the AD user attributes to import to Okta.

    7. To import users, click Import > Import Now > Full import.

    8. When you import AD users for the first time you need to create associated Okta accounts. Select all imported users and confirm the assignments.

    9. To activate the new user accounts, select Directory > People.

    10. Filter the list. Select Pending Activation, and activate all of the new accounts.
      Your People list shows the AD users in an active state.

  3. Create a new application in Okta.

    1. In Okta, select Applications, and click Applications.

    2. Click Add application > Create new app.

    3. Select SAML 2.0 as the sign-on method.

    4. Type your application name, add an optional logo, and select all of the options in App visibility.

    5. Follow the on-screen instructions to complete the Okta application creation process.

    6. When the Okta application is ready, click the Identity Provider metadata link to download the metadata.xml file.

  4. To add a new identity provider (IdP) in EAA return to the Enterprise Center.

    1. Add a new identity provider, and select Okta as the identity provider type.

    2. Upload the metadata.xml file.
      Optionally, set a Logout URL.

  5. Return to the Okta development portal and assign the users, or groups, that you imported to the application. Click either People or Groups.
    An application with your AD users assigned to it is ready.

  6. Allow front-end authentication to be completed by Okta.

    1. In the Enterprise Center, assign the Okta directory to an EAA application. For more information see assign a directory to an application.

    2. Click Change service, and select the Okta directory.

  7. Deploy the application.
    Users are not redirected to the Okta login portal to complete authentication.

Add Okta as an IdP in EAA

Depending on the custom application configuration, the Okta-to-Enterprise Application Access SAML integration currently supports the following features:


This setup might fail without parameter values that are customized for your organization. Please use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization.

  1. Add a new identity provider.

  2. Configure the following general settings:

    1. In Identity intercept, select either Use your domain or Use Akamai domain. If you select Use your domain EAA provides a CNAME redirect for the application. Use this to configure the CNAME in your external DNS.

    2. Certificate preference. If you select User your domain, select Use uploaded certificate.

    3. Akamai cloud zone. Select an EAA cloud zone that is closest to the user base.

    4. Certificate authentication (optional). To enable client certificate authentication select it, and configure the required parameters.

  3. Configure the following authentication settings:

    1. URL (optional). Enter your Okta subdomain.

    2. Logout URL. Sign in to the Okta Admin Dashboard to generate this variable, copy it, and paste here.

    3. Sign SAML request (optional). If Okta requires a signed SAML request in the SP-initiated SAML flow, select it to send the signed SAML assertion to Okta.

    4. Encrypted SAML response. If Okta sends encrypted SAML responses to Enterprise Application Access, when Enterprise Application Access is the SP, select it to use certificates to encrypt responses.

    5. Upload IdP metadata file. Download the metadata.xml file for the EAA SAML SP endpoint from the Okta Admin Dashboard, and click Choose file.

  4. Leave the default session settings for Session idle expiry, Limit session life, and Max session duration.

  5. Click Save.

Assign Okta IdP to an application and map attributes

Configure SSO for an access application using custom headers and attribute mapping. For access applications, Enterprise Application Access (EAA) can provide single sign-on (SSO) using custom headers. EAA uses the various attributes it receives as part of SAML assertion from Okta and injects X-forwarded-for headers with custom attributes.

  1. Assign identity providers to an application, and select Okta as the IdP.

  2. Click Save.

  3. Return to the application and select Advanced settings > Custom HTTP headers.

  4. Configure the following attribute mapping:

    1. In Header name, type a header name.

    2. In Attribute, select custom.

    3. Enter the SAML attribute names. See the list of Okta supported attributes.

  5. Click Save.

  6. Deploy the application.


To configure an IdP-initiated SSO, see Stimulating an IdP-initiated flow with the Bookmark app and use the EAA application URL in the Okta Bookmark app URL field.