Create SAML app in Opal and Okta
When logged into Okta as an administrator, click on Applications on the left sidebar.
Click on the Create App Integration button, then select SAML 2.0 and click on Next.
Name your SAML app Opal. You can use this brand asset as the app icon.
For Single Sign On URL and Audience URI, copy and paste the ACS URL and Entity ID from the SAML Identity Provider Configuration section of the Opal Admin UI page (which can be found under the /admin page of the Opal app).
In the Attribute Statements page, input given_name, family_name, and email as first name, last name, and email, respectively, like in the following image:
Leave all other fields in their default state.
Click Next to proceed to the next page.
Select I'm an Okta customer adding an internal app.
When the application creation is completed, navigate to the Assignments tab in the app and add users or groups who you want to grant SAML access to. The email address of each user must match the email address of the Opal account in order for the user to log into Opal via SAML.
After completing the assignment, navigate to the Sign on tab of the app and click on View setup instructions (it should look like the image below):
When clicking on View Setup Instructions, copy the Identity Provider Single Sign-On URL and download the X.509 certificate.
Copy the URL from the previous step into the Identity Provider SAML 2.0 SSO URL field of the SAML Authentication Settings section of the Opal Admin page (image below). Also upload the certificate downloaded from the previous step (by selecting Upload Certificate). Then click Save Changes.
This will create the SAML integration between Okta and Opal!
Test the provider-initiated SAML flow from Opal
Navigate to Opal, then log out of your Opal account.
Click Continue with SAML on the Opal login screen.
Manually type your email address in the Email field. This email must have the same domain name as whoever created the SAML app in the Opal UI earlier (e.g. if [email protected] created the SAML integration, the SAML integration will be tied only to users with the opal.dev domain). This email must also be associated with an Okta user (either as a single user or within an Okta group) assigned in the Okta SAML app, as described in the Assignments step above.
This should prompt you to log in with Okta.
You may arrive at this linking screen (below). If so, click Continue and log in with the account corresponding to your email address.
At this point, if you have been granted access via Okta, you should be able to log into Opal!
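To make the settings above concrete, the following is an added example (not Opal's or Okta's code) that checks a SAML Response the way the configuration implies a service provider must: the Destination has to equal the ACS URL, the Audience has to equal the Entity ID, the attribute statements given_name, family_name and email have to be present, and the email's domain has to match the domain the integration is tied to. The ACS URL, Entity ID, domain and the sample response are all constructed placeholders; real values come from the Opal Admin UI and from Okta. Signature verification against the uploaded X.509 certificate is deliberately left out, since the standard library has no XML-DSig support, and a real service provider must perform it before trusting anything below.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholders standing in for the ACS URL and Entity ID shown in the
# Opal Admin UI, and for the domain of the admin who created the integration.
ACS_URL = "https://opal.example.com/saml/acs"
ENTITY_ID = "https://opal.example.com/saml/metadata"
ALLOWED_DOMAIN = "opal.example"
REQUIRED_ATTRIBUTES = ("given_name", "family_name", "email")

# Constructed sample response, modelled on what an Okta SAML app with the
# three attribute statements from the guide would emit (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://opal.example.com/saml/acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane@opal.example</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://opal.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@opal.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, acs_url, entity_id, allowed_domain):
    """Return {'ok', 'problems', 'attributes'} for a SAML Response.

    Assumes the XML signature has already been verified with the IdP
    certificate uploaded in the Opal Admin page; this function only checks
    the fields the guide's configuration determines.
    """
    problems = []
    root = ET.fromstring(xml_text)

    # Destination must be the ACS URL pasted into Okta's Single Sign On URL.
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": ["no Assertion element"], "attributes": {}}

    # Audience must be the Entity ID pasted into Okta's Audience URI.
    audiences = [
        a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if entity_id not in audiences:
        problems.append("Audience does not match the Entity ID")

    # Collect the attribute statements configured in Okta.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attributes[attr.get("Name")] = value.text if value is not None else None
    for name in REQUIRED_ATTRIBUTES:
        if not attributes.get(name):
            problems.append(f"missing attribute statement: {name}")

    # The email must belong to the domain the integration is tied to.
    email = attributes.get("email") or ""
    domain = email.rsplit("@", 1)[1].lower() if "@" in email else ""
    if domain != allowed_domain.lower():
        problems.append("email domain is not covered by this SAML integration")

    return {"ok": not problems, "problems": problems, "attributes": attributes}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE, ACS_URL, ENTITY_ID, ALLOWED_DOMAIN)
    print("ok" if result["ok"] else "rejected", result["problems"], result["attributes"])
```

Running it on the constructed response accepts the login and returns the three attributes; changing the ACS URL, Entity ID or the user's email domain produces a named problem for each mismatch, which is the same reason a mis-pasted value in Okta or an email from the wrong domain fails the manual test described above.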