> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Okta (SAML)

The Okta (SAML) connector integrates the Maverics Orchestrator with Okta using the SAML 2.0 protocol -- providing an alternative to the OIDC-based Okta connector for environments that require SAML federation.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

The Okta (SAML) connector supports SAML 2.0 SSO profiles including SP-initiated and IdP-initiated flows. For most deployments, the [Okta (OIDC) connector](/reference/orchestrator/identity-fabric/okta) is recommended as the more common integration path. Use the SAML variant when your environment requires SAML-based federation or when integrating with applications that only support SAML assertions.

## Use Cases

* **Unify SSO for SAML-dependent applications** -- Connect to Okta via SAML when legacy applications or compliance policies require SAML 2.0 federation instead of OIDC
* **Legacy application modernization** -- Bridge Okta SAML assertions to header-based or cookie-based authentication for legacy applications, extending SSO without rewriting them
* **Rationalize identity platforms through Okta** -- Consolidate authentication from multiple IdPs into Okta, reducing licensing overlap and simplifying identity operations
* **Okta failover with Continuity** -- Pair Okta SAML with a secondary IdP to maintain authentication availability during Okta service disruptions

## Setup

<Tabs>
  <Tab title="Console UI">
    To create an Okta (SAML) connector in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **Okta (SAML)**.

    <Note>
      The Console also offers **Okta (OIDC)** for OpenID Connect-based integration, which is the more common option. See the [Okta (OIDC) page](/reference/orchestrator/identity-fabric/okta) for details.
    </Note>

    3. Enter a **Name** -- the friendly name for your Okta SAML provider.
    4. Enter the **Metadata URL** -- the URL of the Okta SAML metadata document (e.g., `https://{your-org}.okta.com/app/{app-id}/sso/saml/metadata`).
    5. Enter the **Consumer Service (ACS) URL** -- the Assertion Consumer Service URL where Okta sends SAML responses.
    6. Enter the **Entity ID** -- the unique identifier for the Orchestrator as the SAML Service Provider.
    7. Optionally enter a **Logout Callback URL** for Single Logout (SLO) callback.
    8. Optionally enter the **SP Certificate Path** and **SP Private Key Path** for signing SAML requests.
    9. Optionally enable **IdP Initiated Login** to allow authentication flows started by Okta.
    10. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml maverics.yaml theme={null}
    connectors:
      - name: okta-saml
        type: saml
        samlMetadataURL: "https://{{ env.OKTA_ORG }}.okta.com/app/{{ env.OKTA_APP_ID }}/sso/saml/metadata"
        samlConsumerServiceURL: "https://orch.example.com/saml/callback"
        samlEntityID: "https://orch.example.com"
        tls: okta-tls
    ```

    ## Configuration Reference

    | Key                      | Type   | Required | Description                                                                                                                                            |
    | ------------------------ | ------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | `name`                   | string | Yes      | Unique connector identifier referenced by app policies and attribute providers                                                                         |
    | `type`                   | string | Yes      | Must be `saml`                                                                                                                                         |
    | `samlMetadataURL`        | string | Yes      | URL to the Okta SAML metadata XML -- the Orchestrator fetches this to discover SSO endpoints and signing certificates                                  |
    | `samlConsumerServiceURL` | string | Yes      | Assertion Consumer Service (ACS) URL where Okta sends SAML responses                                                                                   |
    | `samlEntityID`           | string | No       | Service Provider entity ID that identifies the Orchestrator to Okta                                                                                    |
    | `samlLogoutCallbackURL`  | string | No       | Logout callback URL for SAML single logout                                                                                                             |
    | `samlSPCertPath`         | string | No       | Path to the SP certificate file for signing SAML requests                                                                                              |
    | `samlSPKeyPath`          | string | No       | Path to the SP private key file for signing SAML requests                                                                                              |
    | `samlIDPInitiatedLogin`  | object | No       | IdP-initiated login configuration                                                                                                                      |
    | `cache`                  | string | No       | Cache name reference for SAML request data storage                                                                                                     |
    | `tls`                    | string | No       | Named TLS profile for metadata retrieval and IdP communication                                                                                         |
    | `healthCheck`            | object | No       | Health check monitoring configuration (see [Identity Fabric Configuration Reference](/reference/orchestrator/identity-fabric#configuration-reference)) |

    For the complete connector field reference including health check details, see [Identity Fabric Configuration Reference](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify the Okta SAML metadata URL is accessible** -- The Orchestrator fetches the metadata XML at startup. The metadata URL is typically found in the Okta application's Sign On settings under "Identity Provider metadata."
* **Ensure the entity ID matches the Okta application** -- The `samlEntityID` value must match the Audience URI (SP Entity ID) configured in the Okta SAML application settings.
* **Check the Assertion Consumer Service URL** -- The `samlConsumerServiceURL` must match the Single sign on URL configured in the Okta SAML application. If behind a load balancer, use the external-facing URL.
* **SP signing certificate errors** -- If the Okta application requires signed authentication requests, ensure `samlSPCertPath` and `samlSPKeyPath` point to valid PEM files and the key matches the certificate.

## Related Pages

<CardGroup cols={2}>
  <Card title="Okta (OIDC)" icon="shield-halved" href="/reference/orchestrator/identity-fabric/okta">
    OIDC-based Okta connector (recommended for most deployments)
  </Card>

  <Card title="Generic SAML" icon="file-shield" href="/reference/orchestrator/identity-fabric/custom-saml">
    Generic SAML 2.0 connector
  </Card>

  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Continuity" icon="arrows-rotate" href="/reference/orchestrator/identity-fabric/continuity">
    IdP failover connector
  </Card>
</CardGroup>
