Okta + IDN SSO Integration

Hi Team,

We have followed this document for SSO integration of Okta as IdP and IDN as SP -
https://community.sailpoint.com/t5/IdentityNow-Articles/IdentityNow-Okta-Single-Sign-On-Integration/ta-p/141223

Even the Okta team had followed the same steps on their end as well.

But when I click on IdentityNow tile on Okta Home page, I see the error as below:

<error_description>Full authentication is required to access this resource</error_description>
unauthorized

Can someone suggest what the reasons for the above error could be, or whether they have faced this before?

Thanks,
Archana

Hi Archana,

Can you try changing the Application username field in the Okta SAML settings to Email? I have recently set this up and it works fine with this setting. In addition, can you cross-check that the people under this app are present in SailPoint with a matching email across both the Okta and SP accounts.


I got Okta SAML SSO to work, following the documentation, but it can only SSO with NameID being the email address.

I tried to set it to Okta ID but it didn't work. Anyone done this successfully before?

I got SSO to work with Okta ID.
IDN doesn't look at NameID in the SAML assertion; it looks for the 'email' attribute, so if you put the Okta ID in the email attribute, it works.

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">00u15xr8936zGKclx0h8</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

My message above is not correct.
You can SSO using Okta ID (identity mapping attribute), but Okta ID must be searchable!

API to Extend Customizable Correlation Attributes - Compass (sailpoint.com)

POST {{api_url}}/cc/api/identityAttribute/update?name=oktaId

In the JSON body, set "searchable": true.
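To see why NameID alone is not enough, here is an added example (not from the thread or from SailPoint) that parses a constructed SAML assertion, pulls out the 'email' attribute IDN correlates on, and checks it against a stand-in for the searchable identity attributes; the `searchable_index` dict and the sample assertion are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Constructed sample (not a real Okta response): NameID carries the email,
# while the 'email' attribute carries the Okta ID, as described in the thread.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>00u15xr8936zGKclx0h8</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def correlation_value(attrs):
    """The value IDN correlates on is the 'email' attribute, not NameID."""
    values = attrs.get("email") or []
    return values[0] if values else None


def check_correlation(xml_text, searchable_index):
    """searchable_index (assumed shape): {identity attribute name: set of values}
    standing in for IDN's searchable identity attributes. Returns a diagnosis."""
    name_id, attrs = parse_assertion(xml_text)
    value = correlation_value(attrs)
    if value is None:
        return "no 'email' attribute in assertion (NameID alone is not used)"
    for attr_name, values in searchable_index.items():
        if value in values:
            return f"ok: 'email' attribute matches searchable attribute '{attr_name}'"
    return f"no searchable identity attribute contains {value!r}"
```

Run `check_correlation` against your own assertion (copy it from the browser's SAML tracer) with the attribute you marked searchable to confirm the value in the 'email' attribute is one IDN can actually find.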