Sailpoint and OKTA SSO implementation Demo environment

Which IIQ version are you inquiring about?

I have implemented in sailpoint 8.3 and 8.4 SSO using SP initiative flow. attached okta logs

okta log details.txt (5.6 KB)

``` I configured SP-initiated SAML SSO between SailPoint IdentityIQ and Okta. I created a SAML application in Okta using the SailPoint SP details and then configured SailPoint with the Okta IdP metadata. ```

```

I created users in both SailPoint and Okta with the same email address and assigned the Okta user to the application. ```

```

When I initiate login from SailPoint, it redirects correctly to Okta. After entering the username and completing MFA, Okta authentication succeeds. The Okta logs show a successful authentication, and the SAML assertion is returned to and accepted by SailPoint. However, instead of logging the user into SailPoint, it redirects back to the SailPoint login page. ```

```

I have attached the Okta SAML instructions and SailPoint SP configuration. Could someone please help me identify what might be missing or incorrectly configured? ```

``` What is the ACS URL do we need to configure in Sailpoint side ? ```

attached screen shots

okta log details.txt (5.6 KB)

OktaSAML_Correlate_By_Email_Debug.xml (3.2 KB)

Please share any other relevant files that may be required (for example, logs).

[Please insert files here, otherwise delete this section]

Share all details about your problem, including any error messages you may have received.

[Replace this text with the problem that you are facing]

Hello Nandana Gopu, looking at your screenshots and logs, I think the issue is the ACS URL. The SAML response is being posted to: http://localhost:8085/iiq83/saml/SSO

That seems to be returning 404 in your setup, so the assertion probably never reaches IIQ’s SAML processing. SailPoint documents the ACS URL in this format:

http://localhost:8085/iiq83/home.jsf (IIQ SSO Configuration docs)

I would try setting that same URL in IIQ under Service Provider > SAML URL (ACS), & also in Okta for the Single Sign-On URL, Recipient URL, and Destination URL. The Audience/Entity ID should stay as: http://localhost:8085/iiq83

One more thing I noticed, the Okta settings screenshot looks like it’s from a different app (sailpointidentityiqrakesh_1 on port 8080/iiq8.4), but the app in your Okta logs is Sailpoint_Okta_Intergration_N on 8085/iiq83. You might want to double check you are updating the right Okta app.

I would fix the ACS URL & the app mismatch first and test again. If it still redirects to login after that, check your IIQ logs for the correlation rule output. Your rule already has log.error statements in place, so you should be able to see the exact assertionAttributes map, the NameID key, & whether it matched an identity.

@punna0001 - Thank you so much. Let me try and update you