> ## Documentation Index
> Fetch the complete documentation index at: https://docs.omni.co/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.omni.co/feedback

```json
{
  "path": "/administration/authentication/okta/saml",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

# Configuring Okta SAML authentication

> Configure service provider (SP)-initiated SAML authentication between Okta and Omni.

When enabled, users in your organization can log into Omni using their Okta credentials.

## Requirements

To follow the steps in this guide, you'll need:

* **Omni Organization Admin permissions**
* **Permissions in Okta that allow you to:**
  * Access the Admin console
  * Add & configure Okta applications

## Limitations

* **User sessions will expire after 24 hours**. This is not currently configurable.
* **Users will not be able to click the Omni tile in Okta to log in**. This is because Omni's current integration with Okta is not Identity service provider (IdP) initiated, but SP-initiated.

## Setup

<Steps>
  <Step title="Add the Omni application in Okta">
    1. Log in to your Okta Admin console.
    2. Navigate to **Applications > Applications > Browser App Catalog**.
    3. Search for the `Omni Analytics` application.
    4. Click **Add integration**.
    5. On the page that displays, enter your Omni **subdomain**. For example, if you log in to `https://blobsrus.omniapp.co`, you would enter `blobsrus`.
    6. Click **Save**.
  </Step>

  <Step title="Retrieve Okta Omni application details">
    Navigate to the Okta Omni application and then complete the following:

    1. In the Okta Omni application, open the **Sign on** tab.
    2. In the **SAML 2.0** section, click **More details**:
           <img src="https://mintcdn.com/omni-e7402367/pGnmRvM0SVfXp3bi/images/docs/administration/saml/okta/assets/images/okta-more-details-a710f0f0885f2954019b397e9b8361c0.png?fit=max&auto=format&n=pGnmRvM0SVfXp3bi&q=85&s=7654c5c629767ade201f28f16a77bf2c" alt="" width="1155" height="977" data-path="images/docs/administration/saml/okta/assets/images/okta-more-details-a710f0f0885f2954019b397e9b8361c0.png" />
    3. Keep this section open - you'll need the **Sign on URL**, **Issuer**, and **Signing certificate** handy to complete the next step.
           <img src="https://mintcdn.com/omni-e7402367/pGnmRvM0SVfXp3bi/images/docs/administration/saml/okta/assets/images/okta-sign-on-details-75cd3653da08da40fb35a8ad0e27901d.png?fit=max&auto=format&n=pGnmRvM0SVfXp3bi&q=85&s=49c428dd2da97c0274e9e568d3d3d1bb" alt="" width="1139" height="982" data-path="images/docs/administration/saml/okta/assets/images/okta-sign-on-details-75cd3653da08da40fb35a8ad0e27901d.png" />
  </Step>

  <Step title="Assign yourself to the Omni application">
    In this step, you'll assign the Okta Omni application to yourself. This will allow you to test the setup in Omni before rolling everything out to your organization.

    1. In the Okta Omni application, open the **Assignments** tab.
    2. Click the **Assign** button, then **Assign to people**.
    3. In the dialog that displays, click the **Assign** link next to your user.
    4. You'll be directed to confirm details about the user, including the email address and display name. Modify these settings as needed.
    5. When finished, click **Save and Go back**.
    6. Click **Done**.
  </Step>

  <Step title="Configure Omni authentication settings">
    In Omni, navigate to **Settings > Authentication** to complete the setup:

    * **Entity ID / Issuer** - Copy and paste the **Issuer** value from Okta

    * **SSO (Sign on) URL** - Copy and paste the **Sign on URL** value from Okta

    * **Certificate** - Use the **Copy** button next to the **Certificate** field in Okta, then paste the contents in Omni.

          <Warning>
            The certificate must include `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`, for example:

            ```txt wrap theme={null}
            -----BEGIN CERTIFICATE-----
            [Your Okta certificate contents]
            -----END CERTIFICATE-----
            ```

            After you paste the certificate into Omni, add these values above and below the certificate so that it looks like the above example.
          </Warning>

    * **Automatically provision new users on first login from this SAML provider** - Toggle this setting to **on** if:

      * You want to provision users only when they first access Omni **and**
      * You don't plan to set up SCIM provisioning

    * **Enable SAML login** - Toggle this setting to **on** to enable SAML authentication

    When finished, click **Save SAML changes**.

    <img src="https://mintcdn.com/omni-e7402367/Yjln-KKAZUa_xMOt/administration/authentication/images/omni-authentication-settings.png?fit=max&auto=format&n=Yjln-KKAZUa_xMOt&q=85&s=39a3c9cfd23ee9d9ece9e00d4d696bb4" alt="" width="970" height="873" data-path="administration/authentication/images/omni-authentication-settings.png" />
  </Step>

  <Step title="Test the setup">
    Test your SAML setup by logging out of Omni. On the Omni login page, you should see a **Log in with SAML** button. Click the button to log in using SAML.
  </Step>

  <Step title="Assign users to the Okta Omni application">
    <Tip>
      User groups can be pushed from Okta to Omni using SCIM. Check out the [Okta-Omni SCIM guide](/administration/authentication/okta/scim) for more information.
    </Tip>

    Once you confirm everything is working as expected, you can assign the Okta Omni application to other people and groups in your organization. **Not sure what permissions to use?** Refer to the [Connection permissions guide](/administration/users/permissions) for more information.

    In Okta:

    1. In the Okta Omni application, open the **Assignments** tab.
    2. Click the **Assign** button, then **Assign to people**.
    3. In the dialog that displays, click the **Assign** link next to the user.
    4. You'll be directed to confirm details about the user, including the email address and display name. Modify these settings as needed.
    5. When finished, click **Save and Go back**.
    6. Click **Done**.

    Users will now be able to navigate to Omni in their browser and use SAML to log in.
  </Step>
</Steps>

## What's next?

Setting up SAML allows your users to authenticate to Omni using their Okta credentials. With this setup completed, you can also:

* [Configure SCIM to auto-provision users & user groups in Omni](/administration/authentication/okta/scim)
* [Use SCIM to sync user attributes from Okta to Omni](/administration/authentication/okta/user-attributes)