Okta as a SAML Identity Provider

To integrate Okta as a SAML 2.0 identity provider, you must create an app in Okta to enable trust with the service provider (Conga Auth Service). After creating an app, you need external_organization_id, Metadata Location URL, and Organization ID Claim Type details.

To create an app in Okta

1. Log in to Okta.
2. In the Admin Console, go to Applications > Applications.
3. Click Create App Integration.
4. Select SAML 2.0 as the sign-in method.
5. Click Next.
6. Provide the general information for the integration and then click Next.
7. In the General section, enter and select details for the following:
   1. Enter the following Acs endpoint per your environment and check Use this for the recipient URL and destination URL checkboxes.

      • Preview environment: https://login-rlspreview.congacloud.com/api/v1/auth/Saml2/Acs

      • Production environment: https://login-rls.congacloud.com/api/v1/auth/Saml2/Acs

   2. Enter the Conga Platform Auth endpoint in the Audience URI (SP Entity ID) field.
      • Preview environment: https://login-rlspreview.congacloud.com/api/v1/auth
      • Production environment: https://login-rls.congacloud.com/api/v1/auth
   3. Select the email address option for the name ID format field.
8. In the Advanced Settings section, configure the following details:
   1. Attribute Statements: Enter external_organization_id in the Name field and the unique value that is used as an external ID while configuring Okta as a SAML identity provider.
   2. SAML Request: Click the Browse files... and upload the signature certificate file (.CER file format). To generate the signature certificate:
      1. Use the following URL per your environment to download the service provider metadata file.
         • Preview environment: https://login-rlspreview.congacloud.com/api/v1/auth/Saml2 
         • Production environment: https://login-rls.congacloud.com/api/v1/auth/Saml2 
      2. Open the metadata XML file and go to the Base64-formatted X.509 certificate tag.
      3. Convert the Base64 to .CER format using this online tool.
      4. Copy the generated X.509 certificate with the header and save it with the .CER file extension.
   3. Log Out: Select and enter details for the following:
      1. SLO Initiation: Check the Allow app to initiate single logout checkbox.
      2. Response URL: Use the following URL per your environment:
         • Preview environment: https://login-rlspreview.congacloud.com/api/v1/auth/account/SamlLogout
         • Production environment: https://login-rls.congacloud.com/api/v1/auth/account/SamlLogout
      3. SP Issuer: Use the following URL per your environment:
         • Preview environment: https://login-rlspreview.congacloud.com/api/v1/auth
         • Production environment: https://login-rls.congacloud.com/api/v1/auth
9. Click Save.

To get the external_organization_id, Metadata Location URL, and Organization ID Claim Type details

1. Log in to Okta.
2. Go to the application configured for authentication.
3. Open the Sign On tab and go to the SAML 2.0 section.
4. Copy the Metadata URL value for use as a Metadata Location URL.
   
5. Open the General tab and go to the Attribute Statements section.
6. Find the external_organization_id value.