Skip to main content

Okta SAML

The following manual configuration creates a SAML SSO configuration for your Enterprise organization.

Prerequisites

  • Owner role in an Enterprise organization

  • Okta account with admin access

Supported features

This configuration supports the following:

  • Service Provider initiated SSO

  • Single Log Out [optional]

Configuration steps

Before configuring SSO, you need to assign a namespace and create a Service Provider certificate and private key. These important steps provide information you need to enter later.

Create your namespace:

  1. Go to Organization > SSO.

  2. Under Namespace, enter the namespace you want for your organization. For example, acme_corp. Your organization members enter this namespace when they log in via SSO.

  3. Under SSO type, select SAML 2.0.

Download your Make Service Provider certificate:

  1. Go to Organization > SSO.

  2. Scroll down to find Service Provider Certificates.

  3. Find a certificate. If unsure, check the Valid from and Expires columns.

  4. Under Actions, click chevron.png.

  5. Select Download.

  6. Optional: Click Activate if your certificate is not activeStatus.png

Your browser downloads your certificate. Locate the .pem file and have it ready to upload later.

Steps on Okta

  1. Log in to Okta and go to Admin > Applications > Applications.

  2. Click Create app integration and select SAML 2.0.

  3. Name your app and upload your icon.

  4. Click Next.

  5. Configure the following SAML settings:

    Single sign-on URL

    You can find this URL in the Redirect URL field of the SSO configuration in your Make organization. Be sure to replace {namespace} with your actual namespace.

    Example: https://www.make.com/sso/saml/examplenamespace

    Audience URI (SP Entity ID)

    Add /metadata.xml to the URL in the Redirect URL field of the SSO configuration in your Make organization.

    Example: https://www.make.com/sso/saml/examplenamespace/metadata.xml

    Default RelayState

    Leave this field blank

    Name ID format

    Select EmailAddress

    Application username

    Select Okta username

    Update application username on

    Select Create and update

  6. Click Show advanced settings and enter the following:

    Response

    Select Signed

    Assertion signature

    Select Signed

    Signature algorithm

    Select RSA-SHA256

    Digest algorithm

    Select SHA256

    Assertion encryption

    Select Unencrypted

    Note

    Optional

    If you want to encrypt assertions, you can select Encrypted and enter the following:

    Encryption algorithm

    AES256-CBC

    Key transport algorithm

    RSA-OAEP

    Encryption certificate

    Upload the .pem file you created earlier.

    In step 4 of the following procedure on Make, select No for Allow unencrypted assertions.

    Signature certificate

    Upload the .pem file of the Service Provider Certificate you downloaded earlier. This must be an active certificate from the Service Provider Certificate section of your Make SSO configuration tab.

    Enable Single Logout

    Leave unchecked

    Signed requests

    Optional

    Other requestable SSO URLs

    Optional

    Assertion inline hook

    Select None (disable)

    Authentication context class

    Select PasswordProtectedTransport

    Honor force authentication

    Select Yes

    SAML issuer ID

    http://www.okta.com/${org.externalKey}

  7. Enter the following attributes and click Next.

    Name

    Name format

    Value

    profileFirstName

    Unspecified

    user.firstName

    profileLastName

    Unspecified

    user.lastName

    email

    Unspecified

    user.email

  8. Select the following options and click Finish.

    Are you a customer or partner?

    Select I'm an Okta customer adding an internal app

    App type

    Select This is an internal app that we have created

To locate your IdP login URL and certificate:

  1. Go to Admin > Applications > Applications and select your SAML SSO app. to access the necessary information.

  2. Go to the Sign on tab and click View SAML setup instructions.

Steps on Make

  1. Go to Organization > SSO.

  2. Enter the following information from Okta into the IdP login URL and Identity provider certificate fields.

    Field on Okta

    Field on Admin > System settings

    Identity provider single sign on URL

    IdP login URL

    X.509 certificate

    Identity provider certificate

  3. Enter the following in the Login IML resolve field:

    {"email":"{{get(user.attributes.email, 1)}}","name":"{{get(user.attributes.profileFirstName, 1)}}{{get(user.attributes.profileLastName, 1)}}","id":"{{user.name_id}}"}
  4. Select the following settings:

    Allow unencrypted assertions

    Yes

    Allow unsigned responses

    No

    Sign requests

    Yes

  5. Click Save.

Service Provider initiated SSO

  1. Go to Make's login page.

  2. Click Sign in with SSO.

  3. Enter the namespace you chose for your organization.

  4. Log in using your Okta credentials and consent to Make's access to your user data.

Troubleshooting

When you save the SSO configuration, you automatically receive an email with a link to bypass SSO login. Use this link to log in and adjust your configuration as needed.