# SAML SSO with Okta
Step-by-step guide to integrate Faraday's SAML SSO with Okta.
Prerequisites: Faraday commercial edition, Okta developer/admin account. See SAML for general SAML configuration reference.
Note: This guide covers SAML 2.0 integration. For LDAP-based Okta authentication, see the LDAP with Okta guide.
## Configuration Summary

| Okta Setting | Value |
|---|---|
| Single Sign On URL | https://<domain>/_api/saml/acs |
| Audience Restriction | https://<domain>/_api/saml/metadata.xml |
| Attribute Statement — Name | username |
| Attribute Statement — Value | user.email |

| Faraday Setting | Okta Source |
|---|---|
| SSO URL (sso_url) | Okta app → Sign On tab → Identity Provider Single Sign-On URL |
| Identity ID (identity_id) | Okta app → Sign On tab → Identity Provider Issuer |
| IdP Certificate (idp_certificate) | Okta app → Sign On tab → X.509 Certificate (download) |
Replace <domain> with your Faraday server's FQDN throughout.
## Step-by-Step Setup

### Step 1 — Access Okta Admin Console
- Navigate to your Okta organization's sign-in page.
- Log in with a user account that has administrative privileges.
- Open the Admin console.
### Step 2 — Create a SAML App Integration
- In the Admin console, go to Applications → Applications.
- Click Create App Integration.
- Select SAML 2.0 as the Sign-in method.
- Click Next.
### Step 3 — Set General Settings
- Enter the name of your integration (e.g., "Faraday").
- Optionally upload a logo.
- Click Next.
### Step 4 — Configure SAML Settings
- On the Configure SAML tab, enter:

| Field | Value |
|---|---|
| Single Sign On URL | https://<domain>/_api/saml/acs |
| Audience Restriction | https://<domain>/_api/saml/metadata.xml |

Current Okta consoles label the second field Audience URI (SP Entity ID). Faraday compares both values as exact strings when it validates the response, so scheme, host and path must match the deployed server exactly, with no trailing slash.

- In the Attribute Statements section, add:

| Name | Value |
|---|---|
| username | user.email |

- Click Next.
### Step 5 — Complete App Creation
- On the final step, select the options that suit your organization.
- Click Finish.
### Step 6 — Copy IdP Credentials
- On your app's page, go to the Sign On tab.
- In the Settings section, locate the SAML setup information and copy each value to the matching Faraday setting:

| Okta Field | Faraday Setting |
|---|---|
| Identity Provider Single Sign-On URL | sso_url (SSO URL) |
| Identity Provider Issuer | identity_id (Identity ID) |
| X.509 Certificate | idp_certificate (IdP Certificate, click Download) |

The X.509 certificate is what Faraday uses to verify the signature on Okta's SAML responses, so download it from this app's Sign On tab, not from another integration.

- Click Save.
### Step 7 — Assign Users
- Go to the Assignments tab of your Okta app.
- Click Assign and select users or groups who should have access.
- Click Done.
### Step 8 — Generate SP Certificates
On your Faraday server, generate the Service Provider private key and self-signed certificate:

```bash
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1825 -out certificate.pem
```

- certificate.pem → SP Certificate in Faraday settings
- key.pem → SP Private Key in Faraday settings

`-nodes` writes the private key unencrypted, so restrict its permissions (`chmod 600 key.pem`) and keep it out of version control and shared backups. `-days 1825` makes the certificate valid for five years; record the expiry so it can be rotated before Okta starts rejecting it.
### Step 9 — Configure Faraday
Apply the settings via CLI:

```bash
faraday-manage settings -a update saml
```

Fill in the prompts:

| Prompt | Value |
|---|---|
| enabled | True |
| display_name | Okta (or your preferred label) |
| user_role | pentester (recommended default) |
| admin_group | (optional) Okta group name that should map to admin access |
| attribute_identifier | username (matches the Attribute Statement Name from Step 4) |
| sso_url | Identity Provider Single Sign-On URL from Step 6 |
| identity_id | Identity Provider Issuer from Step 6 |
| sp_certificate | Contents of certificate.pem |
| sp_private_key | Contents of key.pem |
| idp_certificate | Contents of the X.509 certificate downloaded in Step 6 |

Alternatively, configure via the Web UI at Preferences → Authentication → SAML.
### Step 10 — Restart Faraday

```bash
systemctl restart faraday-server
```
### Step 11 — Test the Integration
- Open the Faraday login page.
- Click the SSO button labeled with your display_name.
- Authenticate with your Okta credentials.
- Verify you are redirected back to Faraday with an active session.
## Attribute Mapping
Okta sends SAML assertions containing the user attributes defined in the Attribute Statements section of the SAML configuration.

The mapping configured in Step 4 sends user.email under the attribute named username. Faraday looks up the attribute whose Name equals attribute_identifier, and the comparison is an exact, case-sensitive string match, so "username" and "Username" are different attributes. If the names differ, login either fails or creates a user with the wrong identifier.
### Common Okta Attribute Values

| Value | Description |
|---|---|
| user.email | User's primary email (recommended) |
| user.login | Okta login identifier |
| user.firstName | First name |
| user.lastName | Last name |
| user.displayName | Display name |
### Group Attribute Statement (Optional)
To enable group-based role mapping in Faraday, add a Group Attribute Statement in the Okta SAML configuration:

| Name | Filter | Value |
|---|---|---|
| groups | Matches regex | .* (or a specific filter) |

Then set admin_group in Faraday to the Okta group name that should map to admin access.
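The following is an added example, not Faraday's code, showing how the settings from Step 9 (identity_id, the audience URL, attribute_identifier, admin_group, user_role) line up with the fields of the assertion Okta issues, including the username attribute and the optional groups attribute described above. The SAML response is a constructed sample; the issuer value, the domain faraday.example.com, the group name faraday-admins and the role name "admin" are assumptions for illustration. Signature verification against idp_certificate is deliberately out of scope here; a real Service Provider must verify the XML signature before trusting any of these fields.

```python
"""Illustrative mapping of a SAML assertion onto the Faraday SAML settings.

Added example, not Faraday's implementation. Signature validation is
omitted on purpose; production code must verify the signature with the
IdP certificate first and should parse with a hardened XML parser.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values mirroring the Step 9 prompts. Domain, issuer and group are assumed.
FARADAY_SETTINGS = {
    "identity_id": "http://www.okta.com/exkEXAMPLE",          # assumed Okta issuer
    "audience": "https://faraday.example.com/_api/saml/metadata.xml",
    "attribute_identifier": "username",
    "admin_group": "faraday-admins",                           # assumed group name
    "user_role": "pentester",
}

# Constructed sample response: unsigned, trimmed to the elements used below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://faraday.example.com/_api/saml/metadata.xml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Everyone</saml:AttributeValue>
        <saml:AttributeValue>faraday-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlMappingError(Exception):
    """The assertion does not line up with the configured Faraday settings."""


def attribute_values(assertion, name):
    """Return every AttributeValue of the Attribute whose Name equals `name`.

    The comparison is exact and case-sensitive, like the SAML Name match."""
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return []


def map_assertion(response_xml, settings):
    """Check issuer and audience, then derive the Faraday username and role."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlMappingError("response carries no Assertion")

    # Issuer must equal identity_id (Identity Provider Issuer from Step 6).
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != settings["identity_id"]:
        raise SamlMappingError(f"issuer {issuer!r} does not match identity_id")

    # Audience must contain the metadata URL configured in Okta (Step 4).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if settings["audience"] not in audiences:
        raise SamlMappingError(f"invalid audience: {audiences}")

    # The username comes from the attribute named by attribute_identifier.
    name = settings["attribute_identifier"]
    usernames = attribute_values(assertion, name)
    if len(usernames) != 1 or not usernames[0]:
        raise SamlMappingError(
            f"no single-valued attribute named {name!r}; the Okta Attribute "
            "Statement Name does not match attribute_identifier")

    # Optional group mapping: membership in admin_group grants the assumed
    # "admin" role, everyone else gets user_role.
    groups = attribute_values(assertion, "groups")
    is_admin = bool(settings["admin_group"]) and settings["admin_group"] in groups
    role = "admin" if is_admin else settings["user_role"]
    return {"username": usernames[0], "role": role, "groups": groups}


def mapping_error(response_xml, settings):
    """Return the failure reason as text, or None when the mapping succeeds."""
    try:
        map_assertion(response_xml, settings)
    except SamlMappingError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(map_assertion(SAMPLE_RESPONSE, FARADAY_SETTINGS))
```

Each raise corresponds to a row of the Troubleshooting table below: a Name mismatch in the Okta Attribute Statement surfaces as the attribute_identifier error, and any difference in the audience string (host, scheme, trailing slash) surfaces as the audience error, which is why those values must be copied exactly.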
## Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| "User is not assigned to this application" | User not assigned in Okta | Assign the user or their group under the Assignments tab |
| Wrong username in Faraday | Attribute Statement value mismatch | Verify the Name/Value in Attribute Statements matches attribute_identifier |
| "Invalid audience" error | Wrong Audience Restriction URL | Verify URL is exactly https://<domain>/_api/saml/metadata.xml |
| SSO URL not working | Copied wrong URL from Okta | Use the Identity Provider Single Sign-On URL, not the Okta dashboard URL |
| IdP certificate error | Downloaded wrong certificate | Re-download from the SAML setup section under the Sign On tab |