# Okta

Okta provides a flexible yet simple Identity Provider solution that integrates easily with the Frame platform. Following the steps below, you simply need to locate, copy, and paste certain values between platforms. This process should take less than fifteen minutes. Refer to Okta documentation for additional information on how to configure Okta.

<p class="callout warning"> **Attention**  Please be aware that while Okta does have a pre-built Frame app, this app does not yet support group attributes. In order to use group attributes, you must configure the application manually as described below.</p>

## Getting Started

To begin, let's create a URL-friendly SAML2 Application ID (also referred to as Entity ID) that we'll use in a few places throughout our setup, as well as a Custom Label which will be displayed on the login page for users, for example.

Application ID: DC-OKTA-DEV  
Custom Label: Frame-OKTA

Also copy the Assertion URL

Click "add" to save the changes for later

  
Follow the steps to create a SAML 2 Provider explained in the [General SAML2 Integration](https://docs.difr.com/books/platform-administrators-guide/page/general-saml2-integration) section, until you see until you see the template with the missing configuration info, and copy the Metadata URL which will be needed later in the setup. From here leave the tab open, and continue with the configuration in the Azure console.

[![image.png](https://docs.difr.com/uploads/images/gallery/2025-11/scaled-1680-/Z8nimage.png)](https://docs.difr.com/uploads/images/gallery/2025-11/Z8nimage.png)

1. In a *separate/new tab*, log in to your Okta account as an Admin and open the Dashboard. Select **SSO Apps**.[![image.png](https://docs.difr.com/uploads/images/gallery/2025-11/scaled-1680-/2w8image.png)](https://docs.difr.com/uploads/images/gallery/2025-11/2w8image.png)
2. Click **Create App Integration** in the top-left corner of the page.[![image.png](https://docs.difr.com/uploads/images/gallery/2025-11/scaled-1680-/ALdimage.png)](https://docs.difr.com/uploads/images/gallery/2025-11/ALdimage.png)
3. 2. Select **SAML 2.0** and click **Next**.![Select SAML 2.0](https://docs.difr.com/uploads/images/gallery/2025-10/okta-saml2.png)
4. Provide an app **name** and **icon**. We've provided a Frame icon below for convenience:![Frame App Logo](https://docs.difr.com/uploads/images/gallery/2025-10/dizzion-logo-small.png)[![image.png](https://docs.difr.com/uploads/images/gallery/2025-11/scaled-1680-/M7Zimage.png)](https://docs.difr.com/uploads/images/gallery/2025-11/M7Zimage.png)
5. From there, you will be taken to the **SAML Settings** page.[![image.png](https://docs.difr.com/uploads/images/gallery/2025-11/scaled-1680-/ID4image.png)](https://docs.difr.com/uploads/images/gallery/2025-11/ID4image.png)
6. Next, it's time to paste our **AsserationURL** from the [Getting Started](https://docs.difr.com/link/86#bkmrk-getting-started) section of this page.
7. Next, we'll enter the following information:**Audience URI**: A DNS-compliant string. For this example, we will use `DC-OKTA-DEV`. This customer-defined string will be entered on the Frame side as our **Application ID** later on. You must use a unique Audience URI for your own IdP integration.
8. **Default RelayState**: This field can be left blank for SP-initiated SSO scenario. For IdP-initated SSO scenarios, you will need to specify the URL your IdP will redirect the user to once the user has authenticated to Okta. The value can be a [custom entity endpoint URL](https://docs.difr.com/books/platform-administrators-guide/page/authentication#entity-endpoint-urls) or a Launch Link URL.
9. Configure how Okta will specify the Subject for the SAML2 assertion.  
      
    ![SAML Settings - Name ID format, Application username](https://docs.difr.com/uploads/images/gallery/2025-10/okta-saml2-3b.png)**Name ID format**: Use value of **EmailAddress Application username**: Use value of **Email**
10. Select **Show Advanced Settings** in the bottom right corner and the Okta fields shown in the following screen will be visible.![SAML Advanced Settings](https://docs.difr.com/uploads/images/gallery/2025-10/okta-saml2-4.png)Update the following fields:  
    **Response**: Use value of **Unsigned Assertion Signature**: Use value of **Signed Other Requestable SSO URLs**: If you plan to use the Frame Login Page, add a second **Single sign-on URL** with the FQDN **api.difr.com.com** with an index of `1`. For example, [`https://img.frame.nutanix.com/saml2/done/docs-frame-okta/`](https://api.staging.difr.com/iam/5cdbd7c7-5acd-4152-9b11-d1e4cfe3ea53/login/done) for the above example.
11. **Add three Attribute Statements**. They must be exactly as shown here, including capitalization. Additionally, you can add “Group Attribute Statements” if you wish. We go into detail for passing group attributes/claims in later steps.  
      
    ![SAML2 Attribute Mappings](https://docs.difr.com/uploads/images/gallery/2025-10/okta-saml2-5.png)
12. Click **Next** and fill out the feedback page as desired.  
      
    ![Okta Feedback](https://docs.difr.com/uploads/images/gallery/2025-10/okta-saml2-6.png)
13. Click **Finish**.
14. You will automatically be taken to the **Sign On** page/tab where we'll obtain the final piece of information. Scroll down to the bottom box under the *Sign On Methods* section and right-click on the blue **Identity Provider metadata** link. Copy the link URL and save it somewhere to reference in later steps.  
      
    [![image.png](https://docs.difr.com/uploads/images/gallery/2025-11/scaled-1680-/IOOimage.png)](https://docs.difr.com/uploads/images/gallery/2025-11/IOOimage.png)
15. The Okta side of the setup is now complete. Next, we'll configure the Frame side of the integration using the the values we've copied from these steps in the Okta Dashboard.
16. Final Steps

### <span class="TextRun SCXW95714165 BCX0" data-contrast="none" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW95714165 BCX0" data-ccp-parastyle="heading 2">Configure the SAML2 Authentication Integration Provider in Frame</span></span>[<span class="TextRun SCXW95714165 BCX0" data-contrast="none" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW95714165 BCX0" data-ccp-charstyle="Hyperlink"> </span></span>](https://docs.dizzion.com/platform/identity-and-access/idp-integrations/entra-id#create-the-saml2-authentication-integration-provider-in-frame)<span class="EOP SCXW95714165 BCX0" data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"335559738":600,"335559739":300}"> </span>

<div class="SCXW95714165 BCX0" id="bkmrk-open-up-a-new-tab-an"></div>1. Navigate back to your Frame tab and enter the following data into our **Add a SAML2 Identity Provider** form:
    
    <figure>[![image.png](https://docs.difr.com/uploads/images/gallery/2025-11/scaled-1680-/V7Mimage.png)](https://docs.difr.com/uploads/images/gallery/2025-11/V7Mimage.png)
    
    </figure>
    - **Application ID**: The value here **needs to match** the value set as the "Entity ID" from Step 5.
    - **Auth provider metadata**: Click the “XML” option and paste the contents of the Metadata XML file from Step 4.
    - **Custom Label**:. Allows Admins to customize Frame's Sign in page chiclets/buttons associated with this SAML2 integration.
    - **Authentication token expiration**: Choose a token expiration duration that supports your end-user workflows and complies with your security policies.
    - **Enable “Signed assertion”**
    - **<span class="TextRun SCXW207479778 BCX0" data-contrast="auto" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW207479778 BCX0">Assertion Consumer Service (ACS) URL</span><span class="NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW207479778 BCX0">:</span></span>**<span class="TextRun SCXW207479778 BCX0" data-contrast="auto" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW207479778 BCX0">  The</span><span class="NormalTextRun SCXW207479778 BCX0"> endpoint where the Identity Provider (IdP) delivers SAML authentication responses after a successful login.</span></span><span class="EOP SCXW207479778 BCX0" data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}"> </span>
    - **<span class="TextRun SCXW207479778 BCX0" data-contrast="auto" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW207479778 BCX0">Metadata URL</span><span class="NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW207479778 BCX0">:</span></span>**<span class="TextRun SCXW207479778 BCX0" data-contrast="auto" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW207479778 BCX0">  A</span><span class="NormalTextRun SCXW207479778 BCX0"> publicly accessible URL providing your Service Provider's SAML metadata, used by Identity Providers to configure and </span><span class="NormalTextRun SCXW207479778 BCX0">establish</span><span class="NormalTextRun SCXW207479778 BCX0"> trust.  
          
        </span></span>**<span class="EOP SCXW207479778 BCX0" data-ccp-props="{"134233117":false,"134233118":false,"335559738":240,"335559739":240}">Optional</span>**
    - <span class="NormalTextRun SCXW15592334 BCX0">Frame Login URL</span><span class="NormalTextRun SCXW15592334 BCX0">: </span><span class="NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW15592334 BCX0">user</span><span class="NormalTextRun SCXW15592334 BCX0"> is directed to this URL when the user wants to log back into Frame after being logged out due to inactivity.  
        </span>
    - <span class="NormalTextRun SCXW15592334 BCX0"><span class="TextRun SCXW99947813 BCX0" data-contrast="none" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW99947813 BCX0">Frame Logout URL</span><span class="NormalTextRun SCXW99947813 BCX0">: </span><span class="NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW99947813 BCX0">user</span><span class="NormalTextRun SCXW99947813 BCX0"> is directed to this URL when the user logs out of the Launchpad or if they decide to leave Frame after being logged out due to inactivity.</span></span><span class="EOP SCXW99947813 BCX0" data-ccp-props="{"134233117":false,"134233118":false,"335551550":0,"335551620":0,"335557856":16777215,"335559738":0,"335559739":0}">   
        </span></span>
    
    Click **Add**.
    
    You have successfully created your Okta integration with the Frame platform! Move on to the next section for configuring roles and permissions for your users, as well as information for passing Group attributes to Frame.

### <span class="TextRun SCXW95714165 BCX0" data-contrast="none" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW95714165 BCX0" data-ccp-parastyle="heading 3">Configuring SAML2 Permissions</span></span>[<span class="TextRun SCXW95714165 BCX0" data-contrast="none" lang="EN-US" xml:lang="EN-US"><span class="NormalTextRun SCXW95714165 BCX0" data-ccp-charstyle="Hyperlink"> </span></span>](https://docs.dizzion.com/platform/identity-and-access/idp-integrations/entra-id#configuring-saml2-permissions)<span class="EOP SCXW95714165 BCX0" data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"335551550":1,"335551620":1,"335557856":16777215,"335559738":450,"335559739":300}"> </span>

1. Once the IdP is successfully configured on Frame, administrators will need to configure the authorization rules for the account from the **SAML2 Permissions** tab listed to the right of the **SAML2 Provider** tab, as discussed in our [Roles](https://docs.difr.com/link/81#bkmrk-roles) and [User Permissions with a SAML2 IdP](https://docs.difr.com/link/85#bkmrk-configuring-saml2-pe) sections.
2. Passing Group Attributes
3. You can authorize any groups of users you want to allow to use the Frame platform based on the user-group assignments you have configured in Okta. We recommend following the guidance of Okta's support team provided [in this link](https://support.okta.com/help/s/question/0D50Z00008G7UrC/can-you-pass-group-membership-as-part-of-the-saml-assertion-to-the-sp-) regarding group attribute statements with custom SAML applications.
4. Groups attribute and the associated set of Okta groups to insert in the SAML2 Response can be defined in Okta. In this example, enter `groups` for the group name attribute and define the group name inclusion filter.  
      
    ![Group Attribute Statements](https://docs.difr.com/uploads/images/gallery/2025-10/okta-group1.png)
5. Here's an example of a list of groups in Okta:  
      
    [![image.png](https://docs.difr.com/uploads/images/gallery/2025-11/scaled-1680-/Lq7image.png)](https://docs.difr.com/uploads/images/gallery/2025-11/Lq7image.png)
6. Assuming that one of the Okta groups that is passed to Frame is **Okta-Contractors**, the Frame administrator would specify a SAML2 permission where any user's SAML2 response contains a value of `Okta-contractors` in the `groups` SAML2 attribute will be granted Account Administrator role on Frame account Contractor Account.  
      
    ![Groups in Okta](https://docs.difr.com/uploads/images/gallery/2025-10/okta-group3.png)
7. Signing into Frame with Okta
8. Your new SAML2 auth integration will appear as button on your Frame login page. The URL for navigating to your Frame login page will vary depending on which level the SAML2 integration was configured. See our section about [Entities and URLs](https://docs.difr.com/books/platform-administrators-guide/page/authentication#entity-endpoint-urlsentity-endpoint-urls) to help pick the right one for you and your end-users and/or staff.
9. When landing on a URL configured for your Okta SAML2 Integration, your end-users should see an option like this:  
      
    [![image.png](https://docs.difr.com/uploads/images/gallery/2025-11/scaled-1680-/FoFimage.png)](https://docs.difr.com/uploads/images/gallery/2025-11/FoFimage.png)