# Okta

Configure Okta as a SAML identity provider for sfp.

> Use the URL that matches your deployment mode. **Self-hosted**: replace `<your-domain>` with your sfp server domain. **Cloud**: use `auth.flxbl.io`. See [URL convention](/flxbl/sfp-server/setting-up/saml-authentication/identity-providers.md#url-convention).

***

## 1. Create the application

1. Sign in to your Okta admin dashboard.
2. Go to **Applications** → **Applications** → **Create App Integration**.
3. Choose **SAML 2.0** and click **Next**.
4. Give it a name (e.g. "sfp SSO") and click **Next**.

***

## 2. Configure SAML

On the **Configure SAML** step:

| Field                                          | Value                                             |
| ---------------------------------------------- | ------------------------------------------------- |
| Single sign-on URL                             | `https://<your-domain>/auth/v1/sso/saml/acs`      |
| Use this for Recipient URL and Destination URL | checked                                           |
| Audience URI (SP Entity ID)                    | `https://<your-domain>/auth/v1/sso/saml/metadata` |
| Default RelayState                             | leave blank                                       |
| Name ID format                                 | `EmailAddress`                                    |
| Application username                           | `Email`                                           |

***

## 3. Configure attribute statements

In **Attribute Statements**, add:

| Name          | Name format | Value              |
| ------------- | ----------- | ------------------ |
| `email`       | Basic       | `user.email`       |
| `firstName`   | Basic       | `user.firstName`   |
| `lastName`    | Basic       | `user.lastName`    |
| `displayName` | Basic       | `user.displayName` |

The Name ID itself is set by the previous step (`EmailAddress` → `user.email`). The attribute statements above expose the user's profile fields to sfp.

Click **Next**, fill in the feedback step, and **Finish**.

***

## 4. Copy the metadata URL

After the app is created:

1. Open the **Sign On** tab.
2. Under **SAML Signing Certificates** (or **SAML Setup**), click **View SAML setup instructions** or copy the **Identity Provider metadata** URL.

It looks like:

```
https://<your-org>.okta.com/app/<app-id>/sso/saml/metadata
```

This is the only thing you need to hand to sfp.

***

## 5. Assign users

1. Open the **Assignments** tab.
2. Click **Assign** → **Assign to People** (or **Assign to Groups**).
3. Pick the users or groups that should have sfp access.

Users not assigned here will be rejected at Okta before they reach sfp.
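
To confirm the app emits what steps 2 and 3 configure, you can check a decoded assertion from a test sign-in against those values. The script below is an added example, not part of sfp or Okta; `check_assertion`, the `sfp.example.com` domain and the sample assertion are assumptions constructed for illustration. It compares configuration values only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"email", "firstName", "lastName", "displayName"}


def check_assertion(xml_text, domain):
    """List mismatches between an assertion and the settings in steps 2-3.

    Configuration check only: signatures and timestamps are not verified.
    """
    base = f"https://{domain}/auth/v1/sso/saml"
    root = ET.fromstring(xml_text)
    problems = []
    # Audience URI (SP Entity ID) from the Configure SAML table
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != f"{base}/metadata":
        problems.append(f"Audience is {audience!r}")
    # Single sign-on URL, also used as Recipient URL
    confirm = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = confirm.get("Recipient") if confirm is not None else None
    if recipient != f"{base}/acs":
        problems.append(f"Recipient is {recipient!r}")
    # Name ID format EmailAddress
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    # Attribute statements from step 3
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - sent):
        problems.append(f"missing attribute {missing!r}")
    return problems


# Constructed sample (unsigned, trimmed); displayName is deliberately absent.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dev@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sfp.example.com/auth/v1/sso/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sfp.example.com/auth/v1/sso/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"/>
    <saml:Attribute Name="firstName"/><saml:Attribute Name="lastName"/></saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "sfp.example.com") or "assertion matches")
```

An empty list means the assertion matches both tables; the sample reports the missing `displayName` attribute statement.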

***

## Next step

Continue with [Self-Hosted Setup](/flxbl/sfp-server/setting-up/saml-authentication/self-hosted-setup.md) or [Cloud Setup](/flxbl/sfp-server/setting-up/saml-authentication/cloud-setup.md) to register the IdP with sfp.

