
# Okta SSO

> Configure single-sign-on (SSO) to Minimus via Okta

Okta is a popular identity provider that supports SAML. To configure single sign-on (SSO) to Minimus via Okta, follow the standard process for adding a custom SAML app.

## Prepare the SSO form in Minimus

1. Go to **Manage** > **Users & Groups** ([direct link](https://images.minimus.io/manage/access/users?saml=open))
2. Click **Configure SSO** at the top of the page to open the Minimus SSO form.
   <Tip>
     Keep this form open and available in another browser tab as you configure the SAML app in Okta.
   </Tip>
3. The form has 4 parts:
   1. **Configure Minimus as a custom app in your identity provider** - You will need to copy these parameters from Minimus to Okta in the next steps.
      1. SP Entity ID
      2. Reply URL (Callback / ACS URL)
      3. Relay State (optional) - If you leave the Relay State blank, users will only be able to log in with SSO from the Minimus homepage.
   2. **Connect Minimus to your identity provider** - You will need to fetch these parameters from your Okta custom app and save them in the Minimus form.
      1. Login SSO URL
      2. IdP Entity ID
      3. Certificate
   3. **SAML Attribute Mapping** - You will configure matching attributes in both Okta and Minimus.
   4. **Group Mapping** is optional and can be enabled if you plan to configure user groups. [See the instructions in user groups](https://docs.minimus.io/manage/user-groups).

## Add Minimus as a custom app in Okta

<Steps>
  <Step title="Create a Minimus application in Okta">
    1. Log in to your Okta Admin Console.
    2. Create a new SAML application:
       1. In the left menu, go to **Applications > Applications**.
       2. Select the option **Create App Integration**.
       3. Select **SAML 2.0** as the sign-in method.

    <Frame>
      <img src="https://mintcdn.com/gutsy-6162adbc/EqSGQ2Bhzeji_ueV/images/createappintegration.png?fit=max&auto=format&n=EqSGQ2Bhzeji_ueV&q=85&s=163f3c898f8e3c8f4674d808c3f6cda4" alt="" width="1803" height="1097" data-path="images/createappintegration.png" />
    </Frame>
  </Step>

  <Step title="Configure the general settings">
    1. Fill out the **General Settings**:
       1. Name the application. (We'll assume the name **Minimus App** was used for the rest of this guide.)
       2. Upload the Minimus logo to help your team identify the app in their app gallery. (This is not required but highly recommended.)
       3. Click **Next**.
  </Step>

  <Step title="Configure app parameters in Okta">
    <Frame>
      <img src="https://mintcdn.com/gutsy-6162adbc/EqSGQ2Bhzeji_ueV/images/okta-configure-saml-app.png?fit=max&auto=format&n=EqSGQ2Bhzeji_ueV&q=85&s=be74601472bf3e86e86e1c2105750b7f" alt="Okta Configure Saml App" width="1450" height="928" data-path="images/okta-configure-saml-app.png" />
    </Frame>

    1. Open the Minimus SSO form in another browser tab. You can use this [direct link](https://images.minimus.io/manage/access/users?saml=open) or navigate as follows: Go to **Manage** > **Users & Groups**. Then click **Configure SSO** at the top of the page.
    2. Copy the following parameters from the Minimus app to Okta. Note that the order of the parameters is different in the apps. The fields are shown according to their order in the Okta form:
       | Okta Parameter              | Minimus Parameter              |
       | --------------------------- | :----------------------------- |
       | Single sign-on URL          | Reply URL (Callback / ACS URL) |
       | Audience URI (SP Entity ID) | SP Entity ID                   |
       | Default RelayState          | Relay State                    |
    3. Fill out the rest of the fields in the Okta form:
       1. **Name ID Format** - Select **EmailAddress** from the dropdown list.
       2. **Application Username** - Select **Email** from the dropdown list.
       3. **Update application username on** - Leave the default. (It should be **Create and update**).

    <Warning>
      Only change the two settings explicitly mentioned above (Name ID Format and Application Username). Leave all other Okta configuration settings at their default values. Modifying advanced settings such as Assertion Signature, Response signing, or encryption settings will cause the SSO integration to fail.
    </Warning>
  </Step>

  <Step title="Configure attribute statements in Okta">
    Still in the same Okta tab, scroll down to the section **Attribute Statements (Optional)**.

    1. Select **add expression**
    2. Add the following 3 expressions:
       | Name      | Expression                                     |
       | :-------- | :--------------------------------------------- |
       | email     | user.profile.email                             |
       | Full Name | user.profile.firstName + user.profile.lastName |
       | groups    | user.getGroups(group1,group2,group3)           |

       Replace the example `group1,group2,group3` with a comma-separated list of your group names, for example, `admin,dev,qa`.

           <Frame>
             <img src="https://mintcdn.com/gutsy-6162adbc/xyj2pzFXrbDrpB2R/images/okta-group-expression.png?fit=max&auto=format&n=xyj2pzFXrbDrpB2R&q=85&s=9502c90fc5d949520cbf1a2653812a37" alt="Okta Group Expression" width="1613" height="900" data-path="images/okta-group-expression.png" />
           </Frame>
    3. Once done, the Okta attribute statements should look like this:
           <Frame>
             <img src="https://mintcdn.com/gutsy-6162adbc/uMrm_UE7UdRcM4Hl/images/okta-attribute-expressions.png?fit=max&auto=format&n=uMrm_UE7UdRcM4Hl&q=85&s=22be4e7103f1007862e5e258276a54fe" alt="Okta Attribute Expressions" width="894" height="438" data-path="images/okta-attribute-expressions.png" />
           </Frame>

    <Warning>
      If you do not plan to use Okta groups for role-based access control, you can skip the groups expression. However, group roles are recommended for simplifying access control.
    </Warning>
  </Step>

  <Step title="Save your custom SAML app">
    1. Click **Next** to continue.
    2. Okta will ask for your feedback now that you have configured the custom SAML app.
    3. Click **Finish**.
  </Step>

  <Step title="Connect the Okta SAML app to Minimus">
    1. In Okta, under your newly created Minimus app:
       1. Switch tabs to **Sign On**. (You should be automatically navigated to this tab.)
       2. Expand **More details.**
    2. Copy the following parameters from Okta to Minimus. Note that the order of the parameters is different in the apps. The fields are shown according to their order in the Okta form:
       | Okta Parameter | Minimus Parameter |
       | :------------- | :---------------- |
       | Sign on URL    | Login URL         |
       | Issuer         | IdP Entity ID     |
           <Frame>
             <img src="https://mintcdn.com/gutsy-6162adbc/EqSGQ2Bhzeji_ueV/images/okta-sign-on-details.png?fit=max&auto=format&n=EqSGQ2Bhzeji_ueV&q=85&s=2709bd0858eb2589659f3c50b0b36191" alt="Okta Sign On Details Pn" width="1147" height="1048" data-path="images/okta-sign-on-details.png" />
           </Frame>
  </Step>

  <Step title="Download Base64 Certificate">
    1. Still on the same screen, download the signing certificate from Okta.
    2. Open the certificate in Notepad or another text editor, and copy its contents (including `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`).
    3. Copy the certificate to the Minimus form.

    <Warning>
      If you copy the certificate, note that it will not include the opening and closing tags:

      `-----BEGIN CERTIFICATE-----`

      `-----END CERTIFICATE-----`

      You can paste the certificate between the tags provided by the placeholder.
    </Warning>
  </Step>

  <Step title="Fill out SAML Attribute Mapping in Minimus">
    Back in the Minimus SAML form, fill out the following under **Step 3: SAML Attribute Mapping**:

    | Minimus Parameter | Input to type in |
    | :---------------- | :--------------- |
    | Email             | email            |
    | Full name         | fullName         |

    If you plan to use groups, enable **Step 4: Group Mapping**. This step is optional. It is only relevant if you intend to configure [group roles](/manage/user-groups).

    * **Type: Google / Okta / Other** (This should already be selected by default).
    * **Group Mapping**: Type in `groups` to match the Okta attribute expression from a previous step.

    <Frame>
      <img src="https://mintcdn.com/gutsy-6162adbc/xyj2pzFXrbDrpB2R/images/saml-group-configuration.png?fit=max&auto=format&n=xyj2pzFXrbDrpB2R&q=85&s=349951b7ec6a2b827abe82b8abd7cca0" alt="Saml Group Configuration" width="1920" height="989" data-path="images/saml-group-configuration.png" />
    </Frame>
  </Step>

  <Step title="Save the Minimus SSO form">
    You are now ready to save the SSO configuration form in Minimus.
  </Step>
</Steps>

## Assign access in Okta

Grant Okta groups and/or users access to Minimus.

1. Log in to your Okta Admin Console.
2. In the left menu, go to **Applications > Applications**.
3. Select your **Minimus App** to open its details.
4. Select the **Assignments** tab.
5. Select **Assign > Assign to people / groups** and follow the instructions on the page.

<Frame>
  <img src="https://mintcdn.com/gutsy-6162adbc/EqSGQ2Bhzeji_ueV/images/okta-assign-users.png?fit=max&auto=format&n=EqSGQ2Bhzeji_ueV&q=85&s=87afff98577ceab7396546119aaf9cf8" alt="Okta Assign Users" width="1382" height="857" data-path="images/okta-assign-users.png" />
</Frame>

## Troubleshooting SSO access

When copying the certificate to Minimus, make sure there is no whitespace before or after the certificate. Also, check that the expected prefix and suffix are included.

```text
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
```
