# Okta Authentication

:::note
The following steps are valid for Okta SAML setup. Please note that the following procedure is a broad description of a **sample configuration**. For a fully detailed how-to, visit the official [Okta documentation](https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta).
:::

## Configure Okta to Recognize a New Orchestrator Instance


1. Log in to Okta. The following setup is made in **Classic UI** view. You can change it from the drop-down on the top-right corner of the window.

   Figure 1. Classic interface

   !['Classic UI' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-classic-ui-image-231084-6dbfde6e.webp)

2. On the **Application** tab, select **Create New App**. The **Create a New Application Integration** window is displayed.
3. Choose **SAML 2.0** as sign-on method and select **Create**.

   Figure 2. Create new application integration window

   !['Create new application integration window' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-create-new-application-integration-window-image-226875-3f8c3c5d.webp)

4. For the new integration, on the **General Settings** window, enter the application name.
5. On the **SAML Settings** window, fill in the **General** section as per this example:
   * **Single sign on URL**: The Orchestrator instance URL + `/identity/Saml2/Acs`. For example, `https://orchestratorURL/identity/Saml2/Acs`.
   * Enable the **Use this for Recipient URL and Destination URL** check box.
   * **Audience URI**: `https://orchestratorURL/identity`
   * **Name ID Format**: **EmailAddress**
   * **Application Username**: **Email**
     :::note
     Whenever filling in the URL of the Orchestrator instance, make sure it does not contain a trailing slash. Always fill it in as `https://orchestratorURL/identity`, not `https://orchestratorURL/identity/`.
     :::
6. Select **Show Advanced Settings** and fill in the **Attribute Statements** section:
   * Set the **Name** field to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` and select **user.email** from the **Value** drop-down.

     Figure 3. Attribute statements (optional) section

     !['Attribute statements (optional) section' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-attribute-statements-optional-section-image-233119-0b53f796.webp)

7. Download the Okta certificate. This is the identity provider's signing certificate; you import it into Orchestrator later so that Orchestrator can verify the signature on SAML responses coming from Okta.
8. In the **Feedback** section, select the option that suits you and select **Finish**.
9. On the **Sign On** tab, in the **Settings** section, select **Setup Instructions**. You are redirected to a new page containing the instructions required to complete your Orchestrator configuration for SAML 2.0: **Identity Provider Sign-On URL**, **Identity Provider Issuer**, **X.509 Certificate**.
   :::note
   If, for any reason, the information about the identity provider is lost, you can retrieve it at any time from **Sign On** > **Settings** > **View Setup Instructions**.
   :::

## Assigning People to the Application

In order for a user to be able to sign in with Okta, the user must be assigned the newly created application. Assignment in Okta only controls who may authenticate through the integration; what the user can do in Orchestrator is still determined by the Orchestrator user defined for that email address (see the next section).

1. Log in to Okta.
2. On the **Application** page, select the newly created application.
3. On the **Assignments** tab, select **Assign > Assign to People** and then select the users who should be able to sign in through this application.

   Figure 4. Assign Orchestrator25 to people window

   !['Assign Orchestrator25 to people window' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-assign-orchestrator25-to-people-window-image-229694-f61e961d.webp)

4. The newly added users are displayed on the **People** tab.

## Set Orchestrator/Identity Server to Use Okta Authentication

1. Define a user in Orchestrator and set a valid email address on the **Users** page. The address must match the Okta user's email, because that is the value Okta sends as the Name ID and in the `emailaddress` attribute statement configured above.
2. Import the signing certificate:
   * For Windows deployments, [import the signing certificate](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/setting-orchestrator-to-use-a-private-key-certificate#private-key-certificates) provided by the Identity Provider (the certificate downloaded from Okta in step 7) into the Windows certificate store using Microsoft Management Console.
   * For Azure deployments, upload the certificate provided by the Identity Provider in the Azure portal (**TLS/SSL settings > Public Certificates (.cer) > Upload Public Key Certificate**). Refer to [Frequently Encountered Orchestrator Errors](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/frequently-encountered-orchestrator-errors#frequently-encountered-orchestrator-errors) to adjust your web app configuration if you are unable to use Okta authentication and encounter the following error message: `An error occurred while loading the external identity provider. Please check the external identity provider configuration.`
3. Log in to the [Management portal](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/about-the-host-level#host-management-portal) as a system administrator.
4. Go to **Security**.
5. Select **Configure** under **SAML SSO**:

   The **SAML SSO configuration** page opens.

6. Set it up as follows:
   * Optionally select the **Force automatic login using this provider** checkbox if, after the integration is enabled, you want your users to only sign in through the SAML integration.
   * Set the **Service Provider Entity ID** parameter to `https://orchestratorURL/identity`.
   * Set the **Identity Provider Entity ID** parameter to the value obtained by configuring Okta authentication (refer to [step 9](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/okta-authentication#configure-okta-to-recognize-a-new-orchestrator-instance)).
   * Set the **Single Sign-On Service URL** parameter to the value obtained by configuring Okta authentication (refer to [step 9](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/okta-authentication#configure-okta-to-recognize-a-new-orchestrator-instance)).
   * Select the **Allow unsolicited authentication response** checkbox. This is what permits IdP-initiated sign-in, where a user launches Orchestrator from the Okta dashboard and Okta posts a SAML response that Orchestrator did not request. If you only want sign-in to start from the Orchestrator login page, you can leave it cleared so that only responses to requests Orchestrator itself issued are accepted.
   * Set the **Return URL** parameter to `https://orchestratorURL/identity/externalidentity/saml2redirectcallback`. Make sure to add `/identity/externalidentity/saml2redirectcallback` at the end of the URL for the **Return URL** parameter. This path is **specific to Okta** as it allows you to reach an Orchestrator environment directly from Okta.
   * Set the **SAML binding type** parameter to `HTTP redirect`.
   * In the **Signing Certificate** section, from the **Store name** list, select **My**.
   * From the **Store location** list, select `LocalMachine` for Windows deployments or `CurrentUser` for Azure Web App deployments.
   * In the **Thumbprint** field, enter the thumbprint of the imported certificate as shown in the Windows certificate store. [Details](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/setting-orchestrator-to-use-a-private-key-certificate#private-key-certificates).
     :::note
     Replace all occurrences of `https://orchestratorURL` with the URL of your Orchestrator instance. Make sure that the URL of the Orchestrator instance does not contain a trailing slash. Always fill it in as `https://orchestratorURL/identity`, not `https://orchestratorURL/identity/`.
     :::
7. Select **Save** to save the changes to the external identity provider settings.

   The page closes and you return to the **Security Settings** page.

8. Select the toggle to the left of **SAML SSO** to enable the integration.
9. Restart the IIS server.
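The following PowerShell script is an added example, not code from the UiPath documentation. It performs the certificate import from step 2 of this section from the command line instead of MMC and then checks the values you are about to paste into Okta and into the **SAML SSO configuration** page. It assumes a Windows (IIS) deployment, an elevated PowerShell session on the Orchestrator server, that the certificate downloaded from Okta was saved as `C:\temp\okta.cert` (a hypothetical path), and that `$OrchestratorUrl` is replaced with your real Orchestrator base URL. Azure Web App deployments, which use the `CurrentUser` store, are not covered.

```powershell
# Added example, not part of the UiPath documentation.
# Assumptions: Windows deployment, elevated session, certificate saved at the
# hypothetical path below, and $OrchestratorUrl replaced with the real base URL.
$CertPath        = 'C:\temp\okta.cert'
$OrchestratorUrl = 'https://orchestratorURL'   # replace; must not end with a trailing slash

function Get-NormalizedThumbprint {
    # MMC copies thumbprints with spaces (and sometimes an invisible leading character);
    # the Orchestrator Thumbprint field should receive plain hex digits only.
    param([Parameter(Mandatory)][string]$Thumbprint)
    return ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Refuse the trailing-slash mistake called out in the procedure before touching anything else.
if ($OrchestratorUrl.EndsWith('/')) {
    throw "Orchestrator URL '$OrchestratorUrl' must not end with '/'"
}

# Import into LocalMachine\My, i.e. Store name 'My' / Store location 'LocalMachine' in the SAML SSO form.
# Import-Certificate accepts DER or Base64 input and returns the X509Certificate2 it stored.
$Cert = Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\My'

# The IdP signing certificate must be inside its validity period, or signature validation fails later.
$Now = Get-Date
if ($Now -lt $Cert.NotBefore -or $Now -gt $Cert.NotAfter) {
    throw "Okta signing certificate is not currently valid (valid $($Cert.NotBefore) to $($Cert.NotAfter))"
}

# Confirm the thumbprint you are about to paste resolves to exactly one certificate in the store.
$Thumbprint = Get-NormalizedThumbprint $Cert.Thumbprint
$Found = @(Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $Thumbprint })
if ($Found.Count -ne 1) {
    throw "Expected exactly one certificate with thumbprint $Thumbprint in LocalMachine\My, found $($Found.Count)"
}

# Values to copy into Okta (SAML Settings) and into the Orchestrator SAML SSO configuration page.
[pscustomobject]@{
    'Okta: Single sign on URL'                 = "$OrchestratorUrl/identity/Saml2/Acs"
    'Okta: Audience URI'                       = "$OrchestratorUrl/identity"
    'Orchestrator: Service Provider Entity ID' = "$OrchestratorUrl/identity"
    'Orchestrator: Return URL'                 = "$OrchestratorUrl/identity/externalidentity/saml2redirectcallback"
    'Orchestrator: Thumbprint'                 = $Thumbprint
    'Certificate subject'                      = $Cert.Subject
    'Certificate expires'                      = $Cert.NotAfter
} | Format-List
```

If you imported the certificate through MMC instead, run `Get-NormalizedThumbprint` on the value copied from the certificate's **Details** tab and use the result in the **Thumbprint** field; the store lookup in the script is the quickest way to confirm that the value you pasted really points at the Okta certificate and not at another entry in `LocalMachine\My`. Note the certificate expiry: Okta signing certificates do rotate, and an expired or replaced certificate produces the same "error occurred while loading the external identity provider" failure referenced above.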
