Configure SAML 2.0 single sign-on between TrueFoundry and Okta.
This guide walks you through setting up SAML 2.0 single sign-on between TrueFoundry and Okta. Once finished, members of your Okta tenant can sign in to TrueFoundry through a Login with Okta button.
Sign in to your Okta admin console (https://<your-tenant>-admin.okta.com) as an administrator.In the left navigation, expand Applications → Applications and click Create App Integration.
2
Pick SAML 2.0
In the Create a new app integration dialog, select SAML 2.0 and click Next.
3
Name the application
On the General Settings step, give the application a name such as TrueFoundry. Optionally upload an app logo.Click Next to move on to the Configure SAML step.
On the Configure SAML step of the application you created in Step 2, fill in the SAML Settings card using the values from Step 1.
1
Configure SAML settings
On the Configure SAML step, fill in the SAML Settings section using the values from Step 1:
Okta field
Value from TrueFoundry
Single sign-on URL
Single Sign On URL
Audience URI (SP Entity ID)
Audience URI (SP Entity ID)
Default RelayState
Relay URL
Leave Use this for Recipient URL and Destination URL checked.Set Name ID format to EmailAddress and leave Application username at the default of Okta username.Click Next.
2
Submit the feedback page
Okta requires a short feedback prompt. Select I’m an Okta customer adding an internal app, then scroll down and click Finish.
3
Add attribute statements
After the wizard completes, open your application and click the Sign On tab. Scroll to the Attribute statements section and click Add expression for each row below:
Okta drops you on the application detail page once the wizard completes.
1
Open View SAML setup instructions
On the application page, click the Sign On tab. In the right sidebar under SAML Setup, click View SAML setup instructions.
2
Copy the IdP URL and certificate
In the setup instructions panel, copy the values shown:
Identity Provider Single Sign-On URL — you’ll paste this into TrueFoundry as the Identity Provider Endpoint.
X.509 Certificate — copy the full certificate from the text box, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. You can also use Download certificate and open the file in a text editor.
3
Paste into TrueFoundry
Return to Settings → Security & Access → SSO in TrueFoundry and edit the SSO configuration you created in Step 1. Set:
Identity Provider Endpoint → Identity Provider Single Sign-On URL from Okta.
X.509 Certificate → the certificate you copied from the setup instructions.
Okta only lets users sign in to applications they’ve been explicitly assigned to.
1
Open Assignments
Inside your Okta application, click the Assignments tab and open the Assign dropdown.
2
Pick people or groups
Choose Assign to People or Assign to Groups, select the users or groups that should have TrueFoundry access, and click Assign for each. When you’re done, click Done.
Prefer assigning groups when you can — it pairs well with SCIM with Okta for automated user lifecycle management.
Users who are not assigned to the Okta application will see an “app not assigned” error when they click Login with Okta in TrueFoundry.
Open a private/incognito window and go to your TrueFoundry login page.
Click Login with Okta (or whichever label you set under Show advanced fields → Button Text).
Authenticate with an Okta user you assigned to the application.
If the sign-in succeeds you’ll land in the TrueFoundry dashboard. The user is created automatically if JIT provisioning is on, otherwise they must already exist in TrueFoundry or be invited.
'App is not assigned to this user' when clicking the login button
The Okta user isn’t assigned to your application. Go back to Step 5 and assign them under Assignments.
'Invalid Signature' or 'Could not validate SAML response'
The certificate copied into TrueFoundry doesn’t match Okta’s active signing certificate. Open Sign On → SAML Setup → View SAML setup instructions, copy the X.509 Certificate again (or use Download certificate), and paste the full PEM (including the BEGIN/END lines) into TrueFoundry.
The Login button works but the user gets 'no matching user found'
Check the provisioning mode under Settings → Security & Access → Provisioning:
Invite-only — the user must be invited from Access → Users first.
JIT — the user is created on first login automatically.
SCIM — the user must be synced from your IdP first. See SCIM with Okta.
Users sign in but email or unique ID is empty
Confirm Name ID format is set to EmailAddress and that Attribute statements on the Sign On tab includes email → user.profile.email and sub → user.id as described in Step 3. If you renamed attributes, expand Show advanced fields in TrueFoundry and set:
Email Claim → the attribute name you used for email (defaults to email).
Unique ID Claim → defaults to sub; on Okta the Name ID is typically the unique identifier, so you can usually leave this at the default.
'Audience Restriction' / 'Audience URI mismatch' errors
The Audience URI (SP Entity ID) in Okta doesn’t match TrueFoundry’s Audience URI (SP Entity ID). Re-copy the value from the TrueFoundry SSO configuration card and paste it verbatim into Okta (no trailing slashes, no extra whitespace).