Connect to Okta in the PE console

Configure your Okta integration settings in the Puppet Enterprise (PE) console.

Before you begin:
You need the URLs and certificate from the How to Configure SAML 2.0 for Puppet Enterprise Application page (which appears after you Configure the Okta application). You also need to know the values of the Signature Algorithm and Authentication context class settings in Okta.

For more information about PE's SAML configuration fields and their corresponding IdP and RBAC API mappings, refer to the SAML configuration reference and Okta's documentation.

  1. In the console, on the Access control page, click the SSO tab.
  2. Click Configure.
  3. Input a Display Name. This name is visible on the PE home page.
  4. Complete the Identity provider information fields:
    • Identity provider entity ID: Input the Identity Provider Issuer URL from Okta.
    • Identity provider SSO URL: Input the Identity Provider Single Sign-On URL from Okta.
    • Identity provider SLO URL: Input the Identity Provider Single Logout URL from Okta.
    • Identity provider SSO response URL: Optional and can be blank.
    • Identity provider certificate: Paste the entire X.509 Certificate from Okta, including the begin and end tags.
  5. Configure the Service provider configuration options as follows:
    • Name ID encrypted?: Yes
    • Sign authentication requests?: Yes
    • Sign logout response?: Yes
    • Sign logout requests?: Yes
    • Require signed messages?: Yes
    • Require signed assertions?: Yes
    • Sign metadata?: Yes
    • Require encrypted assertions?: No (leave unselected)
    • Require name ID encryption?: No (leave unselected)
    • Requested authentication context: Input the value of the Authentication context class from Okta in the following format:
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    • Requested authentication context comparison: Select minimum
    • Allow duplicated attribute name: No (leave unselected)
    • Validate xml?: No (leave unselected)
    • Signature algorithm: Must match the Signature Algorithm setting you chose in Okta, such as rsa-sha256
  6. Input Organization and Contacts information.
  7. The values in the Attribute binding fields must exactly match the corresponding fields in Okta.

    These settings define attributes and map them to user information in Okta, then PE uses these settings to understand user information received from Okta.

    Your Okta Administrator can provide these details, or you can retrieve them from Okta. Navigate to Applications > SAML General > Advanced settings > Attribute Statements, and then use the values from the Name fields in Okta to populate the Attribute binding fields in PE.

  8. Commit your changes.
What to do next Configure RBAC for an Okta integration