How do I use the Okta IdP metadata to set up SAML on the Service Provider side?
Daniel Sievers
Hi there,

I am currently trying to make a custom Java application SAML enabled. I have set up the application as a SAML app in the Okta admin application. The directions in "How to Configure SAML 2.0" then provide the IdP Single Sign-On URL, IdP Issuer, and the X.509 certificate.

How would I use this information in order to make my Service Provider (custom Java app) SAML enabled? Which would then allow it to communicate with Okta via the Okta SAML Toolkit.

Thanks for the help in advance!
James Flores (Okta, Inc.)
Hi Daniel, 

I am not sure if you are using the Spring Framework but this guide walks you through setting up a Java app to work with Okta via the Spring Framework.

http://developer.okta.com/docs/guides/spring_security_saml
Daniel Sievers
Hi James,

I am not using the Spring Framework for this application. Are the steps the same as far as Service Provider metadata goes? Ideally I can just utilize the Okta SAML Toolkit to communicate with Okta, but I need the proper SP metadata to pull from.

The main issue at hand is that I do not know how to use the information provided by Okta in order to formulate the SP metadata that I can then include in the custom Java app.

Thanks for the prompt reply!
Gabriel Sroka (Okta, Inc.)
Hi Daniel,
Are you using the example webapp? In the Okta SAML Toolkit, check out:
Okta-SAMLToolkit/examples/webapp/doc/README.html

Thanks,

Gabriel Sroka
Daniel Sievers
Hi Gabriel,

I have read the README and looked at the examples provided. However, in the Okta-SAMLToolkit/examples/webapp/src/main/resources/valid-config.xml it says that you can replace the commented out portion with valid "Template SAML 2.0 Metadata".

I have replaced the commented section of this file with the metadata provided by Okta for my custom application. However, when I run my program, an error is thrown as soon as the SamlValidator tries to configure using the .xml file I created. Any advice on where to start looking?

Thank you so much.
Gabriel Sroka (Okta, Inc.)
Hi Daniel,
Can you verify it's valid XML? Do you have an XML editor or validator? Can you paste a copy here?

Thanks,

Gabriel Sroka
Daniel Sievers
I validated that it was syntactically correct. The current XML that I am using is the following (I have replaced my actual company name with mycompany):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <applications>
    <application>
      <md:EntityDescriptor entityID="http://www.okta.com/exk6o98iwmuUMtJDq0h7" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
          <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Data>
                <ds:X509Certificate> *copied from Okta admin backend* </ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </md:KeyDescriptor>
          <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
          <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
          <md:SingleSignOnService Location="https://mycompany.oktapreview.com/app/mycompany_interfacesdjsminlocal_1/exk6o98iwmuUMtJDq0h7/sso/saml" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
          <md:SingleSignOnService Location="https://mycompany.oktapreview.com/app/mycompany_interfacesdjsminlocal_1/exk6o98iwmuUMtJDq0h7/sso/saml" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
        </md:IDPSSODescriptor>
      </md:EntityDescriptor>
    </application>
  </applications>
</configuration>
Gabriel Sroka (Okta, Inc.)
Hi Daniel,

The out-of-the-box valid-config.xml has a <default> element:
<default>http://www.okta.com/k1nrrxspKOQEZEDLPRXR</default>

but your XML file doesn't.

Can you give it a try (using your entity ID URL)?

Thanks,

Gabriel Sroka
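The check described in this answer (a valid-config.xml needs a <default> element naming one of the configured entity IDs), as an added example that is not part of this thread and not code from the Okta SAML Toolkit. It parses the same layout as the file the poster pasted: a <configuration> root, a <default> entity ID, and one md:EntityDescriptor per <application>. The sample config, its entity ID and URL are constructed; the checks on the SSO URL scheme and on the certificate being bare base64 are this example's own assumptions about what a sensible pre-flight looks like, not the toolkit's validation logic.

```python
"""Pre-flight check for an Okta SAML Toolkit valid-config.xml (added example)."""
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Metadata carries the signing cert as bare base64 DER: no PEM header lines.
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample mirroring the poster's file: no <default> element and a
# certificate placeholder instead of base64. Entity ID and URL are made up.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <applications>
    <application>
      <md:EntityDescriptor entityID="http://www.okta.com/exkEXAMPLEID" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
          <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Data>
                <ds:X509Certificate> *copied from Okta admin backend* </ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </md:KeyDescriptor>
          <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
          <md:SingleSignOnService Location="https://mycompany.oktapreview.com/app/exkEXAMPLEID/sso/saml" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
        </md:IDPSSODescriptor>
      </md:EntityDescriptor>
    </application>
  </applications>
</configuration>
"""


def parse_idp_metadata(entity):
    """Pull the values an SP needs out of one md:EntityDescriptor element."""
    sso = {}
    for svc in entity.iter(f"{{{MD}}}SingleSignOnService"):
        sso[svc.get("Binding", "")] = svc.get("Location", "")
    certs = [(c.text or "").strip() for c in entity.iter(f"{{{DS}}}X509Certificate")]
    formats = [(n.text or "").strip() for n in entity.iter(f"{{{MD}}}NameIDFormat")]
    return {
        "entity_id": entity.get("entityID", ""),
        "sso": sso,
        "certs": certs,
        "name_id_formats": formats,
    }


def load_applications(xml_text):
    """Parse every EntityDescriptor found under the toolkit <configuration>."""
    root = ET.fromstring(xml_text)
    return [parse_idp_metadata(e) for e in root.iter(f"{{{MD}}}EntityDescriptor")]


def check_toolkit_config(xml_text):
    """Return a list of problems; an empty list means the config looks usable."""
    problems = []
    root = ET.fromstring(xml_text)
    default = root.findtext("default")
    apps = load_applications(xml_text)
    ids = [a["entity_id"] for a in apps]
    if not apps:
        problems.append("no md:EntityDescriptor under <applications>")
    if default is None:
        problems.append("missing <default> element")
    elif default.strip() not in ids:
        problems.append(f"<default> {default.strip()!r} matches no application entityID")
    for a in apps:
        if not a["sso"]:
            problems.append(f"{a['entity_id']}: no SingleSignOnService")
        for loc in a["sso"].values():
            if not loc.startswith("https://"):
                problems.append(f"{a['entity_id']}: SSO URL is not https: {loc}")
        if not a["certs"]:
            problems.append(f"{a['entity_id']}: no signing certificate")
        for cert in a["certs"]:
            if not B64.match(re.sub(r"\s+", "", cert)):
                problems.append(f"{a['entity_id']}: X509Certificate is not bare base64")
    return problems


def with_default(xml_text, entity_id):
    """Insert the <default> element the answer above says is missing."""
    return xml_text.replace(
        "<configuration>", f"<configuration>\n  <default>{entity_id}</default>", 1
    )


if __name__ == "__main__":
    for p in check_toolkit_config(SAMPLE_CONFIG):
        print("problem:", p)
```

Run it against the real file by reading it into `check_toolkit_config`; the `<default>` value must be the IdP entity ID exactly as it appears in the `entityID` attribute, and the certificate text must be the base64 body only, without `-----BEGIN CERTIFICATE-----` lines.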
Gabriel Sroka (Okta, Inc.)
Hi Daniel,
Check out our updated Okta SAML guide:
http://developer.okta.com/docs/guides/spring_security_saml.html