This article provides step-by-step instructions for setting up Security Assertion Markup Language (SAML) app integrations between two Okta orgs.
- SAML app integrations between two Okta orgs
- Service Provider (SP)
- Identity Provider (IdP)
To enable single sign-on (SSO) between two Okta orgs, one org acts as the Identity Provider (IdP) and the other as the Service Provider (SP): the IdP org hosts a SAML 2.0 app integration that issues assertions, and the SP org hosts an external Identity Provider configuration that consumes them. Both sides must be configured so that the single sign-on URL, issuer, ACS URL, audience and signing certificates match; the sections below walk through each side in turn.
Set up External IdP in SP Org
To set up an External IdP in the SP org, follow these steps:
- Go to Security > Identity Providers > Add Identity Provider > Add SAML 2.0 IdP.
- Enter a name for the IdP and set IdP Username to idpuser.subjectNameId, so that the NameID in the assertion becomes the username that is matched or created in the SP org.
- Select Create New User (JIT) so that a user profile is created in the SP org the first time a user authenticates successfully through the IdP. With JIT enabled, every user the IdP org asserts is provisioned in the SP org, so control who is assigned the app on the IdP side.
- Okta requires an IdP Signature Certificate before the external IdP can be saved. The real certificate from the IdP org does not exist yet at this point, so upload a placeholder certificate (for example, okta-certificate-example.crt) for now; it is replaced with the IdP org's actual signing certificate in the Set up Certificate step below.
- Save the settings. Note the Assertion Consumer Service URL and Audience URI shown for the saved IdP; they are used in the next step.
Set up an SP App in the IdP Org
- Go to Applications > Add Application > Create New App > select SAML 2.0 > Create.
- Set the app name and click Next.
- Set the Assertion Consumer Service URL from the SP org's external IdP as the Single Sign-On URL, and check Use this for Recipient URL and Destination URL. The Destination and Recipient in the SAML response must match the SP org's ACS URL exactly, so copy the value as-is.
- Set the Audience URI from the SP org's external IdP as the Audience URI (SP Entity ID) in the app. The audience in the assertion must match this value exactly. Keep the rest of the settings unchanged.
- Scroll down to ATTRIBUTE STATEMENTS (OPTIONAL) and add any attributes that should be passed in the SAML response.
- If using the Dynamic ACS URL feature, which relies on signed SAML requests, check Validate SAML requests with signature certificates. The SP org's certificate used to verify those requests is uploaded later, in the Set up Certificate step.
- Keep the default settings and click Finish. Assign the app to the users (or groups) who should be able to sign in to the SP org; only assigned users receive assertions.
- Under Sign On, at the bottom right, click View SAML Setup Instructions. The page notes that single sign-on using SAML will not work until the SP is configured to trust Okta as an IdP.
- From the setup instructions, two values are needed to update the IdP in the SP org created in the first section: Identity Provider Single Sign-On URL and Identity Provider Issuer.
Finish Setting up External IdP in SP Org
To complete the setup of the external IdP in the SP org, follow these steps:
- Go to Security > Identity Providers and open the Identity Provider created earlier for editing.
- Copy the Identity Provider Issuer and Identity Provider Single Sign-On URL values from the IdP org's SAML setup instructions into the SP org's SAML Protocol Settings: the issuer goes into IdP Issuer URI and the sign-on URL into IdP Single Sign-On URL.
Set up Certificate
Each org must hold the other org's signing certificate: the SP org needs the IdP org's certificate to verify the signature on SAML responses, and, when signed requests are used, the IdP org needs the SP org's certificate to verify SAML requests. To set up the certificates, follow these steps:
- Download the signing certificate from the IdP org (it is shown on the app's SAML setup instructions) and convert the .crt file to a .pem file using the following command:
openssl x509 -in example.crt -out example.pem -outform PEM
If the downloaded file is binary DER rather than base64 PEM, add -inform DER to the command.
- Upload the .pem file to the SP org under the external IdP's SAML Protocol Settings (IdP Signature Certificate), replacing the placeholder certificate uploaded earlier.
- Download the certificate from the SP org's external IdP configuration and convert it in the same way:
openssl x509 -in example.crt -out example.pem -outform PEM
- Upload the .pem file to the IdP org's app under SAML Config > Settings > Show Advanced, as the certificate used to validate signed SAML requests.
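The conversion above assumes the downloaded file is already base64 PEM and gives no way to confirm that the file being uploaded is the one the other org actually signs with. The following shell script is an added example, not part of the original article, that wraps the openssl steps into a repeatable check: it converts a .crt to PEM whether it was saved as PEM or DER, prints the SHA-256 fingerprint and expiry date so they can be compared against the certificate shown in the other org's admin console before upload, and fails if the certificate is already expired. It only depends on the openssl CLI. The self-signed certificate it generates is a constructed stand-in for a real Okta download; the function names (to_pem, fingerprint, not_after, is_valid_now, make_sample_cert) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): normalise an Okta signing
# certificate to PEM and print the facts to compare on both orgs before
# uploading it. Requires the openssl CLI.
set -eu

# Convert a certificate file to PEM whether it was downloaded as PEM or DER.
# Usage: to_pem <in.crt> <out.pem>
to_pem() {
  in="$1"; out="$2"
  if grep -q 'BEGIN CERTIFICATE' "$in" 2>/dev/null; then
    openssl x509 -in "$in" -inform PEM -out "$out" -outform PEM
  else
    openssl x509 -in "$in" -inform DER -out "$out" -outform PEM
  fi
}

# SHA-256 fingerprint of a PEM certificate, as "AB:CD:..." without the label.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Expiry date of a PEM certificate, as printed by openssl (notAfter).
not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeeds only if the certificate has not yet expired:
# -checkend 0 exits non-zero when notAfter is not in the future.
is_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Constructed sample: a throwaway self-signed certificate standing in for the
# one downloaded from the IdP org. Writes sample.pem (PEM) and sample.crt (DER).
make_sample_cert() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj '/CN=example.okta.com' \
    -keyout "$dir/sample.key" -out "$dir/sample.pem" >/dev/null 2>&1
  # DER copy, because some browsers save a .crt in binary form.
  openssl x509 -in "$dir/sample.pem" -outform DER -out "$dir/sample.crt"
}

# Walk through the procedure end to end and print what to compare.
demo() {
  tmp=$(mktemp -d)
  make_sample_cert "$tmp"
  to_pem "$tmp/sample.crt" "$tmp/upload.pem"
  echo "fingerprint: $(fingerprint "$tmp/upload.pem")"
  echo "expires:     $(not_after "$tmp/upload.pem")"
  is_valid_now "$tmp/upload.pem" && echo "validity:    ok"
  rm -rf "$tmp"
}

# Run the walkthrough only when invoked as: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  demo
fi
```

In practice, replace the sample with the downloaded file, run to_pem on it, and compare the printed fingerprint with the one displayed in the source org's admin console before uploading the .pem to the other org; a mismatch means the wrong certificate (for example, a stale placeholder) is about to be trusted. Record the expiry date as well, since the trust breaks silently when Okta rotates the signing key.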
