Okta Classic Engine | Administration | Answered (posted 2024-02-15, last updated 2024-02-16)

GregK.54397 (Customer) asked a question.

Minimum Admin Role needed to Configure Identity Providers

to use Okta for IdP-initiated SSO into our software. We have a team of individuals who have historically managed our non-Okta SSO integrations that will be managing our Okta SSO integrations moving forward. These users will need to be able to Create and Configure Identity Providers in the Okta Admin Console.

 

My question is what is the minimum Admin Role that can Create and Configure Identity Provider?

Org Admins can, but Org Admins have a lot more permissions than I'd prefer this team have.

 

The documentation for Standard Admin Roles (https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm) doesn't seem to refer to IdP permissions. 

 

This documentation (https://help.okta.com/en-us/content/topics/security/custom-admin-role/about-role-permissions.htm*Identity_and_access_management_permissions) refers to Identity Provider Permissions, but doesn't say which standard roles have these permissions.

 

The Custom Admin Role UI doesn't include any IdP Permission options that I can find.

 

My best guess is that these users will need to be at least Org Admins to perform these tasks.

Is this correct?


  • DonF.81354 (Customer)

    Hi! My expectation, based on the documents we have linked, is that yes, org admin is the minimum required. For the following:

     

    Add a social IDP (the closest example) - org admin required

    Category of "Org Security" - org admin required

     

    In the worst-case scenario, application management requires super admin level permissions or app admin, but that is on a per-application basis. As there is no clear reference to IdP configuration, I would state that org admin is the least privileged level of access required. However, I invite others to comment as they may have better, more current info. Thanks!

  • Hello @GregK.54397 (Customer) Thank you for reaching out to our Community!

     

    At this time, Org Administrator is the only pre-defined admin level that allows you to create IdPs. However, there is an EA feature that you can enable, "Enable Custom Admin Roles for Identity Providers", which allows you to set up an admin role that can only create IdPs. You can enable this feature from the Admin Dashboard -> Settings -> Features.

    Please note that the custom role does not allow the assigned admin to create routing rules, and in order to enable editing of the IdP you also need to give permissions to Applications.

     Please also see our custom Admin doc:

    https://help.okta.com/en-us/content/topics/security/custom-admin-role/about-creating-custom-admin-roles.htm

     

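Added example, not from the thread or from Okta: a small least-privilege audit over admin role assignments in the shape returned by Okta's `GET /api/v1/users/{id}/roles` (`type` and `label` fields). It flags IdP-team members who hold Org Admin or Super Admin rather than a narrower custom role, team members with no IdP-capable role at all, and non-team users who can configure IdPs. The sample users, the team list and the custom-role label "IdP Manager" are constructed assumptions.

```python
"""Least-privilege audit for who can create/configure Identity Providers in Okta."""
from typing import Dict, List, Set

# Pre-defined role types that can create IdPs (per the thread: Org Admin;
# Super Admin is a superset of it).
IDP_CAPABLE_STANDARD_ROLES: Set[str] = {"SUPER_ADMIN", "ORG_ADMIN"}

# Constructed sample mirroring the "type"/"label" fields of the Okta roles API.
SAMPLE_ASSIGNMENTS: Dict[str, List[dict]] = {
    "alice@example.com": [{"type": "ORG_ADMIN", "label": "Organization Administrator"}],
    "bob@example.com": [{"type": "SUPER_ADMIN", "label": "Super Administrator"}],
    "carol@example.com": [{"type": "CUSTOM", "label": "IdP Manager"}],
    "dave@example.com": [{"type": "APP_ADMIN", "label": "Application Administrator"}],
    "eve@example.com": [{"type": "READ_ONLY_ADMIN", "label": "Read-only Administrator"}],
}
# Constructed: the team that is supposed to manage IdP integrations.
IDP_TEAM: Set[str] = {"alice@example.com", "carol@example.com", "eve@example.com"}
# Assumption: label of the custom role created via the EA feature for IdP management.
IDP_CUSTOM_ROLE_LABELS: Set[str] = {"IdP Manager"}


def can_configure_idps(roles: List[dict], custom_labels: Set[str]) -> bool:
    """True if any assigned role grants IdP creation (broad built-in or scoped custom)."""
    return any(
        r["type"] in IDP_CAPABLE_STANDARD_ROLES
        or (r["type"] == "CUSTOM" and r["label"] in custom_labels)
        for r in roles
    )


def audit(assignments: Dict[str, List[dict]], idp_team: Set[str], custom_labels: Set[str]) -> dict:
    """Compare actual IdP-capable access against the intended team."""
    findings = {"missing_access": [], "over_privileged": [], "unexpected_access": []}
    for user, roles in sorted(assignments.items()):
        capable = can_configure_idps(roles, custom_labels)
        broad = sorted({r["type"] for r in roles} & IDP_CAPABLE_STANDARD_ROLES)
        if user in idp_team:
            if not capable:
                findings["missing_access"].append(user)
            elif broad:  # team member, but via a role far wider than IdP management
                findings["over_privileged"].append((user, broad))
        elif capable:
            findings["unexpected_access"].append(user)
    return findings


if __name__ == "__main__":
    for category, entries in audit(SAMPLE_ASSIGNMENTS, IDP_TEAM, IDP_CUSTOM_ROLE_LABELS).items():
        print(f"{category}: {entries}")
```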
This question is closed.