Skip to main content

Privacera Platform

Portal SSO with Okta using SAML

Okta is a third-party identity provider, offering single sign-on (SSO) authentication and identity validation services for a large number of Software-as-a-Service providers. PrivaceraCloud works with Okta's SAML (Security Assertion Markup Language) interface to provide an SSO/Okta login authentication to the Privacera portal. For more information, see CLI configuration.

Integration with Okta begins with configuration steps in the Okta administrator console. These steps also generate a Privacera portal account-specific identity_provider_metadata.xml file and an Identity Provider URL that are used in the Privacera CLI configuration steps.


To configure SSO with Okta , you need to configure and enable SSL for the Privacera Portal. See Enable CA Signed Certificates or Enable Self Signed Certificates.


To use Okta SSO with Privacera portal, you must have already established an Okta SSO service account. The following procedures require Okta SSO administrative login credentials.

Generate an Okta Identity Provider Metadata File and URL
  1. Log in to your Okta account as the Okta SSO account administrator.

  2. Select Applications from the left navigation panel, then click Applications subcategory.

  3. From the Applications page, click Create App Integration.


    In addition to creating new applications you can also edit existing apps with new configuration values.

  4. Select SAML 2.0, then click Next.

  5. In General Settings, provide a short descriptive app name in the App name text box. For example, enter Privacera Portal SAML.

  6. Click Next.

  7. In the SAML Settings configuration page, enter the values as shown in the following table:



    Single sign on URL


    Audience URI (SP Entity ID)


    Default RelayState

    The value identifies a specific application resource in an IDP initiated SSO scenario. In most cases this field will be left blank.

    Name ID format


    Application username

    Okta username









    If user’s login id is is not the same as the username, for example if user login id is email, this attribute will be considered as username in the portal. The username value would be email with the domain name ( removed. For example "", the username would be "john.joe". If there is another attribute which can be used as the username then this value will hold that attribute.

  8. Click Next.

  9. Select the Feedback tab and click I'm an Okta customer adding an internal app.

  10. Click Finish.

  11. From the General tab, scroll down to the App Embed Link section. Copy the Embed Link (Identity Provider URL) for PrivaceraCloud.

IdP provider metadata

In this topic, you will learn how to generate and save IdP provider metadata in XML format.

  1. Go to Sign On tab.

    > Settings, select the Identity Provider Metadata link located at the bottom of the Sign on methods area. The configuration file will open in a separate window.

  2. In the SAML Signing Certificates section, click the Generate new certificate button.

  3. In the list, click the Actions dropdown and select View IdP metadata.

    The XML file will be opened in a new tab.


    Make sure that the certificate you are downloading has an active status.

  4. Save the file in XML format.

Idp initiated SSO
  1. From Applications, login to the Okta Home Page Dashboard as a user by selecting the Okta Dashboard icon.

  2. Login to the Privacera Portal by selecting the newly added app icon.

CLI configuration
  1. SSH to the instance where Privacera is installed.

  2. Run the following command:

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.saml.aad.yml config/custom-vars/
  3. Edit the vars.portal.saml.aad.yml file.

    vi config/custom-vars/vars.portal.saml.aad.yml

    Modify the SAML_ENTITY_ID. You need to assign the value of the Entity ID achieved in the above section. For property details and description, refer to the Configuration Properties below.

    SAML_ENTITY_ID: "privacera-portal"
    SAML_BASE_URL: "https://{{app_hostname}}:6868"
    PORTAL_UI_SSO_URL: "saml/login"
    AAD_SSO_ENABLE: "true"
  4. Rename the downloaded Federation Metadata XML file as privacera-portal-aad-saml.xml. Copy this file to the ~/privacera/privacera-manager/ansible/privacera-docker/roles/templates/custom folder.

  5. Run the following command:

    cd ~/privacera/privacera-manager/
    ./ update
  6. If you are configuring the SSL in an Azure Kubernetes environment, then run the following command.

     ./ restart portal
Configuration properties





Enabled by default.


Get the value from the Prerequisites section.





Azure AD Login




Enabled by default. The global logout for SAML is enabled. Once a logout is initiated, all the sessions you've accessed from the browser would be terminated from the Identity Provider (IDP).


Browse and select the Federation Metadata XML, which you downloaded in the Prerequisites section.


Go to the login page of the Privacera Portal. You will see the Okta Login button.

Configure SAML assertion attributes

By default, the following assertion attributes are configured with pre-defined values:

  • Email

  • Username

  • Firstname

  • Lastname

You can customize the values for the assertion attributes. To do that, do the following:

  1. Run the following commands.

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.yml config/custom-vars/
    vi config/custom-vars/vars.portal.yml
  2. Add the following properties and assign your values. For more information on custom properties and its values, click here.

  3. Add the properties in the YAML file configured in the Configuration above.

     cd ~/privacera/privacera-manager/
    ./ update