# Okta (SAML2)

### Create an Okta account and configure credentials

If you already have an Okta account, you can skip the first two steps and start directly with step 3.

1. For testing purposes you can create an **Integrator Free plan** at <https://developer.okta.com/signup/>
2. Follow the installation steps.
3. Log in to your Okta account administration.
4. Click **Applications -> Applications -> Create App Integration**.\
   ![](/files/arNAh3Ch3m9bZ6j6ZyIK)
5. Choose **SAML 2.0** as **Sign-in method** and click **Next**.\
   ![](/files/JJyPcAQy9mw39klZaFTD)
6. Enter an **App name** that helps you identify the purpose of this integration and click **Next**.\
   ![](/files/kk0SwmsPJfht3zkkqpGx)
7. Enter the **Single sign-on URL** and **Audience URI (SP Entity ID)** from your configured Okta service in Shopware. The URLs are named as **Redirect URI** and **Manifest URI** in the configured SSO entry in Shopware. You can find more information at [**Find the "Sign-in redirect url"**](/en/plugins/single-sign-on-sso/configuring-an-identity-provider/find-the-sign-in-redirect-url.md).\
   If you haven't configured it yet, you can follow our guide at [Configure Okta in Shopware extension](#configure-okta-in-shopware-extension). Choose **Email** for the **Application username** and **EmailAddress** for the **Name ID Format**.
8. Configure the **Attribute Statements** with the following values.\
   ![](/files/FYVS0Q1jYS2J9NjQ8UdS)
9. Click **Next** to go ahead to Step 3. Then click **Finish** on the feedback tab.
10. On the **Sign On** tab you can find a **Metadata URL**. Open this URL. Copy the string inside the **ds:X509Certificate** element and insert it into your configured Okta SSO service in the Shopware admin, on the **Credentials** tab, into the **idpCertificate** variable. Also copy the **SingleSignOnService Location** URL into the **singleSignOnServiceUri** variable and the **entityID** URL into the **entityId** variable in Shopware. You can see a screenshot of the Shopware configuration below in the chapter **Configure Okta in Shopware extension**.
11. Configure which people of your organisation are allowed to sign in by adding them on the **Assignments** tab.\
    ![](/files/Qu1F1I5NLZiiWMx85p7s)
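Step 10 asks you to pick three values out of the Okta metadata XML by hand. The following script is an added example (not part of the Shopware plugin or of Okta) that extracts them from a metadata document and refuses a certificate that is not clean base64, so a truncated copy/paste is caught before it reaches the Shopware configuration. The metadata sample embedded in it is constructed to mirror Okta's layout; the entity id, URLs and certificate body are placeholders.

```python
"""Added example: extract entityId, singleSignOnServiceUri and idpCertificate from SAML IdP metadata."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CERT_PATH = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed sample shaped like Okta's metadata; the certificate body is a placeholder, not a real key.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exk-EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>
        MIIC{'A' * 21}
        {'A' * 21}==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/exk-EXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://example.okta.com/app/exk-EXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str, binding: str = HTTP_REDIRECT) -> dict:
    """Return the three Shopware credential values; raise ValueError when an element is
    missing or the certificate is not valid base64 (a truncated copy/paste fails loudly)."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element in metadata")
    # Okta publishes the same Location for HTTP-POST and HTTP-Redirect; take the requested binding.
    locations = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == binding]
    if not locations:
        raise ValueError(f"no SingleSignOnService with binding {binding}")
    cert_el = idp.find(f"md:KeyDescriptor[@use='signing']/{CERT_PATH}", NS)
    if cert_el is None:  # some IdPs omit use="signing"; fall back to any key descriptor
        cert_el = idp.find(f"md:KeyDescriptor/{CERT_PATH}", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no X509Certificate in metadata")
    cert_b64 = re.sub(r"\s+", "", cert_el.text)   # the value is usually wrapped over several lines
    base64.b64decode(cert_b64, validate=True)      # binascii.Error (a ValueError) if corrupted
    return {"entityId": entity_id, "singleSignOnServiceUri": locations[0], "idpCertificate": cert_b64}
```

Feed it the body of the real metadata URL and paste the three returned values into the Shopware fields of the same name.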

### Configure Okta in Shopware extension

For detailed information follow the guide for managing the [SSO providers](/en/plugins/single-sign-on-sso/admin-dashboard/mapping.md).\
See the screenshot below for the fields required for the Okta integration.

<figure><img src="/files/eePbpkQrlNxu6923GFsN" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Don't forget to use the **Check credentials** button after you've entered and saved all credentials. With this button you can check if your connection could be established with Okta.
{% endhint %}

You can find the required credentials (singleSignOnServiceUri, entityId, idpCertificate) in your created app integration of the Okta account.

Please enter your spCertificate and spKey. See [How to generate spCertificate and spKey](#how-to-generate-spcertificate-and-spkey) for more information.

If you use the SAML2 template, all required mapping fields are already pre-configured.

{% hint style="info" %}
If you are not sure whether every person will have all required fields filled, define default values in the Shopware SSO mapping configuration.
{% endhint %}

### Add/edit users in the Okta directory

To enable your Okta directory users to sign in to the Shopware storefront, you need to add them to your directory.

1. At **Directory -> People** you'll find a list of all your current directory users. With the **Add person** button you can add more users to the directory. So first of all, create all users that will need to log in to the Shopware storefront via Okta.
2. Choose the app integration at **Applications -> Applications** which you have [created in your Okta account](#create-an-okta-account-and-configure-credentials).
3. Switch to the **Assignments** tab. Here you can find all users that are currently assigned to the app integration. By clicking **Assign -> Assign to people** you can add more users.\
   By clicking the pencil in the person list, you can edit a user.\
   ![](/files/bH5kHedLc3ibBbWDSUxY)

{% hint style="info" %}
Depending on your Shopware configuration, the required fields can differ. For example, the **Phone number** could also be a required field.
{% endhint %}

### How to generate spCertificate and spKey

The easiest way to generate the required **Public Key (spCertificate)** and **Private Key (spKey)** is to use OpenSSL on the shell of a Linux system. Just enter the following command:

```bash
openssl req -newkey rsa:2048 -nodes -keyout sp.key -x509 -days 365 -out sp.crt
```

After the command finishes you get two files: **sp.key (for the spKey)** and **sp.crt (for the spCertificate)**. Open the files and copy their content into the related Shopware configuration fields of your Okta service.

