Okta (SAML2)

This guide covers creating your Okta account and SAML app integration, using its credentials to configure the extension, and maintaining your user directory in Okta.

Create an Okta account and configure credentials

If you already have an Okta account, you can skip the first two steps and start directly with step 3.

  1. For testing purposes you can create an Integrator Free plan account at https://developer.okta.com/signup/

  2. Follow the sign-up steps.

  3. Log in to your Okta account administration (the Admin Console).

  4. Click Applications -> Applications -> Create App Integration.

  5. Choose SAML 2.0 as the Sign-in method and click Next.

  6. Enter an App name that identifies the purpose of this integration and click Next.

  7. Enter the Single sign-on URL and the Audience URI (SP Entity ID) of the Okta service you configured in Shopware. In the Shopware SSO entry these two URLs are labelled Redirect URI and Manifest URI. See Find the "Sign-in redirect url" for details; if you have not configured the service yet, follow Configure Okta in Shopware extension below first. Choose Email as the Application username and EmailAddress as the Name ID Format.

  8. Configure the Attribute Statements with the following values.

  9. Click Next to proceed to step 3, then click Finish on the Feedback tab.

  10. On the Sign On tab you will find a Metadata URL. Open this URL. Copy the string inside the ds:X509Certificate element and paste it into the idpCertificate field on the Credentials tab of your Okta SSO service in the Shopware admin. Also copy the SingleSignOnService Location URL into singleSignOnServiceUri and the entityID value into entityId. This certificate is what Shopware uses to verify the signature on the SAML responses Okta sends, so take it only from the metadata served by Okta over HTTPS, copy it without added line breaks, and copy the entityID exactly as given (it is an identifier, not an address to be "corrected"). A screenshot of the Shopware configuration is shown below in Configure Okta in Shopware extension.

  11. Configure who in your organisation is allowed to sign in by assigning People on the Assignments tab.
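Steps 7 and 10 are where this setup most often goes wrong: the certificate is pasted with line breaks, a non-signing key is taken, or a wrong URL is copied. The following script is an added example, not part of the Shopware extension or of Okta, that pulls the three values Shopware asks for (entityId, singleSignOnServiceUri, idpCertificate) out of an Okta IdP metadata document and applies the checks a practitioner would want before pasting them. It assumes a standard-library Python 3 only; the embedded metadata, the host and app identifiers in it (dev-000000.okta.com, exk0000000000000000) and the certificate value are constructed placeholders (the certificate is valid base64 but not a real certificate). Preferring the HTTP-Redirect binding over HTTP-POST is an assumption; in the sample, as in Okta's own metadata, both share one location.

```python
"""Extract entityId, singleSignOnServiceUri and idpCertificate from Okta IdP metadata.

Added example for step 10; not Shopware or Okta code. Standard library only.
The metadata below is a constructed sample in the shape Okta serves at the Metadata URL.
"""
import base64
import textwrap
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder: valid base64, but the bytes are not an X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample. Real metadata wraps the base64 certificate over several lines,
# which is why the parser strips all whitespace before handing the value on.
KEY_DESCRIPTOR_TEMPLATE = """
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          {cert}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>"""
METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{key_descriptors}
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-000000.okta.com/app/example/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-000000.okta.com/app/example/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def build_sample_metadata(cert_values):
    """Constructed metadata with one KeyDescriptor per certificate value (placeholders)."""
    descriptors = "".join(KEY_DESCRIPTOR_TEMPLATE.format(cert=c) for c in cert_values)
    return METADATA_TEMPLATE.format(key_descriptors=descriptors)


def fetch_metadata(url, timeout=10):
    """Download the metadata. Insist on HTTPS: the certificate inside it is the trust
    anchor for every assertion Shopware will accept, so it must not arrive over plaintext."""
    if not url.startswith("https://"):
        raise ValueError("refusing to fetch IdP metadata over a non-HTTPS URL")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_idp_metadata(xml_text):
    """Return the three values Shopware asks for, named as in its Okta SSO configuration."""
    # xml.etree is fine for metadata fetched from Okta over HTTPS; for XML supplied by an
    # untrusted party use defusedxml, which blocks entity-expansion attacks.
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if entity_id is None or idp is None:
        raise ValueError("not an IdP metadata document (no entityID / IDPSSODescriptor)")

    # Only keys marked for signing (or unmarked, which means both uses) may verify assertions.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            value = "".join((node.text or "").split())  # drop line wrapping
            base64.b64decode(value, validate=True)       # reject a garbled copy
            certs.append(value)
    if not certs:
        raise ValueError("no signing certificate in metadata")
    if len(certs) > 1:
        raise ValueError("metadata lists %d signing certificates (key rotation?); "
                         "decide which one Shopware must trust" % len(certs))

    locations = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    sso_uri = locations.get(REDIRECT) or locations.get(POST)  # assumption: prefer Redirect
    if sso_uri is None:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService in metadata")
    if not sso_uri.startswith("https://"):
        raise ValueError("SingleSignOnService location is not HTTPS: %s" % sso_uri)

    return {"entityId": entity_id, "singleSignOnServiceUri": sso_uri, "idpCertificate": certs[0]}


def to_pem(cert_b64):
    """PEM form of the metadata value, for SP libraries that want headers and 64-char lines."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    import sys
    # Pass the Metadata URL from the Sign On tab; without one, the constructed sample is used.
    text = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else build_sample_metadata([FAKE_CERT_B64])
    for key, value in parse_idp_metadata(text).items():
        print("%s = %s" % (key, value))
```

Run it with the Metadata URL from the Sign On tab as its only argument and paste the printed values into the Credentials tab. If Okta lists two signing certificates (for example while you rotate the app's signing key), the script stops instead of silently picking one, because trusting the wrong certificate means every login fails, while trusting a stale one after rotation means the same thing later.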

Configure Okta in Shopware extension

For detailed information, follow the guide for managing the SSO providers. The screenshot shows the fields required for the Okta implementation.

Don't forget to use the Check credentials button after you have entered and saved all credentials. It verifies that a connection to Okta can be established with them.

You can find the required credentials (singleSignOnServiceUri, entityId, idpCertificate) in the app integration you created in your Okta account.

Enter your spCertificate and spKey. See How to generate spCertificate and spKey below for details.

If you use the SAML2 template, all required mapping fields are already pre-configured.

If you are not sure that every person will have all required fields filled in, define default values in the Shopware SSO mapping configuration.

Add/ edit user in Okta directory

To let your Okta directory users sign in to the Shopware storefront, you need to add them to your directory and assign them to the app integration.

  1. Under Directory -> People you will find a list of all current directory users. Use the Add person button to create additional users. So first of all: create every user who needs to log in to the Shopware storefront via Okta.

  2. Open the app integration you created under Applications -> Applications.

  3. Switch to the Assignments tab. It lists all users currently assigned to the app integration. Click Assign -> Assign to People to add more users; click the pencil icon in the list to edit a user's attributes for this app.

Depending on your Shopware configuration, the required fields can differ. For example, the Phone number could also be a required field.

How to generate spCertificate and spKey

The easiest way to generate the required certificate (spCertificate, which carries the public key) and private key (spKey) is OpenSSL on a Linux shell. Enter the following command:

openssl req -newkey rsa:2048 -nodes -keyout sp.key -x509 -days 365 -out sp.crt

OpenSSL prompts for the certificate subject fields (country, organisation and so on); their values are not significant for SAML. When the command finishes you have sp.key (the spKey) and sp.crt (the spCertificate). Open the files and copy their content into the corresponding fields of your Okta service in Shopware. Treat sp.key as a secret: it is the service provider's private key, so do not share it or commit it to version control. The certificate expires after the 365 days set by -days; renew it before then and update the configuration everywhere it is used.
