# SAML with Okta (EU)

Select SAML from the Authentication method drop-down when setting up a new configuration for SSO.

{% hint style="info" %}
If you are a Synap Enterprise client on US Infrastructure, please see our [US specific docs](https://academy.synap.ac/doc/portal-settings/portal-settings/sso-authentication/saml-with-okta-us). If you are unsure, please get in touch with support.
{% endhint %}

<figure><img src="https://3316915154-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkgvUeCmTPeNouRxGPC%2Fuploads%2FylEvpmE3KsiqNXLMpj8Y%2FScreenshot%202024-01-25%20at%2015.14.03.png?alt=media&#x26;token=46a8cd76-57d2-45a0-9183-94b37706b703" alt=""><figcaption><p>Creating a new SAML configuration</p></figcaption></figure>

You will need to go to the SP Metadata URL to get a crt file that Okta or other SSO providers need. It is stored at [https://api.synap.ac/external-auth/saml/certificate.crt](https://api.synap.ac/external-auth/saml/certificate.crt) and is a public certificate that is the same for everyone.

If you are using Okta and haven't already, create an account ([https://www.okta.com](https://www.okta.com/uk/)). From your SSO provider account, go to Applications, create a new app integration and select SAML 2.0.

<figure><img src="https://3316915154-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkgvUeCmTPeNouRxGPC%2Fuploads%2FfS7pIPQ5pV9VtEI0W2m6%2FScreenshot%202024-01-25%20at%2015.23.32.png?alt=media&#x26;token=b0b11867-4dba-463f-8ccf-45a08b9570b2" alt=""><figcaption><p>Okta application with SAML 2.0</p></figcaption></figure>

Continue to configure SAML, select the show advanced settings option and enter the following information:

* Single sign-on URL = `https://api.synap.ac/external-auth/saml/authenticate`
  * Use for Recipient URL and Destination URL
* Recipient URL = `https://api.synap.ac/external-auth/saml/authenticate`
* Destination URL = `https://api.synap.ac/external-auth/saml/authenticate`
* Audience URI (SP Entity ID) = `https://api.synap.ac/`
* Assertion Encryption = Encrypted
* Encryption Certificate = (attached crt file)
* Attribute statements: (name ⇒ value)
  * first\_name ⇒ user.firstName (unspecified)
  * last\_name ⇒ user.lastName (unspecified)
  * email ⇒ user.email (unspecified)
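
An added example, not Synap's or Okta's code: a small lint that checks an unencrypted SAML Response against the settings in the list above, which helps when a login fails because of a mismatched URL, audience or attribute name. It assumes you have the response XML before encryption (for example from an assertion preview in your IdP); `lint_saml_response` and `SAMPLE` are hypothetical names and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://api.synap.ac/external-auth/saml/authenticate"  # SSO/Recipient/Destination
AUDIENCE = "https://api.synap.ac/"                                # Audience URI (SP Entity ID)
REQUIRED_ATTRS = {"first_name", "last_name", "email"}             # attribute statement names

def lint_saml_response(xml_text):
    """Return mismatches between a SAML Response and the settings above.
    Configuration lint only: no signature verification, no decryption."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination is {root.get('Destination')!r}")
    recipients = [e.get("Recipient") for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    if not recipients or any(r != ACS_URL for r in recipients):
        problems.append(f"Recipient is {recipients!r}")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if AUDIENCE not in audiences:  # exact string match, trailing slash included
        problems.append(f"Audience is {audiences!r}, expected {AUDIENCE!r}")
    names = {e.get("Name") for e in root.iterfind(".//a:Attribute", NS)}
    missing = sorted(REQUIRED_ATTRS - names)
    if missing:
        problems.append("missing attributes: " + ", ".join(missing))
    return problems

# Constructed sample response (not captured from a real IdP); {placeholders} are filled below.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{acs}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{aud}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{first}"/><saml:Attribute Name="last_name"/>
      <saml:Attribute Name="email"/>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    # Audience without the trailing slash and an attribute named firstName both get flagged.
    bad = SAMPLE.format(acs=ACS_URL, aud="https://api.synap.ac", first="firstName")
    print("\n".join(lint_saml_response(bad)))
```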

Once done, click next. We recommend ‘I’m a software vendor’ to avoid some onboarding materials, but it's up to you. Once done, click finish.

<figure><img src="https://3316915154-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkgvUeCmTPeNouRxGPC%2Fuploads%2FYe601CjA5jKqSp7RUpfq%2FScreenshot%202024-01-25%20at%2016.10.37.png?alt=media&#x26;token=154b303e-fd54-46b1-ae85-003c5cade2d5" alt=""><figcaption><p>Okta active app</p></figcaption></figure>

You will now need to put some information back into Synap. Go back to Synap and fill in the following.

From the Sign On tab:

* Metadata URL ⇒ **IdP Metadata URL**\*

Expand for more details

* Sign on URL ⇒ **IdP SSO Login URL**\*

Save on Synap once you’re happy, and enable your new configuration.

<figure><img src="https://3316915154-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkgvUeCmTPeNouRxGPC%2Fuploads%2FnylqEmXj42uxV1hIRUez%2FScreenshot%202024-01-25%20at%2016.12.11.png?alt=media&#x26;token=ef73df86-1744-4756-87b6-334197d321db" alt=""><figcaption><p>Finalising on Synap </p></figcaption></figure>

To test, you’ll need to make a user in Okta. Go back to Okta > Directory > People > Add person. Enter a name and email for a test user; setting a password makes it easier if it is not a real user. Once done, save (you may need to refresh for them to appear on the list).

{% hint style="info" %}
Note, you don't need to use a real email to test!
{% endhint %}

<figure><img src="https://3316915154-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkgvUeCmTPeNouRxGPC%2Fuploads%2Fh93bzPqGo3PgYcUnEWmY%2FScreenshot%202024-01-25%20at%2016.13.43.png?alt=media&#x26;token=94d1a373-1939-4e4b-abca-5ed29e34eb4e" alt=""><figcaption><p>Creating a user in Okta</p></figcaption></figure>

Add this user to the right application on Okta (optionally, turn off 2FA).

<figure><img src="https://3316915154-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkgvUeCmTPeNouRxGPC%2Fuploads%2Fwyxgvo0C34q70QgiRRq0%2FScreenshot%202024-01-25%20at%2016.26.27.png?alt=media&#x26;token=55401219-b5c4-4d74-99a4-5c6fcb42b2f8" alt=""><figcaption></figcaption></figure>

The user is now ready to test the login on Synap. Go back to your portal, either logged out as an admin or in an incognito window.

<figure><img src="https://3316915154-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkgvUeCmTPeNouRxGPC%2Fuploads%2F6PRykqhKPr1MDzC1d4sQ%2FScreenshot%202024-01-25%20at%2016.15.23.png?alt=media&#x26;token=01ce5d9c-a19e-43c7-a6bf-a19d5e86234b" alt=""><figcaption><p>Login with SSO</p></figcaption></figure>

From the login page you'll see the option to 'Login with SSO'. This text can be modified in the SSO settings, and the 'Login standard way' button can be removed by disabling local login on Settings > Authentication; this will mean users have to log in via SSO. Once clicked, the user will be temporarily redirected to the Okta login page; once they've logged in, they will also be logged into Synap. The password used on Okta may be different to the password they have on Synap.

<figure><img src="https://3316915154-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkgvUeCmTPeNouRxGPC%2Fuploads%2FzPjv0eYrYZIQMDy99U6q%2FScreenshot%202024-01-25%20at%2016.24.56.png?alt=media&#x26;token=bc2900e8-5fe1-4d4d-8abf-07430f431a81" alt=""><figcaption><p>Okta SSO </p></figcaption></figure>


