Synap Home

SAML with Okta (EU)

Guide to Configuring SSO Using SAML and Okta for clients on Synap's EU infrastructure

Select SAML from the Authentication method drop down when setting up a new configuration for SSO

If you are an Synap Enterprise client on US Infrastructure please see our US specific docs . If you are unsure please get in touch with support

You will need to go to the SP Metadata URL to get a crt file that Okta needs this is stored at https://api.synap.ac/external-auth/saml/meta.xml , it will require some formatting but its a public certificate that is the same for everyone, a pre formatted version is below.

If you haven't already, create an Okta account (https://www.okta.com). From your Okta account and Applications, create a new app integration, select SAML 2.0

Continue to configure to the SAML, select show advanced options settings and plug in the following information:

  • Single sign-on URL = https://api.synap.ac/external-auth/saml/authenticate

    • Use for Recipient URL and Destination URL

  • Recipient URL = https://api.synap.ac/external-auth/saml/authenticate

  • Destination URL = https://api.synap.ac/external-auth/saml/authenticate

  • Audience URI (SP Entity ID) = https://api.synap.ac/

  • Assertion Encryption = Encrypted

  • Encryption Certificate = (attached crt file)

  • Attribute statements: (name โ‡’ value)

    • first_name โ‡’ user.firstName (unspecified)

    • last_name โ‡’ user.lastName (unspecified)

    • email โ‡’ user.email (unspecified)

Once done click next, we recommend โ€˜Iโ€™m a software vendorโ€™ to avoid some onboarding materials, however it's up to you, once done click finished.

You will now need to put some information back into Synap. Go back to Synap and fill in the following

From the Sign On tab

  • Metadata URL โ‡’ IdP Metadata URL*

Expand for more details

  • Sign on URL โ‡’ IdP SSO Login URL*

Save on Synap once youโ€™re happy, and enable your new configuration

To test youโ€™ll need to make a user in Okta, go back to Okta >Directory>People> add person. Use a name, email for a test user, setting a password makes it easier if it is not a real user. Once done save (you may need to refresh for them to appear on the list).

Note, you don't need to use a real email to test!

Add this user to the right application on Okta (optional turn off 2fa)

Now the user login is ready to test the login on Synap, go back to your portal either logged out as an admin or on an incognito window.

From the login page you'll see the option to 'Login with SSO' this text can be modified in the SSO settings and the Login standard way button can be removed by disabling local login on Settings>Authentication, this will mean users have to login via SSO. Once clicked the user will be temporarily redirected to the Okta login page, once they've logged in they will also be logged into Synap. The password used on Okta is may be different to the password they have on Synap

PreviousJSON Web Tokens (JWT)NextSAML with Okta (US)

Last updated