Set up SSO integration with Okta

---

Single Sign-On (SSO) allows users to access the Infobip web interface using credentials managed by an external Identity Provider (IdP). This tutorial explains how to configure and test SSO integration between Infobip and Okta using the SAML 2.0 protocol.

After completing this tutorial, users in your organization can log in to the Infobip web interface through Okta without needing separate Infobip credentials.

---

Prerequisites

• An Infobip account. If you do not have an account, sign up (opens in a new tab) for an account.
• Account admin role on the Infobip web interface to configure SSO settings.
• A trial or paid Okta account with Admin privileges to access the Okta Admin Console.
• Ability to create and manage applications and test users in Okta.

---

Process overview

1. Configure SSO on the Infobip web interface.
2. Create and configure a SAML 2.0 application in Okta.
3. Retrieve SAML setup information from Okta and add it to Infobip.
4. Assign users to the Okta application.
5. (Optional) Enable auto-create users and groups.

---

Implementation steps

Configure SSO on the Infobip web interface

1. Log in to the Infobip web interface (opens in a new tab).
2. Go to Account settings → Security → Single Sign-On (SSO).
3. Select Configure to open the SSO setup page.
4. Enter a meaningful SP Entity ID (also called your custom domain). This automatically generates the SP Assertion Consumer Service (ACS) URL.
5. Note the SP Initiation URL. Users use this URL to initiate SSO login.

Create and configure the Okta application

1. Log in to the Okta Admin Console.
2. Go to Applications → Create App Integration.
3. Select SAML 2.0 as the sign-in method and proceed.
4. Fill in the following fields in Okta using data from the Infobip web interface:
   • Single sign on URL: In the Infobip web interface, fill in your custom domain for SP Initiation URL, then copy the SP Assertion Consumer Service URL from there and paste it into this field in Okta. Example: https://portal.infobip.com/login/saml/mycustomdomain/callback. This is the URL you need to use to actually log in with this SSO.
   • Audience URI (SP Entity ID): Copy the SP Entity ID from the Infobip web interface and paste it into this field in Okta. Example: https://portal.infobip.com/login/saml/mycustomdomain
5. Enable Use this for Recipient and Destination URL for the Single sign on URL.
6. Save the application.

Retrieve Okta SAML setup information

1. In the Okta Admin Console, open your created application.
2. Go to the Sign On tab.
3. Scroll down and select View SAML setup instructions.
4. Copy the following values from the Okta SAML instructions page into the corresponding fields in the Infobip SSO configuration:
   • IdP Login URL: Copy the Identity Provider Single Sign-On URL from Okta and paste it into the IdP Login URL field in the Infobip web interface SSO setup.
   • Identity Provider Issuer: Copy the Identity Provider Issuer from Okta and paste it into the Identity Provider Issuer field in the Infobip web interface SSO setup.
   • IdP Signature Certificate: Copy the X.509 Certificate from Okta (or download and open with a text editor) and paste it into the IdP Signature Certificate field in the Infobip SSO setup.

Assign users to the Okta application

1. In the Okta Admin Console, go to Applications.
2. Select your SAML application.
3. Go to the Assignments tab and select Assign.
4. Choose Assign to People or Assign to Groups.
5. Assign the users or groups who should have access to Infobip through SSO.

Optional: Enable auto-create users and groups

To allow automatic user and group creation in Infobip upon SSO login, configure the following settings.

Auto-create users

In the Infobip SSO configuration, enable Auto-create users. When enabled, Infobip automatically creates a user account upon the first successful SSO login.

Auto-create groups

1. In the Infobip SSO configuration, enable Auto-create groups. When enabled, Infobip synchronizes user groups from Okta on each login.
2. In the Okta SAML application, configure the following Group Attribute Statement:
   • Name: http://schemas.xmlsoap.org/claims/Group
   • Name format: Basic
   • Filter: Matches regex (configure as needed)

---

Additional configuration and security

• Regularly rotate certificates and secrets: Update certificates and secrets on both Okta and Infobip periodically to maintain security.
• Monitor audit logs: Track SSO login activities in Infobip audit logs to identify unauthorized access attempts or configuration issues.

---

Testing

To verify the SSO integration:

1. Open the SP Initiation URL (for example, https://portal.infobip.com/login/saml/mycustomdomain) in a browser. Alternatively, go to the Infobip login page and select Login with SSO.
2. You are redirected to Okta for authentication.
3. Log in with an Okta user account that is assigned to the application.
4. After successful authentication, Okta sends a SAML response to Infobip.
5. Infobip processes the response and grants access to the web interface.

---

Troubleshooting

• Verify that the SP Entity ID and Audience URI match exactly on both the Infobip and Okta sides.
• Ensure the Single sign on URL in Okta matches the SP Assertion Consumer Service URL from Infobip.
• Confirm that the NameID format is set to EmailAddress in the Okta application.
• Check that users are assigned to the Okta application.
• Remove all new lines from the X.509 certificate before saving it in Infobip.
• Use the SP Initiation URL to test the login flow.
• Review SAML response attributes if login fails.
• Infobip supports only the SP-initiated SAML flow.

---

Additional resources

• Configure Single Sign-On (SSO) in account settings
• Account access and login options
• Security recommendations