# Set up SSO integration with Okta
___

[Single Sign-On (SSO)](https://www.infobip.com/docs/essentials/manage-my-account/account-access#log-in-with-single-sign-on-sso) allows users to access the Infobip web interface using credentials managed by an **external Identity Provider (IdP)**. This tutorial explains how to configure and test SSO integration between Infobip and Okta using the SAML 2.0 protocol.

After completing this tutorial, users in your organization can log in to the Infobip web interface through Okta without needing separate Infobip credentials.

___

## Prerequisites

- An Infobip account. If you do not have one, [sign up](https://www.infobip.com/signup).
- [Account admin](https://www.infobip.com/docs/essentials/manage-my-account/manage-roles#general-roles-predefined-roles) role on the Infobip web interface to configure SSO settings.
- A trial or paid **Okta** account with **Admin** privileges to access the Okta Admin Console.
- Ability to create and manage applications and test users in Okta.

___

## Process overview

1. Configure SSO on the Infobip web interface.
2. Create and configure a SAML 2.0 application in Okta.
3. Retrieve SAML setup information from Okta and add it to Infobip.
4. Assign users to the Okta application.
5. (Optional) Enable auto-create users and groups.

___

## Implementation steps

### Configure SSO on the Infobip web interface [#configure-sso-infobip]

1. Log in to the [**Infobip web interface**](https://portal.infobip.com/login).
2. Go to **Account settings** → **Security** → **Single Sign-On (SSO)**.
3. Select **Configure** to open the SSO setup page.
4. Enter a meaningful **SP Entity ID** (also called your custom domain). This automatically generates the **SP Assertion Consumer Service (ACS) URL**.
5. Note the **SP Initiation URL**. Users use this URL to initiate SSO login.

NOTE
The SSO configuration is fully **self-service**. No additional data is required from Infobip as the Service Provider. All necessary details are provided during the setup process.

### Create and configure the Okta application [#create-configure-okta-app]

1. Log in to the **Okta Admin Console**.
2. Go to **Applications** → **Create App Integration**.
3. Select **SAML 2.0** as the sign-in method and proceed.
4. Fill in the following fields in Okta using data from the Infobip web interface:
   - **Single sign on URL**: In the Infobip web interface, fill in your custom domain for **SP Initiation URL**, then copy the **SP Assertion Consumer Service URL** from there and paste it into this field in Okta. Example: `https://portal.infobip.com/login/saml/mycustomdomain/callback`. This is the URL you need to use to actually log in with this SSO.
   - **Audience URI (SP Entity ID)**: Copy the **SP Entity ID** from the Infobip web interface and paste it into this field in Okta. Example: `https://portal.infobip.com/login/saml/mycustomdomain`
5. Enable **Use this for Recipient and Destination URL** for the Single sign on URL.
6. **Save** the application.

### Retrieve Okta SAML setup information [#retrieve-okta-saml-info]

1. In the Okta Admin Console, open your created application.
2. Go to the **Sign On** tab.
3. Scroll down and select **View SAML setup instructions**.
4. Copy the following values from the Okta SAML instructions page into the corresponding fields in the Infobip SSO configuration:
   - **IdP Login URL**: Copy the **Identity Provider Single Sign-On URL** from Okta and paste it into the **IdP Login URL** field in the Infobip web interface SSO setup.
   - **Identity Provider Issuer**: Copy the **Identity Provider Issuer** from Okta and paste it into the **Identity Provider Issuer** field in the Infobip web interface SSO setup.
   - **IdP Signature Certificate**: Copy the **X.509 Certificate** from Okta (or download and open with a text editor) and paste it into the **IdP Signature Certificate** field in the Infobip SSO setup.

NOTE
Before saving the X.509 certificate in the Infobip SSO configuration, you must **remove all new lines** from the certificate text. You can use the find and replace feature in a text editor like Notepad++ to remove line breaks.
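
A scripted alternative to the find-and-replace step, added here as an example (it is not Infobip or Okta code). It removes the line breaks and computes a SHA-256 fingerprint before and after, so you can confirm the flattened text still decodes to the same certificate bytes. The function names are hypothetical and the sample input is constructed placeholder data, not a real certificate.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def flatten_certificate(pem_text: str) -> str:
    """Return the certificate text with every line break (LF or CRLF) removed."""
    return "".join(line.strip() for line in pem_text.splitlines())

def sha256_fingerprint(pem_text: str) -> str:
    """Decode the base64 body and return its SHA-256 fingerprint as colon-separated hex."""
    match = PEM_RE.search(pem_text)
    body = match.group(1) if match else pem_text   # accept text with or without markers
    body = "".join(body.split())
    der = base64.b64decode(body, validate=True)    # raises on stray or truncated characters
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed sample: NOT a real certificate, only DER-shaped placeholder bytes
# wrapped at 64 characters with CRLF line endings, as a downloaded file might be.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(textwrap.wrap(base64.b64encode(FAKE_DER).decode(), 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    flat = flatten_certificate(SAMPLE_PEM)
    # Same fingerprint before and after means only line breaks were removed
    assert sha256_fingerprint(flat) == sha256_fingerprint(SAMPLE_PEM)
    print(flat)
    print("SHA-256:", sha256_fingerprint(flat))
```

Recording the fingerprint at setup time also gives you a value to compare against when you rotate the certificate later.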

### Assign users to the Okta application [#assign-users-okta]

1. In the Okta Admin Console, go to **Applications**.
2. Select your SAML application.
3. Go to the **Assignments** tab and select **Assign**.
4. Choose **Assign to People** or **Assign to Groups**.
5. Assign the users or groups who should have access to Infobip through SSO.

### Optional: Enable auto-create users and groups [#enable-auto-create]

To allow automatic user and group creation in Infobip upon SSO login, configure the following settings.

#### Auto-create users

In the Infobip SSO configuration, enable **Auto-create users**. When enabled, Infobip automatically creates a user account upon the first successful SSO login.

#### Auto-create groups

1. In the Infobip SSO configuration, enable **Auto-create groups**. When enabled, Infobip synchronizes user groups from Okta on each login.
2. In the Okta SAML application, configure the following **Group Attribute Statement**:
   - **Name**: `http://schemas.xmlsoap.org/claims/Group`
   - **Name format**: Basic
   - **Filter**: Matches regex (configure as needed)

NOTE
Infobip automatically creates teams that match the Okta groups and assigns users accordingly. After team creation, you must **manually assign roles** to the teams for permissions to take effect.

___

## Additional configuration and security

- **Regularly rotate certificates and secrets**: Update certificates and secrets on both Okta and Infobip periodically to maintain security.
- **Monitor audit logs**: Track SSO login activities in Infobip audit logs to identify unauthorized access attempts or configuration issues.

___

## Testing

To verify the SSO integration:

1. Open the **SP Initiation URL** (for example, `https://portal.infobip.com/login/saml/mycustomdomain`) in a browser. Alternatively, go to the Infobip login page and select **Login with SSO**.
2. You are redirected to Okta for authentication.
3. Log in with an Okta user account that is assigned to the application.
4. After successful authentication, Okta sends a SAML response to Infobip.
5. Infobip processes the response and grants access to the web interface.

NOTE
If auto-create users is enabled, a new user account is automatically created in Infobip upon the first successful login. If auto-create users is disabled, the user must already exist in Infobip with an email address that matches the `NameID` in the SAML response.

___

## Troubleshooting

- Verify that the **SP Entity ID** and **Audience URI** match exactly on both the Infobip and Okta sides.
- Ensure the **Single sign on URL** in Okta matches the **SP Assertion Consumer Service URL** from Infobip.
- Confirm that the `NameID` format is set to **EmailAddress** in the Okta application.
- Check that users are assigned to the Okta application.
- Remove all new lines from the **X.509 certificate** before saving it in Infobip.
- Use the **SP Initiation URL** to test the login flow.
- Review SAML response attributes if login fails.
- Infobip supports only the **SP-initiated** SAML flow.
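
The checks in this list can be run against a captured SAML response. The following is an added example, not Infobip or Okta code. It assumes you have the base64 value of the `SAMLResponse` form field posted to the ACS URL; the function names, user and group in the sample are constructed, and the URLs are the example values used on this page.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # attribute name from this page

def check_saml_response(b64_response, sp_entity_id, acs_url, expect_groups=False):
    """List mismatches between a captured SAML response and the SP settings.
    Troubleshooting aid only: the signature is not verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    scd = root.find(".//a:SubjectConfirmationData", NS)
    name_id = root.find(".//a:Subject/a:NameID", NS)
    found = {
        "Destination": (root.get("Destination"), acs_url),
        "Recipient": (scd.get("Recipient") if scd is not None else None, acs_url),
        "Audience": (root.findtext(".//a:Audience", namespaces=NS), sp_entity_id),
        "NameID Format": (name_id.get("Format") if name_id is not None else None,
                          EMAIL_FORMAT),
    }
    # Exact string comparison: a trailing slash or case change counts as a mismatch
    problems = [f"{k}: got {got!r}, expected {want!r}"
                for k, (got, want) in found.items() if got != want]
    names = {a.get("Name") for a in root.iterfind(".//a:Attribute", NS)}
    if expect_groups and GROUP_ATTR not in names:
        problems.append(f"Attribute {GROUP_ATTR} missing (auto-create groups)")
    return problems

# Constructed sample built from this page's example URLs; user and group are made up
ACS = "https://portal.infobip.com/login/saml/mycustomdomain/callback"
ENTITY = "https://portal.infobip.com/login/saml/mycustomdomain"

def build_sample(audience=ENTITY):
    xml = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{ACS}">
 <a:Assertion><a:Subject>
   <a:NameID Format="{EMAIL_FORMAT}">user@example.com</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS}"/></a:SubjectConfirmation>
  </a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="{GROUP_ATTR}">
    <a:AttributeValue>Support</a:AttributeValue></a:Attribute></a:AttributeStatement>
 </a:Assertion></p:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(build_sample(), ENTITY, ACS, expect_groups=True))
    print(check_saml_response(build_sample(ENTITY + "/"), ENTITY, ACS))
```

A captured response contains the user's identity and is valid for a short window, so treat it as sensitive and delete it after troubleshooting.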

___

## Additional resources

- [Configure Single Sign-On (SSO) in account settings](https://www.infobip.com/docs/essentials/manage-my-account/account-settings#configure-single-sign-on-sso-security-settings)
- [Account access and login options](https://www.infobip.com/docs/essentials/manage-my-account/account-access)
- [Security recommendations](https://www.infobip.com/docs/essentials/manage-my-account/security-recommendations)