Okta SAML IdP

Setup

Follow Okta’s Create SAML app integrations docs to configure Okta as a SAML IdP.

Note: It’s recommended that you set up Datadog as an Okta application manually, as opposed to using a pre-configured configuration.

Note: US1 customers can use the preset configuration in Okta’s How to Configure SAML 2.0 for Datadog docs to configure Okta as a SAML IdP.

Okta IDP Input Field	Expected Value
Single Sign On URL	Assertion Consumer Service URL (Find this URL on the Configure SAML page, in the Assertion Consumer Service URL field.)
Recipient URL	Assertion Consumer Service URL (or click the Use this for Recipient URL and Destination URL checkbox)
Destination URL	Assertion Consumer Service URL (or click the Use this for Recipient URL and Destination URL checkbox)
Audience URI (SP Entity ID)	Service Provider Entity ID (Find this URL on the Configure SAML page, in the Service Provider Entity ID field.)
Name ID Format	EmailAddress
Response	Signed
Assertion Signature	Signed
Signature Algorithm	SHA256
Assertion Encryption	Assertions can be encrypted, but unencrypted assertions are also accepted.
SAML Single Logout	Disabled
authnContextClassRef	PasswordProtectedTransport
Honor Force Authentication	Yes
SAML Issuer ID	`http://www.okta.com/${org.externalKey}`

Name	Name Format (optional)	Value
NameFormat	URI Reference	`urn:oasis:names:tc:SAML:2.0:attrname-format:uri`
sn	URI Reference	`user.lastName`
givenName	URI Reference	`user.firstName`

This is required only if you are using AuthN Mapping.

Name	Name Format (optional)	Value
memberOf	Unspecified	Matches regex `.*` (This method retrieves all groups. Contact your IDP administrator if this does not fit your use case.)

Additional information on configuring SAML for your Datadog account is available on the SAML documentation page.

In the event that you need to upload an IDP.XML file to Datadog before being able to fully configure the application in Okta, see acquiring the idp.xml metadata file for a SAML template App article for field placeholder instructions.