Okta SAML IdP

Setup

Follow Okta’s Create custom SAML app integrations instructions to configure Okta as a SAML IdP.

Note: Set up Datadog as an Okta application manually. Do not use the preconfigured Datadog application.

Okta IDP Input Field	Expected Value
Single Sign On URL	Assertion Consumer Service URL (Find this URL on the Configure SAML page, in the Assertion Consumer Service URL field.)
Recipient URL	Assertion Consumer Service URL (or click the Use this for Recipient URL and Destination URL checkbox)
Destination URL	Assertion Consumer Service URL (or click the Use this for Recipient URL and Destination URL checkbox)
Audience URI (SP Entity ID)	Service Provider Entity ID (Find this ID on the Configure SAML page, in the Service Provider Entity ID field.)
Name ID Format	EmailAddress
Response	Signed
Assertion Signature	Signed
Signature Algorithm	SHA256
Assertion Encryption	Assertions can be encrypted, but unencrypted assertions are also accepted.
SAML Single Logout	Disabled
authnContextClassRef	PasswordProtectedTransport
Honor Force Authentication	Yes
SAML Issuer ID	`http://www.okta.com/${org.externalKey}`

Name	Name Format (optional)	Value
NameFormat	URI Reference	`urn:oasis:names:tc:SAML:2.0:attrname-format:uri`
sn	URI Reference	`user.lastName`
givenName	URI Reference	`user.firstName`

This is required only if you are using AuthN Mapping.

Name	Name Format (optional)	Value
memberOf	Unspecified	Matches regex `.*` (This method retrieves all groups. Contact your IDP administrator if this does not fit your use case.)

Additional information on configuring SAML for your Datadog account is available on the SAML documentation page.

In the event that you need to upload an IDP.XML file to Datadog before being able to fully configure the application in Okta, see acquiring the idp.xml metadata file for a SAML template App article for field placeholder instructions.