[comment]: # ({430c433d-430c433d})
# 10 SAML setup with Okta

This section describes how to configure Okta to enable SAML 2.0
authentication for Zabbix.

[comment]: # ({/430c433d-430c433d})

[comment]: # ({840bcc38-012c5d63})
#### Okta configuration

1\. Go to <https://okta.com> and register or sign in to your account.

2\. In the Okta web interface, navigate to *Applications → Applications*
and press the "Add Application" button
(![](../../../../assets/en/manual/appendix/install/okta_add_app.png)).

3\. Press the "Create New App" button
(![](../../../../assets/en/manual/appendix/install/okta_create_app.png)).
In the popup window, select *Platform:* Web, *Sign on method:* SAML 2.0 and
press the "Create" button.

![](../../../../assets/en/manual/appendix/install/okta_app1.png){width="600"}

4\. Fill in the fields in the *General settings* tab (the first tab that
appears) according to your preferences and press "Next".

5\. In the *Configure SAML* tab enter the values provided below, then
press "Next".

-   In the **GENERAL** section:
    -   *Single sign on URL*:
        https://<your-zabbix-url>/ui/index\_sso.php?acs<br>
        The checkbox *Use this for Recipient URL and Destination URL*
        should be marked.
    -   *Audience URI (SP Entity ID)*: zabbix<br>
        Note that this value will be used within the SAML assertion as
        a unique service provider identifier (if it does not match, the
        operation will be rejected). It is possible to specify a URL or
        any string of data in this field.
    -   *Default RelayState*:<br>
        Leave this field blank; if a custom redirect is required, it can
        be added in Zabbix in the *Administration → Users* settings.
    -   Fill in other fields according to your preferences.

![](../../../../assets/en/manual/appendix/install/okta_app2.png)

::: noteclassic
If you plan to use an encrypted connection, generate private
and public encryption certificates, then upload the public certificate to
Okta. The certificate upload form appears when *Assertion Encryption* is set
to Encrypted (click *Show Advanced Settings* to find this parameter).

:::

-   In the **ATTRIBUTE STATEMENTS (OPTIONAL)** section add an attribute
    statement with:
    -   *Name:* usrEmail
    -   *Name format:* Unspecified
    -   *Value:* user.email

![](../../../../assets/en/manual/appendix/install/okta_app3.png)

6\. On the next tab, select "I'm a software vendor. I'd like to
integrate my app with Okta" and press "Finish".

7\. Now, navigate to the *Assignments* tab and press the "Assign" button,
then select *Assign to People* from the drop-down.

![](../../../../assets/en/manual/appendix/install/okta_assign.png)

8\. In the popup that appears, assign the created app to the people that
will use SAML 2.0 to authenticate with Zabbix, then press "Save and go back".

9\. Navigate to the *Sign On* tab and press the "View Setup
Instructions" button. Setup instructions will be displayed in a new tab;
keep this tab open while configuring Zabbix.

![](../../../../assets/en/manual/appendix/install/okta_setup.png)

[comment]: # ({/840bcc38-012c5d63})

[comment]: # ({81a4bfa0-81a4bfa0})
#### Zabbix configuration

1\. In Zabbix, go to the SAML settings in the *Administration →
Authentication* section and copy the information from the Okta setup
instructions into the corresponding fields:

-   Identity Provider Single Sign-On URL → SSO service URL
-   Identity Provider Issuer → IdP entity ID
-   Username attribute → Attribute name (usrEmail)
-   SP entity ID → Audience URI

2\. Download the certificate provided on the Okta setup instructions
page into the *ui/conf/certs* folder as idp.crt, and set permission 644 by
running:

    chmod 644 idp.crt

Note that if you have upgraded to Zabbix 5.0 from an older version, you
will also need to manually add these lines to the zabbix.conf.php file
(located in the *ui/conf/* directory):

    // Used for SAML authentication.
    $SSO['SP_KEY'] = 'conf/certs/sp.key'; // Path to your private key.
    $SSO['SP_CERT'] = 'conf/certs/sp.crt'; // Path to your public key.
    $SSO['IDP_CERT'] = 'conf/certs/idp.crt'; // Path to IdP public key.
    $SSO['SETTINGS'] = []; // Additional settings

See generic [SAML
Authentication](/manual/web_interface/frontend_sections/administration/authentication#saml_authentication)
instructions for more details.

3\. If *Assertion Encryption* has been set to Encrypted in Okta, the
"Assertions" checkbox of the *Encrypt* parameter should be marked in
Zabbix as well.

![](../../../../assets/en/manual/appendix/install/okta_zabbix.png)

4\. Press the "Update" button to save these settings.

::: noteclassic
To sign in with SAML, the user alias in Zabbix should match the user's
Okta e-mail. This setting can be changed in the *Administration →
Users* section of the Zabbix web interface.
:::
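
The certificate handling from step 2 and from the assertion encryption note, as an added example (not part of the Zabbix documentation): a shell sketch that creates the SP key pair under the file names the `$SSO` settings expect, then checks that sp.crt matches sp.key and that idp.crt parses and is unexpired. The function names, `CERT_DIR`, the script name `sp_certs.sh`, the certificate subject and the 600 mode on sp.key are assumptions.

```shell
#!/bin/sh
# Added example. File names follow the $SSO[...] paths shown on this page;
# function names, CERT_DIR and the certificate subject are assumptions.

# Generate the SP key pair that Zabbix reads as sp.key / sp.crt.
make_sp_pair() {
    dir=$1
    (
        umask 077   # the private key is never created world-readable
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=zabbix-sp" \
            -keyout "$dir/sp.key" -out "$dir/sp.crt" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/sp.key"   # assumption: file is owned by the web server user
    chmod 644 "$dir/sp.crt"   # public part, same mode the page sets on idp.crt
}

# Succeed only if the certificate ($1) carries the public key of the key ($2).
pair_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Succeed if the file parses as X.509 and has not expired; print its SHA-256
# fingerprint so the downloaded idp.crt can be compared with the IdP's copy.
cert_ok() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Runs only when CERT_DIR is set, e.g. CERT_DIR=ui/conf/certs sh sp_certs.sh
if [ -n "${CERT_DIR:-}" ]; then
    [ -f "$CERT_DIR/sp.key" ] || make_sp_pair "$CERT_DIR" || exit 1
    pair_matches "$CERT_DIR/sp.crt" "$CERT_DIR/sp.key" || { echo "sp.crt does not match sp.key" >&2; exit 1; }
    cert_ok "$CERT_DIR/idp.crt" || { echo "idp.crt is missing, unparsable or expired" >&2; exit 1; }
fi
```

Here sp.crt is the public certificate to upload to Okta when *Assertion Encryption* is set to Encrypted; sp.key stays on the Zabbix frontend host.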

[comment]: # ({/81a4bfa0-81a4bfa0})
