Set up SAML for Okta

Warning: The following instructions allow you to configure SAML SSO for the first time without help from Pendo Support. If you have one or more existing SAML SSO configurations that you want to add to or edit, contact Pendo Support instead.

This article describes how to set up SAML for Okta, which is a prerequisite for setting up SCIM for Okta so that you can create, remove, and update users in Pendo, and push groups into Pendo for configuring permissions.

SAML features

SAML for Okta supports the following features:

• SP-initiated single sign-on (SSO)
• IdP-initiation single sign-on (SSO)

For information about these features, see the Okta Glossary.

Prerequisites

• Organization admin rights for your company’s Pendo account.
• Administrator rights in your company’s Okta account.
• A new or existing SAML configuration in Okta.
• A SAML and SCIM-enabled Pendo subscription. For information, contact your Pendo representative.
• SAML enforced in your Pendo subscription. Contact Pendo Support to configure SAML for your subscription. For more information, see SAML Single Sign-On (SSO) overview.

Step 1. Verify your domain

Before you can add your SSO configuration to Pendo, you must verify your domain to show that you own it. You can only assign a SAML configuration to a verified domain, which means you can't complete the SAML SSO setup until you've verified one or more domain you want to use. For instructions, see Verify your domain.

Step 2. Create a SAML app integration

Create a new Pendo SAML app integration in Okta. You must set up your Pendo application in Okta even if you already have an Okta configuration. You can replace your existing Okta configuration by creating a new application to enable SCIM for your account. For more information, see Okta’s How to Configure SAML 2.0 for Pendo.

1. Sign in to your Okta account and select Admin.
2. Select the Pendo application.
3. In the Sign On tab, set the Default Relay State to the value corresponding with your region. Select the appropriate URL for your subscription’s data center.
   • US: https://pingone.com/1.0/c1dc3d4d-f04b-4c71-902f-af4895a57c21
   • US1: https://pingone.com/1.0/d65656ad-caef-4a4d-99d7-e998b6f0d97f 
   • EU: https://pingone.com/1.0/2e51bcef-d8c5-4e12-b145-9d94e09d7bb5 
   • JP: https://pingone.com/1.0/5d4212e1-4feb-4d30-b933-6bfda633d532
4. In the same Sign On tab, set the Application username format to Email. 

Step 3. Configure SAML SSO in Pendo

Configuring SAML SSO involves sharing your metadata XML with Pendo. For this, you can either:

• [Preferred] Copy the URL from View SAML setup instructions on the Sign On tab in the Okta Pendo app.
• Download the SAML IdP metadata XML file from the SAML setup instructions section of your app in Okta.

To add your SSO configuration to Pendo:

1. In Pendo, go to Settings > Organization settings.
2. Open the SSO tab.
3. Select + Add new configuration.
4. Use the Domain dropdown menu to select the domain.
5. Select Okta as your IdP.
6. Select how you want to share your metadata XML with Pendo, which can be either:
   • URL (preferred), which is provided by your IdP.
   • Metadata (XML), which is an XML file that you download from your IdP.
7. Optionally, select Sign AuthNRequest according to your business needs and policies.
8. Enter a Technical contact. This should be an email address for someone or a team that manages the IdP at your organization.
9. Select Save configuration. The configuration is added to the SAML Configurations table in the SSO tab.
10. Verify that the configuration is set up correctly by attempting to sign in on another browser. If you can't sign in, modify the configuration and repeat the process from steps 4 to 10, ensuring that you have the most up-to-date metadata XML file from your IdP.

If you or other users can't sign in, or if you can't set up the configuration correctly, contact Pendo Support.

Next steps

Setting up SAML SSO for Okta is a prerequisite to enabling SCIM for Okta. For next steps, see Set up SCIM for Okta.