Using Okta as an External IDP with SAML

Follow the instructions below to connect Okta as a third party Identity Provider to WSO2 API Manager.


Before you begin, make sure you do the following.

  1. Create an account in
  2. Download WSO2 API Manager 4.0.0 distribution from
  3. Unzip the distribution and open the deployment.toml file located in <APIM_HOME>/repository/conf/. Add the following configuration
    enable_email_domain= true
    You need to enable this because Okta uses the email as the username by default. To use the email as the username in WSO2 API Manager you have to enable it as it is not enabled by default. Once enabled, you can use your email or a normal username as your username.
  4. Start the WSO2 API Manager server.

Step 1 - Configure Okta

  1. Login to the Okta developer console and switch to the classic UI.

  2. Go to Applications -> Add Application. Add new Okta SAML application

  3. Click Create New Application. Create new Okta SAML application

  4. Select Web as the Platform. Select SAML 2.0 as the sign-on method. Create a new application integration

  5. Enter the General Settings as shown in the images below. Enter application name

    Enter application details


    Audience URI should be same as the identity provider entity id name that is created in WSO2 API Manager

  6. Inside the SAML app you created go to Sign On and click View Setup Instructions.

    View Setup Instructions

    1. Scroll up to the Provide the following IDP metadata to your SP provider section. Copy and save the details given to a xml file.

      Copy and save xml

    2. Go to Assignments -> Assign. Click Assign to People and assign your current user.

      Assign your current user

  7. Switch back to the Developer Console shown in step 1.

  8. Follow these steps to add a new attribute to the default user profile of Okta to represent the user role.

    1. Navigate to Users -> Profile Editor and click the pencil icon to edit the default profile.

      Edit the default profile in the Profile Editor

    2. Click Add Attribute to add new user attributes.

      Add new attribute

  9. Enter the user attributes shown in the image below. Click Save.

    Add new attributes

  10. Follow the steps below to edit the user profile.

    1. Go to Users -> People and click on your profile name.

    2. Click Edit to change the profile details.

    3. Add the Role. This will be used in the API Manager to map an internal role to the provisioned user.

Step 2 - Configure API Manager

  1. Login in to https://localhost:9443/carbon.

  2. Create a role that needs to be assigned to users that will be provisioned from Okta.

    1. Go to Users and Roles.

    2. Add a new role.

    3. Assign the following permissions to the role and click Save.

  3. Add role permissions via the WSO2 API Manager Admin Portal.

    1. Sign in to the WSO2 API Manager Admin Portal.


    2. Click Settings and then click Role Permissions.

      Okta API-M role pemission mapping

    3. Click Add role permission.

    4. Enter okta_role in the Provide role name field and click Next.

      Edit Okta API-M role pemission mapping

    5. Go to Select permissions, click Custom permissions, and start assigning the permissions as shown below.

      These permissions will allow a user having the okta_role to login to Publisher and Developer Portals.

      Okta API-M role pemission mapping

      Okta API-M role pemission mapping

      Okta API-M role pemission mapping

      Okta API-M role pemission mapping

      Okta API-M role pemission mapping

      Okta API-M role pemission mapping

    6. Click Save to save your changes.


    If you want your user to perform analytics-based tasks, you should add the okta_role to the required analytics scopes according to your preference. The steps below are given as an example.

    1. Sign in to the API-M Management Console. https://localhost:9443/carbon

    2. Navigate to Main > Resources > Browse.

    3. Enter /_system/config/apimgt/applicationdata/tenant-conf.json as the location and click Go to browse the registry and locate the required resource.

    4. Update the RESTAPIScopes JSON field by adding okta_role to the Roles field under the corresponding Name fields as shown below for the analytics related scopes.

          "Name": "apim_analytics:api_analytics:view",
          "Roles": "admin,Internal/creator,Internal/publisher,okta_role"
          "Name": "apim_analytics:application_analytics:view",
          "Roles": "admin,Internal/subscriber,okta_role"

    5. Click Save Content.
  4. Add an Identity Provider.

    1. Sign in to the WSO2 API-M Management Console.


    2. Click Main and then click Add under Identity Providers.

    3. Enter the Identity Provider's Name.

      Add an IDP for Okta SAML

    4. Expand Federated authenticators -> OAuth2/OpenID Connect Configuration and add the following details.

      API-M IDP OIDC details

      Field Sample value
      Enable OAuth2/OpenIDConnect True
      Client id You can find this value from the Okta application that you created.
      Client secret You can find this value from the Okta application that you created.
      Authorization Endpoint URL https://your_okta_url/oauth2/default/v1/authorize
      Token Endpoint URL https://your_okta_url/oauth2/default/v1/token
      callback url https://localhost:9443/commonauth
      Userinfo Endpoint URL https://your_okta_url/oauth2/default/v1/userinfo
      Logout Endpoint URL https://your_okta_url/oauth2/default/v1/logout
      Additional Query Parameters scope=openid%20profile

    5. Expand Claim Configuration -> Basic Claim Configuration. Add the claim configurations as shown in the image below.

      Okta API-M IDP claims details

    6. Expand Role configuration and add okta_role as shown below.

      You can check if the user logged in has the role any and assign the local okta_role.

    7. Enable Just-in-Time Provisioning for the user to be saved in the API Manager user store.


    When Just-In-Time Provisioning is enabled, the user details will be saved in the API Manager user store. User profile details will be updated via the federation following each login event. To preserve the user profile details without any changes you need to enable SystemRolesRetainedProvisionHandler.

    Add the following to the <API-M_HOME>/repository/conf/deployment.toml file and restart the server.

    provisioning_handler = "org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.SystemRolesRetainedProvisionHandler"
  5. Update the Service Providers.

    1. Click Service Providers -> List in the WSO2 API-M Management Console.

      There are two service providers available by default; apim_publisher and apim_devportal.

    2. Click Edit to edit apim_publisher.


      You need to have signed in to the Developer Portal and Publisher at least once for the two service providers to appear, as it is created during the first sign in.

      Okta API-M role OIDC SP

    3. Expand Local & Outbound Authentication Configuration under Federated Authentication and select the identity provider you created.

      Okta API-M role OIDC SP outbound

    4. Repeat the latter mentioned two steps for apim_devportal.

Now you will be able to Sign in to the Publisher and Developer Portal using Okta.