Log in to the Okta admin dashboard for your organization.

For most companies, the login page will be https://login.okta.com/.

Click on Applications in the Applications list.

Click on Add Application.

Click on Create New App.

Select Web from the Platform options.

Select SAML 2.0 as the Sign on method.

Type a display name for your Dozuki site into the App name field.

For customers with a single Dozuki site, we recommend using Dozuki as the display name.

Click the Next button at the bottom of the window.

Open the management console of your Dozuki site in another browser window.

From the Configuration section in the sidebar menu, select Security.

Download the SAML `metadata.xml` file.

Open this file with text editor.

Under Single sign on URL, enter the URL of the page on your Dozuki site that you want your users to reach once signing in.

Enter the SP Entity ID.

Refer to the values in the SAML `metadata.xml` file.

Leave Advance Setting at default.

Enter userid into the Name field.

Enter user.id into the Value field.

If your company uses additional unique identifiers for your users, you can use those attributes instead of user.id.

Click on Add Another.

Enter username into the Name field.

Enter user.displayName into the Value field.

Click on Add Another.

Enter email into the Name field.

Enter user.email into the Value field.

Verify the Response is signed.

While Dozuki will accept the either the entire Reponse or the Assertion Signature, signing the Response provides an additional level of protection for the Response message while being sent over the network.

Verify Assertion Encryption is Unencrypted.

Dozuki does not currently support encrypted assertions.

Verify Single Logout (SLO) is unchecked.

Dozuki does not currently provide a public certification that Okta requires to support SLO.

Verify Honor Force Authentication is set to Yes.

In order to support SSO signoffs, Dozuki requires the re-entry of credentials for sign-offs. If set to No, when a user clicks the sign-off button, the sign-off would be completed without requiring the user to re-enter their credentials.

In the SAML Settings setup section, click the Download Okta Certificate.

Save the certificate file when prompted.

Open the certificate in a text editor.

Scroll down and click the Next button to save your changes and continue with the setup.

Open the management console of your Dozuki site in another browser window.

From the Configuration section in the sidebar menu, select Security.

Under the Authentication heading section of the Security page, click on SAML: Identity Provider X.509 Certificate.

Copy the body of certificate from your text editor.

The certificate should be formatted similar to the example shown under the Authentication section.

Paste the certificate into the text field.

Click the Save button to save your changes.

Click on the SAML: Identity provider URL heading under Authentication.

Under the Application section in the Okta portal, click on the app icon for Dozuki.

Select the Sign On Tab.

Click on the View Setup Instructions button.

Paste the Identity Provider Issuer into the SAML 2.0: Identity Provider ID text field in your Dozuki site.

Click the Save button to save your changes.

Click on the SAML: Identity provider URL heading under Authentication.

From the Set up Instructions in the Okta portal, Copy the Identity Provider Single Sign-On URL.

Paste the Identity Provider Single Sign-On URL into the Test a SAML identity provider URL text field in your Dozuki site to test the SSO connection.

We recommend testing the SAML connection through your Dozuki site before enabling SAML 2.0 as the authentication mechanism. Testing the connection from within Dozuki will prevent disruption to your active site and current users.

Once the connection test succeeds, paste the Identity Provider Single Sign-On URL into the SAML: Identity provider URL field.

Click the Save button to save your changes.

In the Okta portal, Click on the Application section from the header.

Click the Dropdown button next to your application.

Select Assign to Users or Assign to Groups to add users and groups.

You can read more about assigning users and assigning groups in Okta.

Click on the Single sign on heading under Authentication.

Click on the Single Sign On type dropdown menu.

Select SAML 2 from the dropdown menu.

Click the Save button to save your changes.

Once SSO is enabled on your Dozuki site, you have the option to add a role attribute prefix. This helps when syncing to third-party IdPs and will allow roles to be passed as `dozuki-<role>` (`dozuki-admin`, `dozuki-author`, etc.)

Dozuki defined roles (admin, author, user, etc.) cannot be customized.

Click Edit.

Add your desired role attribute prefix.

Click Save.

Your role attribute prefix will be displayed.

Once Single Sign On is enabled, SSO auth for signoffs & approvals will appear in the Authentication section of the Security settings.

This feature allows users to enter their SSO authentication for Signoffs and Approvals instead of a separate Dozuki password.

SSO auth for signoffs & approvals is enabled by default when you enable SSO authentication.

Only disable SSO authentication for signoffs & approvals if you want your users to enter a separate Dozuki password for signoffs and approvals.