Using Okta as an IdP (SAML Integration)

You can configure Okta as a SAML-based Identity Provider (IdP) for Tellius by setting up a custom SAML application in your Okta dashboard. This setup enables secure single sign-on (SSO), so users can log in to Tellius using their corporate Okta credentials.

1. Go to https://admin.okta.com. Make sure you are in the correct organization/tenant where you want to manage access to Tellius.

2. Navigate to Applications → Applications (left sidebar). Click on Add Application.

1. In the dialog box, select Platform as Web. Choose Sign-on method as SAML 2.0 and click on Create.

1. Provide an App name. Optionally, add a logo and description. Click on Next.

1. Fill in the following fields:

• Single Sign-On URL: https://<YOUR_TELLIUS_URL>/sso/sp/consume/idp1

  Replace <YOUR_TELLIUS_URL> with your actual Tellius instance URL.

• Audience URI (SP Entity ID): This must be exactly tellius.

• Default RelayState: /saml_callback

1. These are used to map user identity fields from Okta to Tellius. Add the following attributes. These ensure that Tellius can correctly identify and create user profiles.

• firstName - user.firstName

• lastName - user.lastName

• email - user.email

1. Set the App type to Internal if this app is for your organization’s internal users and click on Finish.

1. Once the application is created, you'll be redirected to the application’s Settings Overview. Click on View Setup Instructions (top-right corner).

2. A new tab will open containing detailed SAML configuration. Scroll to the bottom and locate the Identity Provider Metadata.

3. Click to download the XML file.

4. Once you have the metadata XML, follow the standard Tellius SAML configuration instructions:

• Go to Settings > Security > Authentication

• Select SAML as the authentication method.

• Upload the metadata XML.

• Save and confirm.

From now on, users who try to access Tellius will be redirected to your Okta login screen. After successful login, they’ll be automatically provisioned and signed into Tellius using the mapped attributes.

Users are auto-created in Tellius on their first login if their email matches the SAML mapping.