# Using Okta as an IdP (SAML Integration)

You can configure Okta as a SAML 2.0 Identity Provider (IdP) for Tellius by creating a custom SAML application in your Okta admin console. Tellius acts as the Service Provider (SP): users are redirected to Okta to authenticate, and Okta returns a signed SAML assertion that Tellius uses to sign them in with their corporate credentials.

1. Go to <https://admin.okta.com>. Make sure you are in the correct organization/tenant where you want to manage access to Tellius.
2. Navigate to **Applications** **→** **Applications** (left sidebar). Click on **Add Application**.

<figure><img src="https://content.gitbook.com/content/VXyBWnsg0T2tHBl87viA/blobs/PKSgEGyqhlEkDaHxc1qD/image.png" alt="" width="563"><figcaption><p>Add Application</p></figcaption></figure>

3. In the dialog box, select **Platform** as *Web*. Choose **Sign-on method** as *SAML 2.0* and click on **Create**.

<figure><img src="https://content.gitbook.com/content/VXyBWnsg0T2tHBl87viA/blobs/O5ArrzozjQrQdGFDdjPw/image.png" alt="" width="563"><figcaption><p>New App Integration</p></figcaption></figure>

4. Provide an **App name**. Optionally, add a logo and description. Click on **Next**.

<figure><img src="https://content.gitbook.com/content/VXyBWnsg0T2tHBl87viA/blobs/F6ZmaFiELZogVFPwX2tl/image.png" alt="" width="563"><figcaption><p>Provide App name</p></figcaption></figure>

5. Fill in the following SAML settings:

* **Single Sign-On URL:** `https://<YOUR_TELLIUS_URL>/sso/sp/consume/idp1`

  Replace `<YOUR_TELLIUS_URL>` with your actual Tellius instance URL. This is the Assertion Consumer Service (ACS) endpoint that receives the SAML response; leave Okta's default of using it for the Recipient URL and Destination URL as well.
* **Audience URI (SP Entity ID):** This must be exactly `tellius` (case-sensitive). Tellius rejects assertions whose audience does not match this value.
* **Default RelayState:** `/saml_callback`

<figure><img src="https://content.gitbook.com/content/VXyBWnsg0T2tHBl87viA/blobs/VvHoIfKFIbWQrmwgWbGp/image.png" alt=""><figcaption><p>SAML Settings</p></figcaption></figure>

6. Under **Attribute Statements**, add the following attributes. They map user identity fields from the Okta profile to Tellius, and Tellius needs all three to identify the user and create their profile. The names must match exactly:

* `firstName` → `user.firstName`
* `lastName` → `user.lastName`
* `email` → `user.email`

<figure><img src="https://content.gitbook.com/content/VXyBWnsg0T2tHBl87viA/blobs/UdMvCXV39vvujEc2v2fD/image.png" alt="" width="563"><figcaption><p>Attribute mapping</p></figcaption></figure>

7. Set the **App type** to `Internal` if this app is for your organization’s internal users and click on **Finish**.

<figure><img src="https://content.gitbook.com/content/VXyBWnsg0T2tHBl87viA/blobs/Q0S6HZu1gwBKzharYIQd/image.png" alt="" width="563"><figcaption><p>Internal app</p></figcaption></figure>

8. Once the application is created, you'll be redirected to the application's **Settings Overview**. Click on **View Setup Instructions** (top-right corner).
9. A new tab will open containing the detailed SAML configuration. Scroll to the bottom and locate the **Identity Provider Metadata**.
10. Download the metadata XML file. It contains the Okta issuer (entity ID), the single sign-on URL and the certificate Okta uses to sign assertions; if that certificate is later rotated in Okta, the metadata must be downloaded and uploaded to Tellius again.
11. Once you have the metadata XML, follow the standard Tellius SAML configuration instructions:

* Go to `Settings` > `Security` > `Authentication`
* Select `SAML` as the authentication method.
* Upload the metadata XML.
* Save and confirm.
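Before uploading, it is worth confirming that the metadata you downloaded and the assertions Okta will send actually match the settings entered in step 5 and step 6. The script below is an added example, not Tellius or Okta code: it parses a constructed Okta-style metadata file and a constructed (unsigned) sample assertion, and reports any mismatch in issuer, Recipient URL, Audience, validity window or the three required attributes. The hostname `tellius.example.com` and the Okta entity ID `http://www.okta.com/exk0placeholder0000` are placeholders, and signature verification is deliberately left to the SP.

```python
"""Pre-flight checks for an Okta -> Tellius SAML setup (added example, not vendor code).

Assumptions (not from the page): the metadata and assertion below are constructed
samples in the shape Okta emits; tellius.example.com and the entity ID are placeholders.
"""
from datetime import datetime, timezone
# The samples here are local strings. For XML fetched from an untrusted source,
# parse with defusedxml.ElementTree instead to block entity-expansion attacks.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values from the Okta app settings (placeholder host).
TELLIUS_ACS_URL = "https://tellius.example.com/sso/sp/consume/idp1"
TELLIUS_AUDIENCE = "tellius"
REQUIRED_ATTRS = ("firstName", "lastName", "email")
# Fixed clock matching the constructed assertion's validity window.
SAMPLE_NOW = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample of an Okta "Identity Provider metadata" download.
OKTA_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0placeholder0000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exk0placeholder0000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion (unsigned; signature checking is the SP's job, not this script's).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed-1" IssueInstant="2030-01-01T12:00:00.000Z" Version="2.0">
  <saml2:Issuer>http://www.okta.com/exk0placeholder0000</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>jane.doe@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2030-01-01T12:05:00.000Z"
          Recipient="https://tellius.example.com/sso/sp/consume/idp1"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2030-01-01T11:55:00.000Z" NotOnOrAfter="2030-01-01T12:05:00.000Z">
    <saml2:AudienceRestriction><saml2:Audience>tellius</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_idp_metadata(xml_text):
    """Extract what Tellius relies on: issuer entity ID, HTTP-POST SSO URL, signing cert presence."""
    root = ET.fromstring(xml_text)
    sso_post = None
    for svc in root.iterfind(".//md:SingleSignOnService", NS):
        if svc.get("Binding") == POST_BINDING:
            sso_post = svc.get("Location")
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso_post,
        "has_signing_cert": cert is not None and bool((cert.text or "").strip()),
    }


def _ts(value):
    """Parse a SAML UTC timestamp such as 2030-01-01T12:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, metadata, acs_url=TELLIUS_ACS_URL,
                    audience=TELLIUS_AUDIENCE, required_attrs=REQUIRED_ATTRS, now=None):
    """Return a list of findings; an empty list means the assertion matches the Tellius settings."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    findings = []
    issuer = a.findtext("saml2:Issuer", default="", namespaces=NS)
    if issuer != metadata["entity_id"]:
        findings.append(f"Issuer {issuer!r} does not match metadata entityID {metadata['entity_id']!r}")
    scd = a.find(".//saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("Recipient is not the Tellius Single Sign-On URL")
    audiences = [e.text for e in a.iterfind(".//saml2:Audience", NS)]
    if audience not in audiences:
        findings.append(f"Audience {audiences} does not contain {audience!r} (SP Entity ID)")
    cond = a.find("saml2:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("Assertion is not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("Assertion has expired (NotOnOrAfter)")
    attrs = {attr.get("Name"): attr.findtext("saml2:AttributeValue", default="", namespaces=NS)
             for attr in a.iterfind(".//saml2:Attribute", NS)}
    for name in required_attrs:
        if not attrs.get(name):
            findings.append(f"Attribute {name!r} missing or empty (check the Okta attribute mapping)")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(OKTA_METADATA)
    print("IdP:", meta)
    problems = check_assertion(SAMPLE_ASSERTION, meta, now=SAMPLE_NOW)
    print("Findings:", problems or "none; assertion matches the Tellius settings")
```

To use it against a real setup, replace `OKTA_METADATA` with the downloaded file, capture an assertion from the browser's SAML response during a test login (after base64-decoding it), set `TELLIUS_ACS_URL` to your instance, and call `check_assertion` with the default clock. A wrong Audience or a missing attribute shows up here as a one-line finding rather than as an opaque login failure.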

From now on, users who try to access Tellius will be redirected to your Okta login screen. After a successful login, they are signed into Tellius using the mapped attributes.

Users are auto-created in Tellius on their first login, keyed on the `email` attribute carried in the SAML assertion. Because provisioning happens at first login, access to Tellius is governed by who can sign in to the Okta application: assign only the intended users or groups to the app in Okta, and remove their assignment to revoke access.
