Skip to content


Follow the steps documented below to integrate your Rafay and Okta Orgs for Single Sign On (SSO).


Only users with "Organization Admin" privileges can configure SSO in the Rafay Console.

Step 1: Create IdP in Rafay

  • Login into the Rafay Console as an Organization Admin.
  • Click on System and IdPs
  • Click on "New IdP"
  • Provide a name, select "Okta" from the drop down
  • Enter the "domain" for which you would like to enable SSO

  • Optionally, toggle "Encryption" if you wish to send/receive encrypted SAML assertions

  • Provide a name for the "Group" attribute
  • Click on Save & Continue

Create IdP


Encrypting SAML assertions is optional because privacy is already provided at the transport layer using HTTPS. Encrypted assertions provide an additional layer of security on top ensuring that only the SP (Rafay Org) can decrypt the SAML assertion.

Step 2: View SP Details

The Rafay IdP configuration wizard will display critical information that you need to copy/paste into your Okta Org. Provide the following information to your Okta administrator.

  • Assertion Consumer Service (ACS) URL
  • SP Entity ID
  • Name ID Format

View SP Details

Step 3: Create Rafay App in Okta

  • Login into your Okta Org as an Administrator
  • Select Applications and Create a New App
  • Select "SAML 2.0" for Sign on method
  • Click on Create

Create App Integration

Step 4: General Settings

In step 1 of the application configuration wizard

  • Enter "Rafay Systems" for the application name
  • Upload the Rafay Logo

General Settings

Step 5: Configure SAML

In step 2 of the application configuration wizard

  • Copy/Paste the Rafay ACS URL from Step 2 into the "Single sign on URL"
  • Copy/Paste the SP Entity ID from Step 2
  • Select "Email Address" in the Name ID format dropdown

Configure SAML

In the Group Attribute Statements section, - Provide the name for the "Group", select the "Matches regex" filter and ".*" for the value.

The "Group" configuration step is critical because it will ensure that Okta will send the groups the user belongs to as part of the SSO process. Rafay uses the group information to transparently map users to the correct group/role. In the illustrative example below, we are using "Rafay" as the name of the group.

Configure SAML

Complete the Feedback portion of the Okta app wizard.

Step 6: Specify IdP Metadata

Copy the "Identity Provider Metadata" URL from the Rafay App

IdP Metadata

  • Navigate back to the Rafay Console's IdP configuration wizard
  • Paste the Identity Provider Metadata URL from Okta
  • Complete IdP Registration

Create App Integration

  • Once this process is complete, you can view details about the IdP configuration on the Identity Provider page.
  • You can also edit and update the configuration if required.

Completed IdP

Step 7: Assign Users and Groups

Once the Rafay and Okta Orgs are integrated using the steps documented above, customers need to create and assign "Groups" in Okta to the Rafay application.

In the example below, the Okta group "RafayOrgAdmins" has been assigned to the Rafay App in Okta. Multiple Okta users can be added/removed from this group.

Assign Groups

An identical named group needs to be created on Rafay. Ensure that this group is mapped to the appropriate Projects with the correct privileges. In the example below, the Rafay Group "RafayOrgAdmins" is configured as an "Organization Admin" with access to all Projects.

Assign Groups

It is important to emphasize that because of SSO via Okta, user lifecycle management can be completely offloaded to the IdP. In the example below, note that there are no users managed in the "RafayOrgAdmins" group because they are all managed in the attached Okta Org.

Users in Group