# SSO with Okta

### Vectra configuration <a href="#vectra-configuration" id="vectra-configuration"></a>

Vectra’s SAML and your Identity Provider settings need to be configured in parallel. To start, log in to your Vectra account as an administrator.

1. Navigate to **Settings > SSO** and enable **SAML Single Sign-on**.
2. Copy the **Assertion consumer service (ACS) URL** in the **SAML Single Sign-On Settings** page that appears. It will be needed as input into Auth0 later.

### Okta Walkthrough <a href="#okta-walkthrough" id="okta-walkthrough"></a>

1. Navigate to **Applications**. Click **Create App Integration** and choose **SAML 2.0**.

![](/files/VOuxw0dnWMmUpEDHxC1Z) ![](/files/mNu33rEqLt8M4jS4QREh)

2. Provide the application name and logo. In the **General Settings** section, enter the following values into the corresponding fields:

   1. **App name**: Vectra
   2. **App logo** (optional):

   ![Vectra logo (right-click and save as to use)](/files/iJDkJ74cr8tSwvt2EcZn)

![](/files/hcwJP4FqF3lm7PSYvZiB)

3. Look up and copy the SAML integration values. You will need to reference the following information from the Vectra portal: Assertion Consumer Service, Entity ID, and account shortname. These values are found in the **Vectra Service Provider Settings** section in the **Essentials** area in **SAML Single Sign-On Settings**:
   * ![](/files/1G5uaOapJFvrUSfPP2go)
4. In Okta, configure the General SAML Settings.
   1. **Single sign on URL**: Constructed using your account shortname. This URL will be the following: `https://fusion.netography.com/sso/<shortname>`. Replace `<shortname>` with your company's identifier. This can be found in the upper right (just under your name, in red) of the Vectra portal.
   2. **Use this for Recipient URL and Destination URL**: uncheck
   3. **Allow this app to request other SSO URLs**: check
   4. **Requestable SSO URLs**: Paste the *Assertion consumer service URL* found in the Vectra portal
   5. **Recipient URL**: Paste the same *Assertion consumer service URL* as above
   6. **Destination URL**: Paste the same *Assertion consumer service URL* as above
   7. **Audience URI (SP Entity ID)**: Paste the *Entity ID* found in the Vectra portal

![](/files/c9ZdyY21UdXjVOhnu3rO)

5. Configure SAML attributes.
   1. Fill the **Attribute Statements** section by completing the fields as indicated below:

![](/files/1dzqO3xvgxza2ho3CRg3)

   2. Fill the **Group Attribute Statements** section by completing the fields as indicated below:

![](/files/YmmXIi079yaTb4rDwv73)

{% hint style="info" %}
**Note:** You will need to assign users to these groups.
{% endhint %}

6. Configure the application type by completing the fields as indicated below and click **Finish**.

![](/files/RmhJaSEspAtEvQEyYE98)

7. Download the metadata file. You'll need to upload this to Vectra when you configure Okta as the identity provider.

![](/files/tI3UtHPuHto4IWxXbtWN)

### Vectra post-configuration <a href="#vectra-post-configuration" id="vectra-post-configuration"></a>

1. Return to the Vectra portal, and upload the metadata file to Vectra in the Metadata section in the **Provider** screen in the **SAML Single Sign-On Settings** page.

![](/files/nTWgAm5u6L3xpF43lRKF)

2. Click **Next**.
3. Now configure the **User attribute mappers** to match the mapper values configured in Auth0 above:

![](/files/tJdM41rH45cuSL7eyFAb)

4. Click **Next**.
5. Next configure the Default user role and role mappers:
   1. Default user role: This is the role an IDM-authenticated user will default to if the role mappings are not found in the SAML exchange. For security purposes, we recommend setting this value to "readonly", but you may want to set this to "admin" as you are testing your configuration.
   2. Admin role mappers: Configure these according to the screenshot below:

![](/files/7Bh8XFqOtzV8Bz3Yzihw)

6. Click the **Save** button.

Done! Now your users can log in directly via your identity provider using a new account-specific login URL. The new SSO Login URL can now be found under the **Essentials** settings in the **SAML Single Sign-On Settings** page.

![](/files/ysjZ0jlTbOw8GdQe92gR)

{% hint style="warning" %}
**🚧The default login will still work for your account administrator, which is not bound to your IDM.**
{% endhint %}

{% hint style="danger" %}
**❗️Note: The corresponding internal account in the Vectra Portal needs to be deleted first. Otherwise, an error box will appear when a user logs in through Okta if they already had an internal portal account with the same name.**
{% endhint %}


