Okta SAML

Enabling SAML with Okta involves the following steps:

  • Adding Dropzone Role Attribute to User Profile

  • Assigning Dropzone Role Attributes to users

  • Creating the SAML application in Okta

  • Assigning Users to the Dropzone Application

  • Providing your SAML IDP details to your Dropzone support representative

  • Updating your SAML application with details from your Dropzone support representative

There are multiple ways you can configure Okta successfully with Dropzone AI; we show the simplest version here. However, you are welcome to use whatever works best. Perhaps you wish to set the user.dropzone_role via the Application profile, or via Okta Expression Language with custom logic.

As long as the values come down where we expect them, in the correct form, the "how" is up to you.

Create the Dropzone Role on User Profile

Dropzone needs to know which role a user should receive when logging into your tenant. There are multiple ways you can configure this, but the most common is to add a field to the user profile or to the Okta application profile.

Here we show you how to add the field to the user Okta profile.

If you store the role somewhere other than the Okta profile, then you will need to adjust the SAML attribute value user.dropzone_role to match.

  • Go to Directory > Profile Editor

  • Select the "User (default)" profile

  • Click the "Add Attribute" button

  • Set the values as follows

    • Data type: string

    • Display name: dropzone_role

    • Variable name: dropzone_role

    • Description: Dropzone AI Access Level

    • Select the Enum "Define enumerated list of values" checkbox

You may choose a different "Variable Name", but later in this document when you specify SAML attributes you'll need to adjust from user.dropzone_role to the name you used here.

  • In the "Attribute Members" section, create the following new values:

    Display Name            Value
    admin                   admin
    member                  member
    restricted-read-only    restricted-read-only

Be sure the "Values" of the attributes match exactly admin, member, and restricted-read-only. The "Display Name" may be something more descriptive if you wish.

  • Click Save

Assign Dropzone Role Attributes to Users

Next, set the dropzone_role profile value for users who will have access to the Dropzone AI platform.

  • Go to Directory > People

  • Select a person

  • Select "Profile"

  • Click Edit

  • Scroll to the bottom of the screen, find dropzone_role, and select the access level for this user

  • Click Save

  • Repeat for all users who should have Dropzone access

Create the Okta Application

  • Go to Applications > Applications

  • Click Create App Integration

  • Select SAML 2.0

  • In General Settings, set

  • Click Next

  • Enter values in the "SAML Settings" section of the "Create SAML Integration" page

    • Single sign-on URL:

      • If you have received a "Dropzone SAML ACS URL" from Dropzone, paste it here

        • Likely it is https://login.dropzone.ai/samlv2/acs

    • Audience URI:

      • If you have received a "Dropzone SAML Entity ID" from Dropzone, paste it here

        • If not, put a placeholder of https://login.dropzone.ai/samlv2/sp/00000000-0000-0000-0000-000000000000

    • Default RelayState: leave blank

    • Name ID format: EmailAddress

    • Application Username: Email

      • If you wish to use a different field such as Okta Username, or if you have a custom value for this, select it instead

    • Leave all values in "advanced" as-is

  • Enter values in the "Attribute Statements" section of the "Create SAML Integration" page

    • You must create attributes for first_name, last_name, and dropzone_role

    • If you've applied the role to the user's profile, then these values will be as follows

    Name            Value
    first_name      user.firstName
    last_name       user.lastName
    dropzone_role   user.dropzone_role

If you chose a different "Variable Name" on the user profile, or are using a different field entirely, update user.dropzone_role to match.
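The guide's requirement is that the values "come down where we expect them, in the correct form": a Name ID in EmailAddress format, and first_name, last_name and dropzone_role attributes whose role value matches one of the enum values created on the user profile exactly. The following check is an added example, not part of this guide or of Dropzone's or Okta's own code; it runs over a constructed assertion fragment shaped like the Subject and AttributeStatement Okta emits, which you could replace with an assertion from a test login to confirm your attribute statements before handing details to support.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the Subject and AttributeStatement Okta emits for
# the attribute statements above; not a real assertion from Okta or Dropzone.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="first_name"><saml2:AttributeValue>Alice</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="last_name"><saml2:AttributeValue>Example</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="dropzone_role"><saml2:AttributeValue>member</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("first_name", "last_name", "dropzone_role")
VALID_ROLES = {"admin", "member", "restricted-read-only"}  # exact, case-sensitive


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the assertion matches the guide."""
    root = ET.fromstring(xml_text)
    problems = []

    # Name ID format must be EmailAddress, as set in the SAML Settings above.
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected EmailAddress")

    # Collect attribute statements by Name; an attribute may carry several values.
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]

    # first_name, last_name and dropzone_role must all be present and non-empty.
    for name in REQUIRED_ATTRS:
        if not any(v.strip() for v in attrs.get(name, [])):
            problems.append(f"attribute {name} is missing or empty")

    # dropzone_role must be exactly one of the enum values created on the profile.
    roles = attrs.get("dropzone_role", [])
    if len(roles) == 1 and roles[0] not in VALID_ROLES:
        problems.append(f"dropzone_role {roles[0]!r} is not one of {sorted(VALID_ROLES)}")
    elif len(roles) > 1:
        problems.append("dropzone_role carries more than one value")
    return problems
```

A role value such as "Member" or a display name leaking into the value field is reported, which is the most common mismatch when the enum values on the profile are not typed exactly.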

  • Click Next

  • On the next page, click "This is an internal app we have created"

  • Click Finish

Assign Users to the Dropzone Application

Configure which users are allowed to log into Dropzone.

  • Go to the newly created application in Okta

  • Click on the "Assignments" tab at the top

  • Click "Assign" and then the "Assign to People" or "Assign to Groups" button as appropriate

  • Repeat until you've added all the people/groups who should have access

Gather Application Data for Dropzone

Dropzone needs two pieces of information from your Okta environment to enable the SAML trust.

  • Go to the newly created application in Okta

  • Click on the "Sign On" tab at the top

  • Click on the "View SAML setup instructions" on the right

Find the following two pieces of information:

  • Identity provider Single Sign-On URL

    • This is a URL, typically on an .okta.com domain

  • X.509 Certificate

    • This is a multi-line string, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----

Provide these to your Dropzone support representative. (Typically this is done via the Dropzone SAML Request form.)

Update Your SAML Application

Dropzone will enable SAML and provide you two values to add to the "SAML Settings" in the "General" tab of your SAML app:

  • ACS URL: paste this into the "Single Sign-On URL" field

  • Entity ID: paste this into the "Audience URI (SP Entity ID)" field

Update these values in your Okta Application and save.

Getting Help

If you have any errors or questions, engage your Dropzone AI support representative.
