# Signing in with Okta

{% hint style="success" %}
This document details configuring Okta SAML for authentication with Dropzone. This is more advanced than using federated buttons such as "Log in with Google" and "Log in with Microsoft" but offers more customization, especially useful for customers with more than one Dropzone environment.
{% endhint %}

Enabling SAML with Okta involves the following steps:

* Adding Dropzone Role Attribute to User Profile
* Assigning Dropzone Role Attributes to users
* Creating the SAML application in Okta
* Assigning Users to the Dropzone Application
* Providing your SAML IDP details to your Dropzone support representative
* Updating your SAML application with details from your Dropzone support representative

{% hint style="info" %}
There are multiple ways you can configure Okta successfully with Dropzone AI; we show the simplest version here. However, you are welcome to use whatever works best. Perhaps you wish to set the `user.dropzone_role` via the Application profile, or via [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/) with custom logic. See [Advanced Okta](#advanced) for possibilities.

As long as the values come down where we expect them, in the correct form, the "how" is up to you.
{% endhint %}

## Create the Dropzone Role on User Profile

Dropzone needs to know which role a user should receive when logging into your tenant. There are multiple ways you can configure this, but the most common is to add a field to the user profile or to the Okta application profile.

Here we show you how to add the field to the user Okta profile.

{% hint style="info" %}
If you store the role somewhere other than the Okta profile then you will need to adjust the SAML attribute value `user.dropzone_role` to match.
{% endhint %}

* Go to Directory > Profile Editor
* Select the "User (default)" profile
* Click the "Add Attribute" button
* Set the values as follows
  * Data type: string
  * Display name: `dropzone_role`
  * Variable name: `dropzone_role`
  * Description: Dropzone AI Access Level
  * Select the Enum "Define enumerated list of values" checkbox

{% hint style="info" %}
You may choose a different "Variable Name", but later in this document when you specify SAML attributes you'll need to adjust from `user.dropzone_role` to the name you used here.
{% endhint %}

* In the "Attribute Members" section, create the following new values:

| Display Name         | Value                  |
| -------------------- | ---------------------- |
| admin                | `admin`                |
| member               | `member`               |
| restricted-read-only | `restricted-read-only` |

<figure><img src="/files/4J12aZCuvV3BtnK2TTpb" alt=""><figcaption><p>Create the Attribute</p></figcaption></figure>

{% hint style="info" %}
Be sure the "Values" of the attributes match **exactly** `admin`, `member`, and `restricted-read-only`. The "Display Name" may be something more descriptive if you wish.
{% endhint %}

* Click Save

## Assign Dropzone Role Attributes to Users

Next, set the `dropzone_role` profile value for users who will have access to the Dropzone AI platform.

* Go to Directory > People
* Select a person
* Select "Profile"
* Click Edit

<figure><img src="/files/rlYdAaZfBzOxMWb7ZpKn" alt=""><figcaption><p>Edit the user's User Profile</p></figcaption></figure>

* Scroll to the bottom of the screen and find `dropzone_role` and select the access level for this user

<figure><img src="/files/MFE3EumUIMTpQF17oHE2" alt=""><figcaption><p>Set the user's `dropzone_role` value</p></figcaption></figure>

* Click Save
* Repeat for all users who should have Dropzone access

## Create the Okta Application

* Go to Applications > Applications
* Click Create App Integration
* Select SAML 2.0
* In General Settings, set
  * App name: Dropzone AI
  * App Logo: provide one of your own, or use one of these Dropzone icons:
    * [transparent](https://go.dropzone.ai/img/logos/logomark-transparent-color.png)
    * [white background](https://go.dropzone.ai/img/logos/logomark-blue-on-white.png)
    * [black background](https://go.dropzone.ai/img/logos/logomark-blue-on-black.png)
  * Click "Do not display application icon to users"

{% hint style="warning" %}
Be sure you do not enable an Okta tile (application icon) for this Application. Dropzone AI does not support IDP-initiated login flows, so the tile will not function properly.

However you can make an Okta "Bookmark Application" that will enable single-click logins to your Dropzone tenant - see [Direct Login Links](/dropzone-101/getting-started/accessing-tenants/direct-login-links.md#okta-bookmark-app) for details.
{% endhint %}

* Click Next
* Enter values in the "SAML Settings" section of the "Create SAML Integration" page
  * Single sign-on URL:
    * If you have received a "Dropzone SAML ACS Url" from Dropzone, paste it here
      * Likely it is <https://login.dropzone.ai/samlv2/acs>
  * Audience URI:
    * If you have received a "Dropzone SAML Entity ID" from Dropzone, paste it here
      * If not, put a placeholder of <https://login.dropzone.ai/samlv2/sp/00000000-0000-0000-0000-000000000000>
  * Default RelayState: leave blank
  * Name ID format: EmailAddress
  * Application Username: Email
    * If you wish to use a different field such as Okta Username, or if you have a custom value for this, select it instead
  * Leave all values in "advanced" as-is

<figure><img src="/files/I5INtGM6NrH9vcC287sG" alt=""><figcaption><p>Application SAML Settings</p></figcaption></figure>

* Enter values in the "Attribute Statements" section of the "Create SAML Integration" page
  * You must create attributes for `first_name`, `last_name`, and `dropzone_role`
  * If you've applied the role to the user's profile then these values will be as follows

| Name            | Value                |
| --------------- | -------------------- |
| `first_name`    | `user.firstName`     |
| `last_name`     | `user.lastName`      |
| `full_name`     | `user.fullName`      |
| `dropzone_role` | `user.dropzone_role` |

<figure><img src="/files/ABKJxoijLIBu6sc4nens" alt=""><figcaption><p>SAML Attribute Statements</p></figcaption></figure>

{% hint style="info" %}
If you chose a different "Variable Name" on the user profile, or are using a different field entirely, update `user.dropzone_role` to match.
{% endhint %}

* Click Next
* On the next page, click "This is an internal app we have created"
* Click Finish
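When troubleshooting a login, it helps to confirm that the assertion Okta actually sends carries what Dropzone expects: an email-format NameID, the `first_name`, `last_name` and `dropzone_role` attribute statements, and a `dropzone_role` value that is exactly one of the three enum values. The script below is an added example written for this page, not Okta's or Dropzone's own tooling. It parses a constructed, unsigned sample response in the shape Okta produces for the attribute statements above (the assertion text, the user and the `_r1`/`_a1` IDs are made up); it only checks attribute content, since signature validation is done by the Dropzone service provider, not by this script.

```python
"""Check that a SAML 2.0 response carries the attributes Dropzone expects.

Added example; not Dropzone or Okta code. Only attribute content is checked
here, signature verification is out of scope.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The exact enum values configured on the Okta user profile.
ALLOWED_ROLES = frozenset({"admin", "member", "restricted-read-only"})
REQUIRED_ATTRS = ("first_name", "last_name", "dropzone_role")

# Constructed sample (unsigned, minimal); IDs and the user are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="full_name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="dropzone_role"><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(xml_text):
    """Return (NameID element or None, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return name_id, attrs


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the assertion is usable."""
    problems = []
    name_id, attrs = extract_attributes(xml_text)

    if name_id is None:
        problems.append("missing NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID format is not emailAddress")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
            problems.append("NameID value is not an email address")

    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"missing attribute statement {name}")

    # A role that is absent (e.g. an expression that evaluated to null),
    # multi-valued, or spelled differently from the enum is rejected.
    if "dropzone_role" in attrs:
        values = attrs["dropzone_role"]
        if len(values) != 1:
            problems.append("dropzone_role must carry exactly one value")
        elif values[0] not in ALLOWED_ROLES:
            problems.append(
                f"dropzone_role {values[0]!r} is not one of {sorted(ALLOWED_ROLES)}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_RESPONSE) or ["assertion looks good"]:
        print(problem)
```

To check a real assertion, capture the base64 `SAMLResponse` from the browser's network tab during a login, decode it, and pass the XML to `check_assertion`. The role comparison is deliberately case-sensitive, matching the "must match exactly" requirement above.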

## Assign Users to the Dropzone Application

Configure which users are allowed to log into Dropzone.

* Go to the newly created application in Okta
* Click on the "Assignments" tab at the top
* Click "Assign" and then the "Assign to People" or "Assign to Groups" button as appropriate
* Repeat until you've added all the people/groups who should have access

## Gather Application Data for Dropzone

Dropzone needs two pieces of information from your Okta environment to enable the SAML trust.

* Go to the newly created application in Okta
* Click on the "Sign On" tab at the top
* Click on the "View SAML setup instructions" on the right

Find the following two pieces of information:

* Identity provider Single Sign-On URL
  * This is a URL, typically on an .okta.com domain
* X.509 Certificate
  * This is a multi-line string, starting with `-----BEGIN CERTIFICATE-----` and ending with `-----END CERTIFICATE-----`

<figure><img src="/files/LZcwLNA0eEKQJJpBY80d" alt=""><figcaption><p>Copy IDP details</p></figcaption></figure>

Provide these to your Dropzone support representative. (Typically this is done via the Dropzone SAML Request form.)

### Update Your SAML Application

Dropzone will enable SAML and provide you two values to add to the "SAML Settings" in the "General" tab of your SAML app:

* ACS URL - paste this into "Single Sign-On URL" field
* Entity ID - paste this into the "Audience URI (SP Entity ID)" field

Update these values in your Okta Application and save.

### Set Legacy Configuration on your app

In addition to setting the roles as custom profile attributes, configure the attribute statement on the app itself:

* Navigate to Sign On > Show Legacy Configuration > Profile attribute statements
* Set `dropzone_role` equal to `appuser.dropzone_role`

<figure><img src="/files/Giy1xvAMvpwgM5c0pX8n" alt=""><figcaption><p>Legacy Configuration</p></figcaption></figure>

## Advanced Okta

Okta has powerful configuration capabilities, including [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/), which can be used to simplify your Dropzone role provisioning as an alternative to manually setting roles on each user's profile directly.

{% hint style="warning" %}
This section is here as a reference, not a requirement. Use whatever method you're most comfortable with that balances your administration duties and meets your security standards.
{% endhint %}

### Advanced Okta - Dropzone Role via Group Membership

Some customers use Okta Groups coupled with Okta Expression Language to populate the `dropzone_role` attribute automatically. As an example, say you had the following groups:

* access-dropzone-admin
* access-dropzone-member
* access-dropzone-read-only

You could use the following expression, which evaluates the groups in order so that a user in more than one group receives the first (most privileged) matching role, and a user in none of them receives no role:

```
user.isMemberOfGroupName("access-dropzone-admin") ? "admin" :
user.isMemberOfGroupName("access-dropzone-member") ? "member" :
user.isMemberOfGroupName("access-dropzone-read-only") ? "restricted-read-only" :
null
```

The values on the right side above (`admin`, `member`, `restricted-read-only`) must match exactly the values we expect; the group names, however, can be anything that matches your internal naming standards.

## Getting Help

If you have any errors or questions, engage your Dropzone AI support representative.

