Okta configuration for DESK SSO

Follow the examples below to configure DESK SSO using Okta as the SAML identity provider (IdP). You can use Okta's pre-built configuration or configure it manually.

Okta Network Integration configuration
Okta manual configuration

Important: Use this IdP-specific help as part of the entire SAML configuration procedure for DESK SaaS.

Okta Network Integration configuration

Through the Okta Integration Network, you can use an Okta-verified, pre-built configuration to integrate DESK with your Okta IdP for SSO.

In the Okta interface, select Application from the main menu and click Add Application.

'Add Application' example screen

Search for DESK and select Add.

'Add' example screen

Click Next.

'Next' example screen

In Sign On Methods, select SAML 2.0.

'Sign On Methods' example screen

Optional: Set Default Relay State to your default tenant URL or to other DESK services from the *.desk.com realm. If this is not defined, users after signing in will be redirected to the last accessed tenant or account/user profile.

Optional: Set role as a Security group claim attribute. If configured, Okta will send assigned groups within the SAML Request.

To manage group membership in Okta with SAML Authorization in DESK, this must be configured.

Setting 'role' example screen

For more about SAML metadata configuration, see Configure metadata.
You can configure Security Group Claim attribute filtering using Okta's proprietary expression language. For example, set role to Matches regex and enter .* as the value to have all groups assigned to the user sent with the SAML request.

Optional: Select Enable Single Logout and upload a certificate (Browse and Upload) to enable global single logout. The certificate is provided in Okta's DESK configuration. You need to be signed into the Okta Admin Dashboard.

'Enable Single Logout' example screen

Okta manual configuration

Use this procedure if you choose to manually integrate DESK with your Okta IdP (rather than using an Okta Network Integration configuration as described above).

In General settings, follow this example.

'General' - example screen

'General' - example values

Values in the example screen are:

Single sign on URL	`https://sso.desk.com:443/saml2/sp/consumer` Use this for Recipient URL and Destination URL is `selected`. Allow this app to request other SSO URLs is `not selected`.
Audience URI (SP Entity ID)	`https://sso.desk.com:443/saml2/login`
Name ID format	`EmailAddress`
Application username	`Email`
Update application username on	`Create and update`

Select Show Advanced Settings for additional configuration settings as shown in the example.

'Advanced settings' - example screen

'Advanced settings' - example values

Values in the example screen include:

Response	`Signed` (required)
Assertion Signature	`Signed` (optional)
Signature Algorithm	`RSA-SHA256`
Digest Algorithm	`SHA256`
Assertion Encryption	`Unencrypted` (required)
Enable Single Logout and Single Logout URL	If you want to enable single logout service with DESK SSO: Select Enable Single Logout Enter a Single Logout URL: `https://sso.desk.com:443/saml2/sp/logout`
SP Issuer	`https://sso.desk.com:443/saml2/login`
Signature Certificate	The certificate file required by Okta for SSO application configuration can be converted from an X509Certificate using, for instance, this online tool. The result should be just a X509Certificate wrapped with a header. You can find the DESK SSO metadata for the certificate file at: `https://sso.desk.com/sso/metadata`

Configure attribute statements to enable SAML authorization in DESK SSO.

In the Attribute Statements section, add entries for first name and last name.
In the Group Attribute Statements section, add an entry to enable mapping of groups between the Okta IdP and DESK SSO.

Values displayed here are only examples.

Okta: Attribute Statements and Group Attribute Statements - example screen

Attribute names need to match the DESK federated attribute values on the DESK Single sign-on page:

First name attribute
Last name attribute
Security group claim attribute

You can configure Group Attribute Statements filtering using Okta's proprietary expression language. For example, .* means that all groups assigned to the user will be sent with the SAML request.