This article describes how to configure logging in with SAML when Okta is the identity provider.

General requirements and limitations

Logging into Xopero ONE using SAML-integrated identity providers should be initiated from the Xopero ONE panel.

Do not log in from the IdP panel (e.g. from the Okta panel) to the application defined for Xopero ONE.

Do not test the integration from the IdP panel (e.g., from the Azure panel), as this will initiate a login from the IdP panel.

A PKCS #12 file containing the X.509 certificate and private key (usually a .pfx file, which can be password-protected), used for signing on the Xopero ONE side, must be added to the IdP configuration in Xopero ONE. An X.509 certificate file (usually a .crt file), used for signature verification on the IdP side, must be added to the application configuration defined in the Okta panel.

Both files contain the same certificate, and the PKCS #12 file additionally contains the private key to this certificate.

If the PKCS #12 file is password-protected, add this password to the IdP configuration in the Xopero ONE panel.
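The certificate requirement above can be checked before anything is uploaded. The following is an added example, not taken from the Xopero or Okta documentation, that uses the openssl command line to create the two files and confirm they carry the same certificate. It assumes a self-signed certificate is acceptable in your environment; the file names sp.pfx and sp.crt, the subject name, the validity period and the password are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names, subject CN, validity and password are constructed.

# make_saml_pair DIR PASSWORD: create DIR/sp.pfx (cert + key) and DIR/sp.crt (cert only)
make_saml_pair() {
    dir=$1; pass=$2
    # Self-signed signing certificate with a temporary unencrypted key
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -subj "/CN=xopero-one-saml-signing" \
        -keyout "$dir/sp.key" -out "$dir/sp.crt" 2>/dev/null || return 1
    # Bundle certificate and key into a password-protected PKCS #12 file
    openssl pkcs12 -export -inkey "$dir/sp.key" -in "$dir/sp.crt" \
        -out "$dir/sp.pfx" -passout "pass:$pass" || return 1
    rm -f "$dir/sp.key"   # the key now lives only inside the .pfx
}

# SHA-256 fingerprint of a standalone certificate file
crt_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# SHA-256 fingerprint of the certificate stored inside a PKCS #12 file
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# True if the PKCS #12 file opens with the password and holds a private key
pfx_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q "PRIVATE KEY"
}

# check_saml_pair PFX CRT PASSWORD: prints OK and returns 0 only if the pair matches
check_saml_pair() {
    pfx_has_key "$1" "$3" ||
        { echo "cannot read a private key from $1 (wrong password?)"; return 1; }
    [ "$(pfx_fingerprint "$1" "$3")" = "$(crt_fingerprint "$2")" ] ||
        { echo "certificate in $1 differs from $2"; return 1; }
    echo "OK"
}

# Demo in a throwaway directory
tmp=$(mktemp -d)
make_saml_pair "$tmp" "constructed-password" &&
    check_saml_pair "$tmp/sp.pfx" "$tmp/sp.crt" "constructed-password"
rm -rf "$tmp"
```

Running check_saml_pair against files you already have catches the two common causes of failed signature verification: a .crt that belongs to a different key pair, and a wrong PKCS #12 password.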


In the Admin dashboard (available in the top-right corner of the window), go to the Applications tab and select the Applications page.

Now hit the Create App Integration button and select SAML 2.0.

In the General Settings tab, specify the application name and move to the Configure SAML tab.

In the Configure SAML tab, configure the Single sign-on URL parameter as below:



XoperoONEManagementServiceURL - URL address to your Xopero ONE Management Service

In the Audience URI field, type your application name (configured in the General Settings tab).

Now, hit the Show advanced settings button and attach the certificate file to verify your signature by selecting it in the Signature Certificate tab. After that, you will be able to check the Allow application to initiate Single Logout checkbox in the Enable Single Logout field - this is necessary.

When the Allow application to initiate Single Logout checkbox is checked, the application will open two additional fields - fill them in as below:

  • Single Logout URL: https://XoperoONEManagementServiceURL/auth/SAMLLogoutResponse

  • SP Issuer: MyOktaApp

XoperoONEManagementServiceURL - URL address to your Xopero ONE Management Service

MyOktaApp - Application name (configured in the General Settings tab).

Now, move to the Group Attribute Statements field and fill it in as below:

  • Name: xoperogroup

  • Starts with: XONE

Now you can hit the Next button. In the next window, select the I'm an Okta customer adding an internal app option and hit the Finish button.

Open the created application and move to the Sign On page.

In the SAML Signing Certificates field, select the certificate and hit the Actions button -> View IdP metadata. Copy the link of the opened page - it will be required in the Xopero ONE app.

Now, move to the Assignment tab.

Assign the application to the selected user or group. To do this, hit the Assign button and choose whether you want to assign it to selected users or to a whole group. Next, hit the Assign button on the right side of the opened window.

Xopero ONE side

Log into the Xopero ONE Web panel, go to the Settings tab and open the External Identity Providers section. Click the Add new provider button and fill in the details.

First, enter the Name, which is your own custom name (e.g. Okta), then the Entity ID, which in this example is MyOktaApp (the application name).

Next, paste the link of IdP metadata into the Metadata URL field.

Add the required certificate and add a password to the Safe Password Manager.

You can read more about adding a new password to the Safe Password Manager in the following article:

Add A New Password

Set up a default Language and Role for the users with proper permissions and it's done! You can now log out of your account and test the configuration with your configured integration.

You can read more about the Roles in Xopero ONE in the following article:

Roles and permissions
