Version: User Guides (Cloud)

Okta

This topic describes how to configure single sign-on (SSO) with Okta using the SAML 2.0 protocol.


📘Notes

Though the SSO feature is in General Availability, please contact sales for access.

Before you start

Before you begin the SSO configuration, make sure the following conditions are met:

  • You are the Organization Owner of the organization where SSO is to be configured.

  • You have Admin access to the Okta console. For more information, refer to the official Okta documentation.

Configuration steps

Step 1: Create a SAML app in Okta console

  1. Log in to the Okta Admin console.

  2. In the left-side navigation pane, choose Applications > Applications.

  3. Click Create App Integration.

  4. In the Create a new app integration dialog box, select SAML 2.0 and click Next.

  5. For simplicity, set App name to zilliz, then click Next.

  6. In the General area of the Configure SAML step, configure the fields below:

    • Single Sign On URL:

      • Enter a temporary placeholder URL, such as http://www.okta.com. You will replace this with the actual URL from the Zilliz Cloud console later in Step 2.

      • Be sure to check the box labeled "Use this for Recipient URL and Destination URL" to ensure correct routing during SAML requests.

    • Audience URI (SP Entity ID): Set the value to zilliz.

  7. In the Attribute Statements (optional) area, specify:

    • Name: Set the value to email.

    • Value: Select user.email from the drop-down list.

  8. Click Next, then click Finish. You will be redirected to the app page.

  9. On the Sign On tab of the app page, click More details to get the following app details:

    • Sign on URL: Copy the URL. It will be required in the Zilliz Cloud console in Step 2.

    • Signing Certificate: Click Download to save the certificate to your local computer. It will be required in the Zilliz Cloud console in Step 2.

Then, proceed to Step 2 to continue the SSO setup in the Zilliz Cloud console.

Step 2: Configure Okta settings in Zilliz Cloud console

  1. Log in to the Zilliz Cloud console and go to the organization for which you want to configure SSO.

  2. In the left-side navigation pane, choose Settings.

  3. On the Settings page, find the Single Sign-On (SSO) section and click Configure.

  4. In the Single Sign-On (SSO) dialog box, select SAML 2.0, then configure the settings below:

    • Single Sign-On URL: Paste the Sign on URL value copied from the Okta console in Step 1. This URL receives the SAML authentication requests from Okta.

    • Entity ID: Set the value to zilliz.

    • Certificate: Open the certificate file downloaded in Step 1 on your computer. Copy the entire certificate content, including the lines beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and paste it into the field provided.

  5. Click Save.

  6. In the dialog box that appears, copy the redirect URL. It will be required in the Okta console in Step 3. You will also see a Zilliz Cloud login URL, which will be used for SSO login once the setup is complete.

Step 3: Update SSO URL in Okta console

After saving the Okta app details in Zilliz Cloud, you are provided with a redirect URL:

  1. Return to the Okta console and navigate to the SAML app you created.

  2. Update the SAML settings by replacing the placeholder Single Sign On URL (set in Step 1) with the redirect URL you copied from Zilliz Cloud.

  3. Save the changes.

Post-configuration tasks

Task 1: Assign SAML app to users (Okta console)

Before users can access Zilliz Cloud through SSO, you need to assign the Okta application to them:

  1. In the Okta Admin console, click Assignments.

  2. Choose Assign > Assign to People.

  3. Assign the SAML app to the user and save the changes.

  4. Click Save and Go Back.

Repeat for all users as needed. For more information, see the Okta documentation.

Task 2: Log in with SSO URL (end users)

Users who have been assigned the SAML app can access the Zilliz Cloud console using the SSO login URL provided by Zilliz Cloud:

  1. Open a new browser window and navigate to the Zilliz Cloud SSO login URL provided earlier.

  2. You should be redirected to the Okta login page.

  3. Log in using the credentials of a user who has been assigned the SAML app in Okta.

  4. If SSO is configured correctly, you will be redirected to the Zilliz Cloud console after successful authentication.

If you encounter any issues during the setup or testing process, contact Zilliz support.

FAQ

What role is assigned to users who log in via SSO for the first time?

New users who do not already have a Zilliz Cloud account will be automatically created upon their first SSO login. These users are assigned the Organization Member role by default. You can modify their roles later in the Zilliz Cloud console.

How do users access projects after SSO login?

After logging in via SSO, users will have the Organization Member role by default. To access specific projects, an Organization Owner or Project Admin must invite them to projects. For detailed steps, see Manage Project Users.

What happens if a user already has a Zilliz Cloud account before logging in with SSO?

If the user already exists in your Zilliz Cloud organization (based on their email), they will retain their original role and permissions when logging in via SSO. The system matches users by email address and does not overwrite existing accounts.

I'm having issues with SSO configuration or users can't log in. What should I check?

If you encounter configuration errors or login issues, verify the following:

  • Certificate format: Ensure the certificate includes complete BEGIN and END lines:

    -----BEGIN CERTIFICATE-----
    (certificate body)
    -----END CERTIFICATE-----

  • Single Sign-On URL: Verify the Sign on URL from Okta is correctly pasted.

  • Entity ID: Confirm it's set to zilliz in both Okta and Zilliz Cloud.

  • Attribute Statements: Ensure email mapping is configured (Name = email, Value = user.email).

  • User Assignment: The user is assigned the SAML app in Okta.

  • Email Matching: The email in Okta matches the email in Zilliz Cloud.

Can I configure multiple SSO providers for the same organization?

Currently, each Zilliz Cloud organization supports only one active SAML SSO configuration at a time.