Configuring Single Sign-On (SSO) using SAML 2.0 for Okta

ManageEngine PAM360 supports SAML 2.0, which lets it integrate with federated identity management solutions for Single Sign-On. PAM360 acts as the Service Provider (SP) and integrates with Identity Providers (IdPs) using SAML 2.0. The integration consists of supplying details about the SP to the IdP and vice versa. Once PAM360 is integrated with an IdP, users only have to log in to the IdP; they can then log in to PAM360 from the identity provider's GUI without providing credentials again. PAM360 supports out-of-the-box integration with Okta.

Note: PAM360 allows users to configure SAML SSO with the Secondary server as the service provider, so that users can log in to PAM360 through the Secondary server when the Primary is down.

Integrating PAM360 with Okta involves the following four steps:

1. Adding PAM360 as an Application on the Okta Dashboard

  1. Log in to your Okta Admin account and click the Applications tab.

  2. In the new page that opens up,
    1. Click Add Application.

    2. Click on Create New App.

    3. A window pops up asking for the type of application integration. Choose SAML 2.0 and click Create.

    4. Enter the name of the app being added (ME PAM360) as prompted under General Settings. Optionally, upload a logo for the app. When you are done, click Next.

  3. The second step in configuring SAML integration is providing details about the Service Provider (ME PAM360) to Okta.
    1. To access these details, go to the PAM360 home page and select Admin >> Authentication >> SAML Single Sign On.
    2. Under 1. Service Provider Details, you will find the Entity Id, Assertion Consumer URL and Single Sign On URL; copy these values.

      Note: For SAML SSO authentication, the Assertion Consumer URL is based on the server's hostname by default. To change the Assertion Consumer URL, follow the steps below:

      1. Go to Admin >> Settings >> Mail Server Settings.
      2. Under Access URL, update the required URL and click Save.

      The Assertion Consumer URL under Service Provider Details is now updated.

  4. Go back to Okta's SAML Settings page.
  5. For MSP, enter the Assertion Consumer URL from PAM360 under Single sign on URL and select the checkbox Use this for Recipient URL and Destination URL.

  6. For Client Organizations, enter the Single Sign On URL from PAM360 under Single sign on URL.
    1. Deselect the checkbox Use this for Recipient URL and Destination URL and enter the Assertion Consumer URL from PAM360 under Recipient URL and Destination URL.

  7. Enter the Entity Id from PAM360 under Audience URI (SP Entity ID).
  8. After filling in the Single Sign On URL and SP Entity ID (Audience URI) fields, specify how Okta should identify your users to PAM360. Because usernames are represented differently in Okta and in PAM360, you have to specify the Name ID format. There are two scenarios:
    1. Scenario 1: If you have imported users from AD into PAM360, they were imported in the format Domain\Username. For help integrating Okta with your on-premises AD, see Okta's help documentation. In the Okta GUI, choose Custom from the Name ID format drop-down and specify the following custom format:

      ${f:toUpperCase(f:substringBefore(f:substringAfter(user.login, "@"), "."))}${"\\"}${f:substringBefore(user.login, "@")}

    2. Scenario 2: If you have not used AD integration in PAM360, select the option Okta Username Prefix, because Okta identifies users by their full Okta login, whereas in PAM360 user names are depicted only as usernames.

    This step is crucial: only if you specify the correct Name ID format in Okta will you be able to assign the application (PAM360) to users in Okta.

  9. To configure SAML Single Logout, click Show Advanced Settings.
    1. Select the Allow application to initiate Single Logout checkbox to enable Single Logout.
    2. Enter the Single Logout Service URL from PAM360 under Single Logout URL.
    3. Enter the Entity Id from PAM360 under SP Issuer.
    4. Click Browse to upload the PAM360 certificate under Signature Certificate.

    Notes:
    1. SAML Single Logout is applicable from PAM360 build 5304 and above only.
    2. To download the PAM360 certificate, navigate to Admin >> Authentication >> SAML Single Sign-On (Step 1) and click Download SP Certificate File.

  10. Once you have filled in the required details as described above, click Finish to add the application. After it is added, the application details are displayed as shown in the image below. Click Sign On and then select View Setup Instructions. A new tab opens containing the details required to configure SAML 2.0 in PAM360, which is covered in the next step.
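The two Name ID formats from step 8 decide which NameID Okta sends for each user, and a mismatch with the PAM360 user name means that user cannot log in. The following added example (not PAM360 or Okta code) reproduces both mappings so the values can be checked against PAM360 user names before the app is assigned; the logins and user names are constructed, and case-insensitive comparison is an assumption.

```python
from typing import Optional

# Constructed sample inputs: Okta logins and the user names present in PAM360.
OKTA_LOGINS = ["alice@corp.example.com", "bob@corp.example.com", "svc-backup@localhost"]
PAM360_USERS_AD = ["CORP\\alice", "CORP\\carol"]


def name_id_ad(login: str) -> Optional[str]:
    r"""Scenario 1 (users imported from AD): DOMAIN\username.

    Mirrors the custom Name ID expression from step 8:
    ${f:toUpperCase(f:substringBefore(f:substringAfter(user.login, "@"), "."))}${"\\"}${f:substringBefore(user.login, "@")}
    i.e. the first label of the login's domain, upper-cased, a backslash, then the username.
    Returns None for logins without '@' or whose domain has no '.', because what the Okta
    expression yields for those is not described in this guide; flag them instead of guessing.
    """
    user, at, domain = login.partition("@")
    if not at or not user or "." not in domain:
        return None
    return f"{domain.partition('.')[0].upper()}\\{user}"


def name_id_prefix(login: str) -> Optional[str]:
    """Scenario 2 (no AD integration): the Okta username prefix, the part of the login before '@'."""
    user, at, _ = login.partition("@")
    return user if at and user else None


def check_assignments(logins, pam360_users, ad_integrated: bool):
    """Split logins into (matched, unmatched) by whether the NameID Okta would send exists in PAM360.

    Assumes PAM360 compares user names case-insensitively (an assumption, not stated in the guide).
    """
    derive = name_id_ad if ad_integrated else name_id_prefix
    known = {u.lower() for u in pam360_users}
    matched, unmatched = [], []
    for login in logins:
        name_id = derive(login)
        bucket = matched if name_id and name_id.lower() in known else unmatched
        bucket.append((login, name_id))
    return matched, unmatched


if __name__ == "__main__":
    ok, bad = check_assignments(OKTA_LOGINS, PAM360_USERS_AD, ad_integrated=True)
    for login, name_id in bad:
        print(f"{login}: NameID {name_id!r} has no matching PAM360 user; fix before assigning the app")
```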

2. Configuring Okta Details in PAM360

You now need to configure the IdP details in PAM360. This is done in the second step, Configure Identity Provider Details, on PAM360's SAML Single Sign On page. You can either enter the details manually or auto-fill them by uploading the metadata file from the IdP.

    1. Manual Set-up: If you choose to fill in the details manually, get the IdP details (Issuer ID, Login URL and Logout URL) from Okta's Setup Instructions page and enter them in the corresponding fields of step 2 on PAM360's SAML Sign On configuration page. Also download the Okta certificate and upload it to PAM360 (listed as the 3rd step in the PAM360 GUI). Alternatively, you can save the certificate file in the PAM360 File Store or Key Store and select it from there.

    2. Auto-Filling with IdP Metadata File: Scroll down on Okta's SAML 2.0 setup instructions page to find the IdP metadata under Optional. Copy the text and save it in a file with the .xml extension, then upload that .xml file to PAM360. In this case you need not import the IdP certificate into PAM360; it is updated automatically from the metadata.
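The manual and metadata-file set-ups above feed the same fields (Issuer ID, Login URL, Logout URL and the IdP signing certificate). This added example, which is not PAM360 or Okta code, pulls those fields out of a saved IdP metadata .xml so an admin can confirm the file carries them before uploading; the metadata is a constructed sample in the standard SAML 2.0 metadata layout with placeholder host, IdP id and certificate, and preferring the HTTP-POST endpoint is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the standard SAML 2.0 metadata layout; host, IdP id and
# certificate are placeholders, not real Okta values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_CERT_BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/app/EXAMPLE_IDP_ID/slo/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/app/EXAMPLE_IDP_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(idp, tag):
    """HTTP-POST endpoint if present (assumed to be the one PAM360 uses), else the first listed."""
    nodes = idp.findall(f"md:{tag}", NS)
    post = [n for n in nodes if n.get("Binding") == POST]
    chosen = (post or nodes or [None])[0]
    return None if chosen is None else chosen.get("Location")


def parse_idp_metadata(xml_text: str) -> dict:
    """Return Issuer ID, Login URL, Logout URL and signing certificate(s) from IdP metadata.
    Raises ValueError if the file is not IdP metadata or has no signing certificate, since
    without one PAM360 could not verify the IdP's assertion signatures."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not an IdP metadata file")
    certs = [c.text.strip()
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")  # no 'use' attribute means signing and encryption
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             if c.text and c.text.strip()]
    if not certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    return {"issuer_id": root.get("entityID"),
            "login_url": _location(idp, "SingleSignOnService"),
            "logout_url": _location(idp, "SingleLogoutService"),
            "certificates": certs}
```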

3. Assigning PAM360 Application to Users in Okta

After completing the configuration in PAM360, go back to Okta to assign the newly added application to your users. Navigate to Applications >> Assign Applications and select the PAM360 app. Under People, select the desired users and confirm the assignments.

4. Enabling SAML Sign-On in PAM360

The final step of this configuration is enabling SAML Single Sign On in PAM360. It is shown as the 4th step on the SAML page in the PAM360 GUI. Click Enable Now at the bottom right to begin using this feature.

    Note: If Active Directory authentication is enabled for PAM360 login, SAML SSO cannot be enabled. To disable AD authentication, go to Admin >> Active Directory.