Paxata Cloud Admin: Assisted SAML Login Integration Setup Guide

Paxata Support can assist you with setting up SAML 2.0 authentication for your Paxata.com Tenant. In this article, you will learn:

1. Example steps to create a SAML 2.0 application in Okta.
2. What Paxata Support needs in order to set up SAML 2.0 authentication for your Paxata.com Tenant.

Example steps to create SAML 2.0 application in Okta

  1. Define an alias. It can be any value. For example: tenantOrange. No action is required at this point.
  2. Define the SP Entity Id. It can be any value in URI format. For example, urn:orange:tenantOrange:sso:paxata.com. No action is needed at this point.
  3. Log in to Okta as an admin. Create your SAML application in Okta by clicking "Create New App".
  4. Choose SAML 2.0 in the popup and click Create.
  5. In General Settings, enter your SAML application name, such as "Paxata", and click Next.
  6. In the Okta SAML Settings step, set the following values:
    1. Single Sign On URL (aka Assertion Consumer Service) -- core server hostname URL + "/sso/saml/SSO/alias/" + alias. For example, https://orange.paxata.com/sso/saml/SSO/alias/tenantOrange
    2. Check the "Use this for Recipient URL and Destination URL" checkbox, so that the SSO URL, Recipient URL and Destination URL are identical.
    3. Audience Restriction (SP Entity Id). For example, urn:orange:tenantOrange:sso:paxata.com
    4. Name ID Format: EmailAddress
    5. Application Username: Okta username
    6. Add two Attribute Statements: 1. Name: email; Value: ${user.email}; 2. Name: displayName; Value: ${user.firstName}
    7. Add a Group Attribute Statement: Name = ds_groups; Value Filter Contains "Paxata" (or whatever Okta groups are allowed to log in to Paxata).
    8. Click Next. Choose "I'm a software vendor. I'd like to integrate my app with Okta". Click Finish. The SAML application is created.
    9. Create Okta groups and assign users to each group. Paxata maps these groups to Paxata groups and roles, so that users can log in to paxata.com with the appropriate groups and roles.

What Paxata Support needs:

0. (Optional) REST token from your paxata.com user. After setup is completed, you can regenerate the token, which will automatically invalidate the old tokens.
1. All values with underscore field names above, such as:

Alias
SP Entity Id
Single Sign On URL (aka. Assertion Consumer Service)
Audience Restriction (SP Entity Id)
Attribute Statements
Group Attribute Statements


2. Identity Provider Metadata. In Okta, you can download this file from the application's Sign On tab.
3. List of Okta groups of users who will be able to log in to Paxata.com. For example:

Sample Paxata Okta Business Users Group
Sample Paxata Okta Admin Group

4. List of roles the Okta groups should be assigned to. For example:

"roleMapping" : [
    {
      "remoteName" : "Sample Paxata Okta Business Users Group",
      "paxataName" : "PowerUser"
    },
    {
      "remoteName" : "Sample Paxata Okta Business Users Group",
      "paxataName" : "Automation"
    },
    {
      "remoteName" : "Sample Paxata Okta Business Users Group",
      "paxataName" : "RemoteAccess"
    },
    {
      "remoteName" : "Sample Paxata Okta Admin Group",
      "paxataName" : "ResourceAdmin"
    },
    {
      "remoteName" : "Sample Paxata Okta Admin Group",
      "paxataName" : "Admin"
    },
    {
      "remoteName" : "Sample Paxata Okta Admin Group",
      "paxataName" : "Automation"
    },
    {
      "remoteName" : "Sample Paxata Okta Admin Group",
      "paxataName" : "RemoteAccess"
    }
  ]

5. List of Paxata local groups the Okta groups should be assigned to. For example:

"groupMapping" : [
    {
      "remoteName" : "Sample Paxata Okta Business Users Group",
      "paxataName" : "Pax-AllUsers"
    },
    {
      "remoteName" : "Sample Paxata Okta Admin Group",
      "paxataName" : "Pax-AllUsers"
    }
  ]

Please provide the information above to Paxata Support. We will set up the SAML application for you. You will get a notification email from us when the setup is completed.
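
A consistency check you can run over these values before sending them, as an added example (not Paxata's or Okta's code). The bundle layout and its keys alias, spEntityId, audience, ssoUrl and oktaGroups are hypothetical; roleMapping, groupMapping, remoteName and paxataName follow the samples above, and the ds_groups filter is assumed to be a plain substring match.

```python
from urllib.parse import urlparse

ACS_PATH = "/sso/saml/SSO/alias/"  # path from the Single Sign On URL step

def acs_url(core_url, alias):
    """Core server hostname URL + ACS path + alias."""
    return core_url.rstrip("/") + ACS_PATH + alias

def check_bundle(b, group_filter="Paxata"):
    """Return (problems, roles_by_group) for a bundle in the hypothetical layout."""
    problems = []
    u = urlparse(b["ssoUrl"])
    if u.scheme != "https":
        problems.append("Single Sign On URL is not https")
    if b["ssoUrl"] != acs_url(f"{u.scheme}://{u.netloc}", b["alias"]):
        problems.append("Single Sign On URL is not host + ACS path + alias")
    if not urlparse(b["spEntityId"]).scheme:
        problems.append("SP Entity Id is not in URI format")
    if b["audience"] != b["spEntityId"]:
        problems.append("Audience Restriction differs from SP Entity Id")
    # Collect the roles each remote group would receive, for review.
    roles_by_group = {}
    for e in b["roleMapping"]:
        roles_by_group.setdefault(e["remoteName"], set()).add(e["paxataName"])
    mapped = set(roles_by_group) | {e["remoteName"] for e in b["groupMapping"]}
    for name in sorted(mapped):
        if name not in b["oktaGroups"]:
            problems.append(f"mapping names an unlisted Okta group: {name}")
        if group_filter not in name:  # assumption: filter is a substring match
            problems.append(f"group would not pass the ds_groups filter: {name}")
    return problems, roles_by_group

# Constructed sample built from the example values in this article.
BIZ, ADMIN = "Sample Paxata Okta Business Users Group", "Sample Paxata Okta Admin Group"
SAMPLE = {
    "alias": "tenantOrange",
    "spEntityId": "urn:orange:tenantOrange:sso:paxata.com",
    "audience": "urn:orange:tenantOrange:sso:paxata.com",
    "ssoUrl": "https://orange.paxata.com/sso/saml/SSO/alias/tenantOrange",
    "oktaGroups": [BIZ, ADMIN],
    "roleMapping": [{"remoteName": g, "paxataName": r} for g, r in
                    [(BIZ, "PowerUser"), (ADMIN, "Admin"), (ADMIN, "ResourceAdmin")]],
    "groupMapping": [{"remoteName": g, "paxataName": "Pax-AllUsers"} for g in (BIZ, ADMIN)],
}

if __name__ == "__main__":
    problems, roles = check_bundle(SAMPLE)
    print({g: sorted(r) for g, r in roles.items()}, problems or "consistent")
```

The per-group role summary is worth reading before submission, since it shows in one place which Okta group memberships lead to Admin or ResourceAdmin.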

Happy data prepping!