# Okta

Pritunl Zero supports single sign-on with Okta and secondary authentication with Okta Verify. SAML attributes will be used to assign roles to the user.

### Okta Push

Okta Push can be enabled for each VPN connection if it is available. If you are using Okta Push but do not want it used for VPN connections, uncheck *Enable Okta Push* in the settings. This configuration option is stored in the database and only needs to be set on one host. The change is applied immediately to all hosts and does not require restarting any hosts.

### Create Pritunl App on Okta

In the *Applications* section of the admin interface click *Add Application*. Then click *Create New App* and select *SAML 2.0*.

![](/files/fexorO9ymn9SmhV4D4kE)

Next name the app `Pritunl` and download the Okta Pritunl logo [pritunl.com/img/pritunl\_okta.png](https://pritunl.com/img/pritunl_okta.png) and click *Upload Logo* then click *Next*.

![](/files/5YYuRyPZcgZFTt1auHkh)

On the next page enter `https://auth.pritunl.com/v1/callback/saml` as the *Single sign on URL* and `pritunl` as the *Audience URI*. Set the *Default RelayState* to the address your users would use to access the Pritunl server such as `https://vpn.example.com`. Then add the two attributes `username` with a value of `user.login` and `email` with a value of `user.email`. Once done click *Next* then *Finish*.

![](/files/Ohm8gGduZ7rQVyMmk0Oz)

### Setting User Roles

User roles can be set using the roles attribute. This attribute can be mapped to a value such as Department. Refer to the OneLogin documentation for setting the value of the roles attribute.

More information on these values is available in the [**Okta Expression Language documentation**](https://developer.okta.com/docs/reference/okta-expression-language/).

![](/files/SHGSS3MjmzTB2C7855N9)
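To show how the `username`, `email` and `roles` attributes configured above, together with the `pritunl` audience and the callback URL, end up as a role assignment, here is an added example in Python. It is not Pritunl Zero's own code: the SAML response is constructed to mirror the app settings on this page, the issuer value is a placeholder, the `okta` default role stands in for whatever default roles you configure, and signature verification (which Pritunl Zero performs with the X.509 certificate copied from Okta) is deliberately left out so the example stays focused on condition checks and attribute handling.

```python
"""Map the attributes in a SAML assertion to a user and role set.

Added example, not Pritunl's own implementation. The sample response is
constructed to match the Okta app on this page: audience `pritunl`, ACS
`https://auth.pritunl.com/v1/callback/saml`, attributes `username`,
`email` and `roles`. Signature verification is out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

EXPECTED_AUDIENCE = "pritunl"
EXPECTED_ACS = "https://auth.pritunl.com/v1/callback/saml"
DEFAULT_ROLES = ["okta"]  # assumed default roles applied to every Okta user

# Constructed sample response; the issuer ID is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://auth.pritunl.com/v1/callback/saml" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/PLACEHOLDER_ISSUER_ID</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>pritunl</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="roles">
        <saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_conditions(response_xml):
    """Return a list of reasons to reject the response (empty when acceptable)."""
    root = ET.fromstring(response_xml)
    problems = []
    # The response must be addressed to our callback URL ...
    if root.get("Destination") != EXPECTED_ACS:
        problems.append("destination mismatch")
    # ... and the assertion must be restricted to our audience URI.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience mismatch")
    return problems


def extract_attributes(response_xml):
    """Collect every attribute in the AttributeStatement as name -> [values]."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_user(response_xml, default_roles=DEFAULT_ROLES):
    """Produce the user record and role set, or raise if the assertion is unacceptable."""
    problems = check_conditions(response_xml)
    if problems:
        raise ValueError("rejected assertion: " + ", ".join(problems))
    attrs = extract_attributes(response_xml)
    username = attrs.get("username", [None])[0]
    if not username:
        raise ValueError("assertion carries no username attribute")
    email = attrs.get("email", [None])[0]
    # Default roles always apply; multi-valued `roles` attribute values are added.
    roles = sorted(set(default_roles) | set(attrs.get("roles", [])))
    return {"username": username, "email": email, "roles": roles}


if __name__ == "__main__":
    print(map_user(SAMPLE_RESPONSE))
```

The audience and destination checks are what keep an assertion issued for a different application (or relayed to a different service) from being accepted at the Pritunl callback, which is why the *Audience URI* and *Single sign on URL* values on this page need to match exactly.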

### Create API Token

Pritunl will require an API token to validate if a user exists and is enabled before allowing a VPN connection. To create a token click *Security* then *API* and *Create Token*. Name the token `Pritunl` and save the token for later.

![](/files/8bGetzShxkzZZn2fJVyg)
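The check the API token enables, validating that a user exists and is enabled before a VPN connection is allowed, can be illustrated with the Okta Users API. The following is an added example in Python and not Pritunl's own implementation: it uses the real `GET /api/v1/users/{login}` endpoint with the `SSWS` token header, but the decision of which account statuses count as "enabled" (only `ACTIVE` here) is an assumption, and the sample user records are constructed so the logic can be exercised offline.

```python
"""Decide whether an Okta user may open a VPN connection.

Added example, not Pritunl's own code. The network call is isolated in
`fetch_user` so the decision logic in `user_allowed` can be run against
constructed responses. Treating only `ACTIVE` as enabled is an assumption.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

ALLOWED_STATUSES = {"ACTIVE"}  # assumption: suspended, locked, deprovisioned etc. are denied


def build_request(okta_domain, api_token, login):
    """Build the Okta Users API request for a single login."""
    url = f"https://{okta_domain}/api/v1/users/{urllib.parse.quote(login, safe='')}"
    return urllib.request.Request(url, headers={
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
    })


def fetch_user(okta_domain, api_token, login):
    """Return (http_status, parsed_body); a 404 means the login does not exist."""
    req = build_request(okta_domain, api_token, login)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def user_allowed(http_status, body):
    """Return (allowed, reason) from the API status code and user record."""
    if http_status == 404:
        return False, "user not found"
    if http_status != 200:
        # Fail closed on any API error rather than letting the connection through.
        return False, f"okta api error {http_status}"
    status = body.get("status")
    if status not in ALLOWED_STATUSES:
        return False, f"user status {status}"
    return True, "ok"


# Constructed sample records in the shape of Okta user objects.
ACTIVE_USER = {"id": "00uEXAMPLE1", "status": "ACTIVE",
               "profile": {"login": "alice@example.com"}}
SUSPENDED_USER = {"id": "00uEXAMPLE2", "status": "SUSPENDED",
                  "profile": {"login": "bob@example.com"}}


if __name__ == "__main__":
    # Live use: status, body = fetch_user("example.okta.com", "<api token>", "alice@example.com")
    print(user_allowed(200, ACTIVE_USER))
    print(user_allowed(200, SUSPENDED_USER))
    print(user_allowed(404, {}))
```

Failing closed on API errors matters here: if the token is revoked or rate limited, a check that defaults to "allow" silently removes the account-status gate this page describes.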

### Add Users to Pritunl App

After the Okta app has been created you will need to add users to the Pritunl app before they are able to use it. This can be done in the *People* tab on the Pritunl app settings on Okta.

### Okta App ID

Next get the Okta app ID from the URL in the Okta application settings. The ID is the last path component of the URL. For example, the ID for the URL `https://pritunl-dev-admin.okta.com/admin/app/pritunlorg473326_pritunl_1/instance/0oarolrfv30ouSTcm2p6/#tab-signon` is `0oarolrfv30ouSTcm2p6`. This ID will be needed in the next step.

### Configure Pritunl Zero

Once the Okta app has been configured click on the app then click *Sign On* and *View Setup Instructions*. In the Pritunl Zero settings tab select *Okta* and click *Add Provider*. Add any default roles that will apply to all users who authenticate with Okta. Copy the *Issuer URL*, *SAML 2.0 Endpoint (HTTP)* and *X.509 Certificate* from the Okta web console.

For Okta Push authentication add the Okta secondary provider on the right side. Set the Okta domain to the company Okta login domain. Then set the Okta API token. Write access on the token is required for push authentication. A policy will need to be created to apply the secondary authentication requirement to users.

Use the API token from earlier to fill in *OneLogin API Client ID* and *OneLogin API Client Secret*.

![](/files/Gs2Fu5zCgNES0oGs85WR)

![](/files/iBkBB5rhC4ByRReF4oB6)
