Okta SAML SSO Configuration

This page explains how to set up SSO in HashiCorp Cloud Platform (HCP) with the Okta identity provider. Refer to SSO Overview for details about how to manage organizations with SSO enabled.

Configure SSO

Organization owners and admins can set up SSO. To begin configuring SSO:

1. Log in to HCP and go to your organization.
2. Click Settings and then click SSO. The Single Sign-On page appears.
3. Click Configure SSO for your Organization. The Setup SAML SSO page appears, where you will enter the required information for Okta.
4. Assign a default organization role.

Verify Your Domain

You need a DNS record (secret value to set as TXT) to prove ownership of a domain. HCP uses the domain to match the email addresses for SSO. You must use different SSO domains for each HCP organization. If you try to reuse a domain name, the DNS connection request will fail.

To verify your domain:

1. Copy the verification TXT record from the HCP SSO configuration to the DNS records of any email domains your organization uses.
2. Return to the HCP Settings page and add your email address domains.
3. Click Verify domains.

If the verification is successful, you can continue configuring SSO. If the request fails, your changes to the DNS records may not have propagated yet. It can take up to 72 hours.

Initiate SAML Integration

Copy the SSO Sign-on URL and the SAML Entity ID from the HCP Setup SAML SSO page and paste them into Okta.

HCP also requires the email address of all users. HCP provides an Email Attribute Assertion Name that you may copy and paste into Okta as an Attribute Statement.

Within Okta, you must enter the Email Attribute Assertion Name that HCP provides into the Name field with the Value being user.email.

Finalize SSO Settings

To finalize SSO settings:

1. In Okta, go to View Setup Instructions.
2. Paste the Okta SSO Sign-On URL and the Okta Certificate into the HCP Setup SAML SSO page.
3. Assign a default organization role.

Now, users can sign in to your organization through Okta.