Setup Okta IdP Initiated Flow for On-Prem¶
This guide explains how to configure Okta Identity Provider (IdP) initiated SSO flow for the Traceable Platform.
Overview¶
IdP-initiated flow allows users to login to Traceable directly from the Okta dashboard by clicking on the application tile, without first visiting the Traceable login page.
After completing this setup, users can use both:
- SP-initiated flow: Login from Traceable UI → Redirect to Okta
- IdP-initiated flow: Login from Okta dashboard → Redirect to Traceable
Prerequisites¶
- SAML SP-initiated flow already configured (see SAML Setup)
- Access to Keycloak admin console
- Access to Okta admin console
Authentication Flow¶
┌─────────┐ ┌─────────┐ ┌───────────┐ ┌────────────┐
│ User │────▶│ Okta │────▶│ Keycloak │────▶│ Traceable │
│ │ │ (IdP) │ │ (SP) │ │ Platform │
└─────────┘ └─────────┘ └───────────┘ └────────────┘
│ │ │ │
│ Click App │ │ │
│──────────────▶│ │ │
│ │ SAML Response │ │
│ │───────────────▶│ │
│ │ │ Authenticated │
│ │ │─────────────────▶│
│ │ │ │
│◀─────────────────────────────────────────────────│
│ Platform Access │
Keycloak Configuration¶
Step 1: Create SAML Client¶
- Login to Keycloak:
https://<platform-dns>/auth - Select Traceable realm
- Navigate to Clients → Create client
- Configure:
- Client type: SAML
- Client ID:
traceableidp(or any name)
Step 2: Configure Client Settings¶
- Set IDP-Initiated SSO URL name to the same value as Client ID (e.g.,
traceableidp) - Save the configuration
Client Endpoint URL:
Save this URL - it will be used in Okta configuration.
Step 3: Configure Advanced Settings¶
- Navigate to the Advanced tab of the client
- Set the Assertion Consumer Service POST Binding URL to the platform URL:
- Save the configuration
Okta Configuration¶
Step 1: Edit Existing SAML Application¶
Open your existing Traceable SAML application in Okta admin console.
Step 2: Update Single Sign-On URL¶
Set Single Sign On URL to the client endpoint URL from Keycloak:
Step 3: Verify SP Entity ID¶
Ensure SP Entity ID (Audience URI) is set to:
Step 4: Configure Advanced Settings¶
In SAML settings, navigate to Advanced Settings and add the original SSO URL as an additional requestable SSO URL:
| Index | URL |
|---|---|
| 0 | https://<platform-dns>/auth/realms/traceable/broker/saml/endpoint |
This preserves the SP-initiated flow functionality.
Step 5: Save Configuration¶
Save all changes to the Okta application.
Complete SAML Settings Example¶
Single Sign On URL:
https://traceable.example.com/auth/realms/traceable/broker/saml/endpoint/clients/traceableidp
SP Entity ID (Audience URI):
https://traceable.example.com/auth/realms/traceable
Other Requestable SSO URLs:
Index 0: https://traceable.example.com/auth/realms/traceable/broker/saml/endpoint
Verification¶
Test IdP-Initiated Flow¶
- Login to Okta
- Click on the Traceable application tile
- You should be redirected to Traceable and automatically logged in
Test SP-Initiated Flow¶
- Navigate to Traceable login page
- Click Sign in with SAML
- You should be redirected to Okta, then back to Traceable
Both flows should work after configuration.
Troubleshooting¶
IdP Flow Returns Error¶
Symptoms: Error page after clicking Okta tile.
Solutions:
- Verify Client ID matches IDP-Initiated SSO URL name in Keycloak
- Check Single Sign On URL in Okta matches Keycloak client endpoint
- Verify SP Entity ID is correct
- Check Keycloak logs for errors:
SP Flow Broken After IdP Setup¶
Symptoms: SP-initiated flow no longer works.
Solutions:
- Verify the original SSO URL is added as "Other Requestable SSO URL" with index 0
- Check that both URLs are correctly configured in Okta
User Not Found Error¶
Symptoms: Authentication succeeds but user not found in Traceable.
Solutions:
- Verify SAML attribute mappers are configured in Keycloak
- Check MongoDB tenant configuration has correct connection IDs
- Review IAM logs for detailed errors
Redirect Loop¶
Symptoms: Browser stuck in redirect loop.
Solutions:
- Clear browser cookies
- Verify redirect URLs match exactly (including trailing slashes)
- Check for protocol mismatches (http vs https)
Security Considerations¶
- HTTPS Only: Always use HTTPS for all URLs
- Signed Assertions: Enable assertion signing in Okta
- Audience Restriction: Verify audience URI is correctly set
- Session Timeout: Configure appropriate session timeouts in both Okta and Keycloak
Related Documentation¶
- SAML Setup - SP-initiated SAML configuration
- Password Reset - Alternative authentication
Support¶
For IdP configuration assistance, contact: support@harness.io
Provide the following information:
- Okta application configuration (screenshots with sensitive data redacted)
- Keycloak client configuration
- Error messages
- Browser network trace (HAR file)