Showing results for 
Show  only  | Search instead for 
Did you mean: 

Configure SAML based single sign on with IIQ using Okta

Configure SAML based single sign on with IIQ using Okta

We have two set of configuration to be done,


1. Configure application on Okta with SAML assertion

2. Configure SAML based SSO authentication in IIQ


Complete the below steps in Okta.


This document will not cover step by step navigation to add new application within Okta, but with configuration setting for IIQ application.



Attribute Statements will list the assertion attributes within IIQ. In this case, User Name attribute will be the assertion attribute within IdentityIQ.


Complete the below steps in IIQ


1. Login to IIQ -> System Setup -> Login Configuration -> SSO Configuration


2. Check Enable SAML Based Single Sign-On (SSO)


3. Complete the details as shown, below information can be filled with ease using metadata/ config xml obtained from Okta.


SAML URL (Assertion Consumer Service) will be IIQ dashboard url


4. SAML correlation rule should return either link or identity object information


import sailpoint.object.Identity;

Identity ident;

String UserName = (String)assertionAttributes.get("User Name");

ident = context.getObjectByName(Identity.class, UserName);

return ident;


5. Save the configuration.

6. The SAML settings are stored within IIQ as Configuration object.

7. This completes configuration at IIQ.


Note: Once SAML is enabled, logout on UI (Web UI or Mobile UI) will be disabled. If you need application specific logout for IIQ, you need to have customization on extApppage.xhtml, appPage.xhtml and uiPage.xhtml and have bean class to support logout function.

Labels (1)

Does anyone have an updated correlation rule for 8.x environment?

I am getting this error when trying in 8.x version:

2021-04-21T15:47:29,722 DEBUG tomcat-http--48 sailpoint.web.sso.SAMLSSOAuthenticator:585 - SAML Correlation result: null
2021-04-21T15:47:29,722  WARN tomcat-http--48 sailpoint.web.sso.SAMLSSOAuthenticator:280 - Unable to correlate SAML Assertion to Identity via SAMLCorrelationRule


The SAML Consumer Service URL will be different between IIQ versions.


SAML URL (Assertion Consumer Service) — The URL of the SSO service on the SP(IIQ).

  1. I.  In versions prior to IIQ7.0, path is:

  2. II.  In version IIQ7.0 and later, path is:


Version history
Revision #:
4 of 4
Last update:
‎Sep 21, 2023 03:40 PM
Updated by: