A SAML application must be created for MIG (Mirror Gateway) in Okta prior to provisioning MIG.
To configure the user-initiated Mirror Gateway flow, do the following:
1. Create a custom SAML application in your Okta tenant. Steps:
1.1 Create a custom SAML application to be able to download the metadata file:
Create a new SAML 2.0 app.
Select an app name (this information will only be used internally).
Select "Do not display application to the end user" (this information will only be used internally).
Click Next
The values for the SSO URL and the Audience URI will be provided by the MIG team following configuration. In the meantime, use https://test.com as a placeholder.
Add a custom SAML attribute to the application:
IDPEmail = user.email
Mapping attributes for Office (Optional for Google)
Mirror Gateway supports additional custom SAML attributes that can be used to affect the structure of the SAML response:
Click Next
Finish the survey and click Finish.
The application will be created and presented:
Right-click the Identity Provider Metadata link and download the metadata file.
Please provide the file to complete the provisioning process.
2. Okta Configuration
In the previous step, we left two placeholders in the Okta custom SAML application configuration.
Edit the application and replace them with the following values:
ACS URL:
EntityID:
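
Once the real values are in place, a decoded SAML response from a test sign-in can be checked to confirm that the https://test.com placeholders are gone and that the IDPEmail attribute is being sent. The script below is an added example, not part of the original guide or of Mirror Gateway tooling; the function names, the sample response and the mig.example.invalid URLs are constructed for illustration. It checks configuration only and does not verify the response signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PLACEHOLDER = "https://test.com"  # temporary value entered in step 1.1

def check_response(xml_text, placeholder=PLACEHOLDER):
    """Return a list of configuration problems in a decoded SAML response."""
    if "<!DOCTYPE" in xml_text:
        # SAML messages never need a DTD; refuse it to avoid entity expansion.
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(xml_text)
    problems = []
    # Destination carries the SSO (ACS) URL configured in the application.
    if root.get("Destination", "").rstrip("/") == placeholder:
        problems.append("Destination (ACS URL) is still the placeholder")
    # Audience carries the Audience URI (EntityID) configured in the application.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if not audiences:
        problems.append("no Audience element")
    elif any(a.rstrip("/") == placeholder for a in audiences):
        problems.append("Audience (EntityID) is still the placeholder")
    # The custom attribute from step 1.1: IDPEmail = user.email
    path = ".//saml:Attribute[@Name='IDPEmail']/saml:AttributeValue"
    if not any(v.text and v.text.strip() for v in root.iterfind(path, NS)):
        problems.append("IDPEmail attribute missing or empty")
    return problems

def constructed_response(dest, audience, attr_name):
    """Build a minimal, unsigned sample response (constructed test data)."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'Destination="{dest}"><saml:Assertion><saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
        f'<saml:Attribute Name="{attr_name}"><saml:AttributeValue>alice@example.com'
        f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
        f'</saml:Assertion></samlp:Response>'
    )

if __name__ == "__main__":
    # Placeholder values in the URLs below stand in for those from the MIG team.
    good = constructed_response("https://mig.example.invalid/acs",
                                "https://mig.example.invalid/entity", "IDPEmail")
    stale = constructed_response("https://test.com", "https://test.com", "email")
    print("configured app:", check_response(good))
    print("unfinished app:", check_response(stale))
```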