App Control: How to Configure SAML Integration with Okta
Article ID: 288857
Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to configure Okta SAML Integration with App Control

Environment

  • App Control Console: All Supported Versions
  • Okta: All Supported Versions

Resolution

In the App Control Console:
  1. Go to System Configuration > SAML Login.
  2. In the Service Provider section, switch from "XML" to "Manual" view and take note of the following URLs:
    Entity ID: https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp
    Single Sign-On URL: https://APPCSERVER/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

Login to Okta:

  1. On the main page, click the "Admin" button on the top right.
  2. Click "Add Applications" on the right side menu.
  3. Click the "Create New App" button on the left.
  4. Select "Web" and "SAML 2.0" and click "Create".
  5. Enter App name and other options then click "Next".
  6. Single sign-on URL use:
    https://APPCSERVER/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
  7. Audience URI use:
    https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp
  8. Configure the Name ID Format to use Email Address
  9. Application username: Email
  10. Complete the internal app creation
  11. On the next screen, right click "Identity Provider metadata" and select "Save link as" and save the XML file.

In the App Control console:

  1. Go to System Configuration > SAML Login.
  2. Click "Add Identity Provider".
  3. Enter a provider name (This will appear on the login page).
  4. Click "Choose File" > point to the XML and Save.

You should now be able to log in to the App Control console from the Applications section in the Okta app.

Additional Information

A user with an email address matching the Okta email address must exist in the App Control console before a SAML login can succeed. The console login account can be created initially either:
  • Manually from the Login Accounts menu in the console
  • By logging in with an Active Directory user account first before attempting SAML
The expected SAML assertion name id format should look similar to:
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID>
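As an added troubleshooting check (not part of the original article), the following Python parses a SAML response and verifies the three things the steps above depend on: the NameID Format is emailAddress (Okta step 8), the Audience equals the SP Entity ID (Okta step 7), and the NameID email matches an existing console login account. The sample response and the login list are constructed; APPCSERVER is the same placeholder for the console hostname used above.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 responses and assertions.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# SP Entity ID from the console's SAML Login page; APPCSERVER is a placeholder hostname.
SP_ENTITY_ID = "https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp"

# Constructed sample: a minimal, unsigned response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://APPCSERVER/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, console_logins, sp_entity_id=SP_ENTITY_ID):
    """Return a list of configuration problems found; an empty list means the assertion matches the setup."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["assertion has no NameID"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is %r, expected emailAddress (Okta step 8)" % name_id.get("Format"))
    email = (name_id.text or "").strip()
    # App Control matches the NameID against the email of an existing console login account.
    if email.lower() not in {e.lower() for e in console_logins}:
        problems.append("no console login with email %r; create it first" % email)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience %r does not match the SP Entity ID (Okta step 7)" % audiences)
    return problems
```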