Configure Okta with Password Safe

  1. Log in to the Okta admin portal.

    Screen Capture of Okta Add Application Button

  2. Click Add Application.

    Screen Capture of Okta Create New App Button

  3. Click Create New App.
  4. Select SAML 2.0 as the sign-in method.

    Screen capture of SAML 2.0 option and the Create Button in Okta Create New Application Integration

  5. Click Create.

    Screen capture of adding an App Name in the Okta Create SAML Integration window

  6. Enter the application name, and then click Next.
  7. Enter the single sign-on URL, where <ServerURL> is the host name of your BeyondInsight server:

    https://<ServerURL>/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx

  8. Check the Use this for Recipient and Destination URL box. Okta then sets the Destination of the response and the Recipient of the assertion to this same URL; a SAML 2.0 service provider verifies that the Recipient matches its own assertion consumer service URL, so leave this checked.
  9. Enter the audience URI (SP entity ID):

    https://<ServerURL>/eEye.RetinaCSSAML

    This value is compared as an exact string against the Entity ID you later enter in Password Safe, so use the same host name, case, and trailing slash (or none) in both places.

Screen Capture of Select Okta Username in SAML Settings Create SAML Integration

  10. From the Application username list, select Okta username.

 

SLO Optional Setting

  1. Click Show Advanced Settings.
  2. Select Enable Single Logout.
  3. Fill in the Single Logout URL, where <FQDN> is the same BeyondInsight host used for the single sign-on URL:

    https://<FQDN>/eEye.RetinaCSSAML/SAML/SLOService.aspx

  4. Fill in the SP Issuer:

    https://<FQDN>/eEye.RetinaCSSAML/

    Okta uses this value to identify the service provider in logout requests; it should match the SP Entity ID configured in Password Safe exactly.
  5. Select the SP Public Certificate.cer certificate. This is the service provider certificate that Password Safe offers for download after the SAML configuration is saved; Okta uses it to verify signed logout requests from the service provider. If you have not yet saved the SAML configuration in Password Safe, skip this step and return to it once the certificate is available.
  6. Click Upload Certificate.

Set Okta attributes for the Attribute Statement in SAML Settings

  1. Add attributes, and then click Next.
    • Group: Set as a literal (not an Okta expression). The value must match, exactly, the name of a group created in BeyondInsight or imported from AD. For an AD group use the BeyondInsight format Domain\GroupName; a bare group name without the domain does not match.
    • Name: (optional)
    • Email: (optional)
    • Surname: (optional)
    • GivenName: (optional)

     

Screen capture of settings for Okta Support

  1. Select the appropriate settings for Okta support, and then click Finish.

Screen Capture of View Setup Instructions for SAML 2.0 Settings

  2. Click View Setup Instructions.

Screenshot of OKTA Configuration details to use in following steps.

  3. Copy the Identity Provider Single Sign-On URL. Save the value for the Password Safe configuration below.
  4. Copy the Identity Provider Issuer. Save the value for the Password Safe configuration below.
  5. Click Download certificate. This is the Okta signing certificate that you upload to Password Safe.

 

Configure SAML in Password Safe

  1. Go to the Dashboard or Menu and click Configuration, then, under Authentication Management, click SAML Configuration.

Screenshot of SAML Configuration information fields, with OKTA values entered.

  2. For Identifier, enter the Okta value Identity Provider Issuer.
  3. For Single Sign-on Service URL, enter the Okta value Identity Provider Single Sign-On URL.
  4. If available, set Single Logout Service URL to the Okta value Identity Provider Single Logout URL.
  5. Select HTTP POST as the protocol binding for both SSO and SLO.

Screenshot of SAML Configuration details of Service Provider certificate and update button.

  6. Under Encryption and Signing Configuration, check the applicable boxes. A typical configuration is shown; however, depending on your Okta settings, some selections may differ. The signing options must match what Okta actually signs (the response, the assertion, or both); a mismatch causes every login to fail signature validation.

Screenshot of SAML Configuration Service Provider settings, and Save button.

  7. Upload the Okta X.509 certificate downloaded from the Okta setup instructions page. Password Safe uses it to verify the signatures on Okta's responses, so it must be the current Okta signing certificate.

Download Certificate from the Service Provider Settings page

  8. Enter the service provider Entity ID. It must be identical to the audience URI (SP entity ID) entered in Okta.
  9. Click SAVE SAML CONFIGURATION.
  10. Once the SAML configuration is saved, a public SP certificate is available to download. Upload it to the IdP if required (for Okta, in the single logout settings).
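A consistency check for the values entered in the two procedures above, as an added example that is not part of the BeyondTrust documentation or of the product: the script parses a constructed Okta-style SAML Response (not a real capture; the signature and certificate bodies are placeholders) and compares its Destination, Recipient, Audience, Issuer, signing-certificate fingerprint and Group attribute against what was typed into Okta (single sign-on URL, audience URI, Group literal) and into Password Safe (Identifier, Entity ID, uploaded Okta certificate). The host name bi.example.com, the Okta issuer value and the group name are assumptions. It does not verify the XML signature itself; that is what Password Safe does with the uploaded certificate. Capture a real response with the browser developer tools (the SAMLResponse form field, base64-decoded) and substitute it for the sample.

```python
# Added example, not BeyondTrust or Okta code. SAMPLE_RESPONSE is constructed to mirror
# the layout of an Okta response; the certificate body is a placeholder. Host name,
# Okta issuer and group name are assumptions.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values typed into the two consoles (assumed BeyondInsight host and Okta org).
SP_SETTINGS = {
    "acs_url": "https://bi.example.com/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx",
    "entity_id": "https://bi.example.com/eEye.RetinaCSSAML",
    "idp_issuer": "http://www.okta.com/exkEXAMPLE",  # "Identity Provider Issuer" from Okta's setup page
    "groups": {r"EXAMPLE\PasswordSafeUsers"},        # group names known to BeyondInsight
}

# Stand-in for the Okta X.509 certificate uploaded to Password Safe. A real one is DER/PEM;
# only its SHA-256 fingerprint is compared here.
IDP_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

SAMPLE_RESPONSE = r"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="id1" Version="2.0" Destination="https://bi.example.com/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id2" Version="2.0">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://bi.example.com/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://bi.example.com/eEye.RetinaCSSAML</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Group"><saml:AttributeValue>EXAMPLE\PasswordSafeUsers</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".format(cert=IDP_CERT_B64)


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate body (whitespace tolerated)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def check_response(xml_text: str, sp: dict, idp_cert_b64: str) -> list:
    """Return mismatches between the Response and the SP settings; [] means consistent.
    Identifiers and attributes only: the XML signature itself is not verified here."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain Assertion (an EncryptedAssertion needs the SP private key to inspect)"]

    def expect(label, actual, wanted):
        # SAML identifiers are exact strings: a trailing slash or different case is a mismatch.
        if actual != wanted:
            findings.append(f"{label}: got {actual!r}, expected {wanted!r}")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    expect("Response Destination", root.get("Destination"), sp["acs_url"])
    expect("Assertion Recipient", None if scd is None else scd.get("Recipient"), sp["acs_url"])
    expect("Audience (SP Entity ID)",
           assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
           sp["entity_id"])
    expect("Response Issuer", root.findtext("saml:Issuer", namespaces=NS), sp["idp_issuer"])
    expect("Assertion Issuer", assertion.findtext("saml:Issuer", namespaces=NS), sp["idp_issuer"])

    # The certificate carried in the signature must be the one uploaded to Password Safe.
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None:
        findings.append("assertion carries no ds:Signature with an X509Certificate")
    else:
        expect("signing certificate SHA-256", fingerprint(cert), fingerprint(idp_cert_b64))

    # Group is the literal BeyondInsight maps to a role; AD groups must be Domain\GroupName.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    group = attrs.get("Group")
    if group not in sp["groups"]:
        findings.append(f"Group attribute {group!r} is not a BeyondInsight group (AD groups: Domain\\GroupName)")
    return findings


def demo() -> dict:
    """The good sample plus two misconfigurations this page warns about."""
    good = SP_SETTINGS["entity_id"]
    slash = SAMPLE_RESPONSE.replace(f"<saml:Audience>{good}<", f"<saml:Audience>{good}/<")
    no_domain = SAMPLE_RESPONSE.replace(r"EXAMPLE\PasswordSafeUsers", "PasswordSafeUsers")
    return {
        "good": check_response(SAMPLE_RESPONSE, SP_SETTINGS, IDP_CERT_B64),
        "trailing_slash_on_entity_id": check_response(slash, SP_SETTINGS, IDP_CERT_B64),
        "group_without_domain": check_response(no_domain, SP_SETTINGS, IDP_CERT_B64),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

The two deliberate failures are the ones that produce a silent "access denied" in practice: an Entity ID that differs only by a trailing slash, and a Group literal entered without the Domain\ prefix. Both pass through Okta without complaint and are only caught when the service provider compares the values as exact strings.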

 

Disable Forms Login

In environments where SAML, smart card, or claims-aware authentication is configured, we recommend enabling the Disable Forms Login authentication option so that users cannot bypass the identity provider by signing in through the standard BeyondInsight login form.

To disable forms login for existing users, enable this option directly on a user account as follows:

  1. Click the vertical ellipsis for the user account, and then click Edit User Details.

Screenshot of Disable Forms Login option on a User account.

  2. Under Authentication Options, toggle Disable Forms Login to enable the option.

Please contact support for assistance if you need to bulk-apply this setting to existing accounts.

 

To have forms login disabled automatically for newly created users:

Screenshot of the Forms Login Options

  1. Navigate to Configuration > Authentication Management > Authentication Options.
  2. Under Forms Login Options, enable one or both options as applicable:
    • Disable Forms Login for new directory accounts
    • Disable Forms Login for new local accounts