---
title: "Okta (SAML)"
slug: "okta-identity-provider"
updated: 2026-05-11T13:07:14Z
published: 2026-05-11T13:07:14Z
canonical: "support.perimeter81.com/okta-identity-provider"
stale: true
---


# Okta (SAML)


## Introduction

This guide explains how to configure Okta as a SAML identity provider for Check Point SASE.

By integrating with Okta, Check Point SASE can authenticate users through the Security Assertion Markup Language (SAML) protocol, ensuring a secure and streamlined login process.

## Supported Features

The Okta/Check Point SASE SAML integration currently supports the following features:

- SP-initiated SSO (only for the SASE ZTNA application portal)
- IdP-initiated SSO (for both the SASE ZTNA application portal and Agent login)
- JIT (Just In Time) Provisioning

## Steps

1. Log in to your Okta account.
2. In the general Okta dashboard, select **Applications**.
3. Using the list of shortcuts on the left-hand side of the screen, select **Browse App Catalog** and search for Harmony SASE. Select our application and click **Add Integration**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/AddIntegration(1).png)
4. From the **Region** list, select your data residency region and click **Done**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/GeneralSetting(2).png)
5. Once the application has been created, click on the **Sign On** tab.
6. Under the SAML 2.0 section, click **More details**, copy the **Sign on URL**, and save it for later.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1699339737088.png)
7. Download the **SAML Signing Certificate** and save it for later.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1699338817867.png)
8. At the top of the **Sign On** page, under the **Settings** section, click **Edit**.
9. Enter only the part of the name that appears before @perimeter81.com.

Example: Enter sase-network, not sase-network@perimeter81.com.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1674161177848.png)

**Workspace Name**

Your Workspace name is the subdomain of your Check Point SASE sign-in URL. For instance, if your sign-in URL is acme.perimeter81.com, your workspace will be "acme". It's important to note that this is case-sensitive.

**OPTIONAL: Group Support**

If you would like a group membership that exists in Okta to sync over to Check Point SASE, make sure the Groups portion has the following syntax:

- Groups: "Matches Regex" `.*` (please note, this is a dot + asterisk)
- You will also need to create the group in Check Point SASE manually for this to work.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1674161082570.png)

## Configuring the SAML 2.0 Application on Check Point SASE

1. Log in to your **Check Point SASE Management Platform**, and navigate to **Settings**, and then **Identity Providers**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/IdentityProvider_Add.jpg)
2. Select **+ Add Provider**.
3. Select **Okta**.
4. Fill in the **Sign In URL** and upload the **SAML Signing Certificate** that you saved earlier.
5. Add your organization's domain.
6. Select **Done**.

## Assigning the App

1. In Okta, navigate to **Applications** and select your SAML 2.0 Application.
2. Click **Assignments**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202021-12-10%20at%2012.40.57%20PM.png)
3. Assign the **People** or **Groups** you would like to get synchronized with Check Point SASE.
4. Fill in any additional information, click **Save and Go Back**, then click **Done**.

## SP-initiated SSO

1. Browse to your Check Point SASE workspace URL.
2. On the login screen click on **Sign in with Okta**.
3. Verify you can successfully connect using your Okta credentials.

## Notes

The following SAML attributes are supported:

| Name | Value |
| --- | --- |
| given_name | user.firstName |
| family_name | user.lastName |
| email | user.email |
| groups | Configured in the app UI; See "Group Support" section above |
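
The following added example (not Check Point or Okta code) decodes a base64 `SAMLResponse` copied from a test login, reads the attributes named in the table, and flags groups released by the `.*` filter that have no manually created group in Check Point SASE. The function names, the sample response and the `sase_groups` set are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("given_name", "family_name", "email")  # names from the table above

def read_attributes(saml_response_b64):
    """Return {attribute name: [values]} from a base64-encoded SAMLResponse."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes:  # SAML never needs a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in a SAML response")
    root = ET.fromstring(xml_bytes)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def review(attrs, sase_groups):
    """Report missing attributes and groups with no manually created SASE group.

    Assumption: group names are compared as exact, case-sensitive strings.
    This inspects attributes only; it does not verify the assertion signature.
    """
    missing = [n for n in REQUIRED if not any(attrs.get(n, []))]
    sent = attrs.get("groups", [])
    unmatched = sorted(g for g in sent if g not in sase_groups)
    return {"missing": missing, "groups_sent": sent, "unmatched_groups": unmatched}

# Constructed sample (not captured from a real tenant): family_name is absent
# and the ".*" group filter has released two groups.
SAMPLE_XML = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="given_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
   <saml:AttributeValue>Engineering</saml:AttributeValue>
   <saml:AttributeValue>Everyone</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>
""".strip()
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(review(read_attributes(SAMPLE_B64), sase_groups={"Engineering"}))
```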


## Recommendations

- To use Okta with [SCIM integration](/v1/docs/about-scim) **(recommended)**, use the following [document](/v1/docs/okta).
- Ensure you have admin access in both Okta and Check Point SASE platforms for a successful integration.
- Always replace placeholders, such as YOUR_WORKSPACE, with the appropriate values during the setup.
- Save your Sign In URL and X509 Signing Certificate from Okta for later use in Check Point SASE.
- Periodically review your Okta configuration settings to ensure they align with any updates or changes made within the Check Point SASE platform.

## Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

**Important note regarding group assignments**

Local users who are not defined through Okta will not be automatically added to or removed from any Okta-associated group they are assigned to. You will need to manually add them to or remove them from any needed group.

## Support Contacts

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.
