What’s in this doc
- Getting Started
- Step 1: Email Trusona
- Step 2: Log into the Okta admin portal
- Step 3: Create API token
- Step 4: Add Origin
- Step 5: Create a group
- Step 6: Create an Identity Provider
- Step 7: Create new Sign-On policy
- Step 8: Send Trusona your configuration details
- Step 9: Create Routing Rule
- Step 10: Create a Trusona Registration application
- Step 11: Create an Assignment
- Step 12: Customizing your Trusona experience
- Provide images
- Provide hex values
- Okta Identifier Registration
Step 1: Email Trusona
Send an email to firstname.lastname@example.org with the following information:
Subject: Okta Integration
- Company name
- Email domain(s) associated with your Okta users
- Optional: a vanity URL (the URL users see while on the Trusona gateway), for example:
Gateway url: https://okta98098.gateway.trusona.net/sessions/new
Vanity url: https://login.yourcompany.com/sessions/new
Setting up a vanity url
Add a new CNAME DNS record for your domain.
- Set the “host” value to the URL you’d like users to see when logging in
- Set the “Answer” value to
- Set the TTL to 300
Here’s an example of a CNAME answer when retrieved by
tada.trusona.com. 3600 IN CNAME ssl.trusona.net.
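Before sending the vanity URL to Trusona, it is worth confirming that the CNAME resolves to the right target: a record that points anywhere other than `ssl.trusona.net.` would send users to a host Trusona does not control. The following check is an added example, not part of this guide or any Trusona tooling. It parses a DNS answer line in the presentation format shown above (the format `dig` prints in its ANSWER section) and compares it with the values from the step above; the expected target and the 300-second TTL are taken from the guide, everything else (the sample `dig` output, the `login.yourcompany.com` host) is a constructed placeholder.

```python
import re

# Values taken from the guide's DNS step: the CNAME target Trusona uses and
# the TTL the guide asks for. Nothing else in this file comes from Trusona.
EXPECTED_TARGET = "ssl.trusona.net."
EXPECTED_TTL = 300

# One presentation-format record line, e.g.
# "tada.trusona.com. 3600 IN CNAME ssl.trusona.net."
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$"
)


def parse_record(line):
    """Parse one record line into a dict; raise ValueError if it is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not a DNS record line: %r" % line)
    rec = m.groupdict()
    rec["ttl"] = int(rec["ttl"])
    return rec


def find_answer_records(dig_output):
    """Return the record lines from dig output, skipping ';' comment lines and blanks."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        try:
            records.append(parse_record(line))
        except ValueError:
            continue  # anything that is not a record line is ignored
    return records


def _canon(name):
    """Normalise a DNS name for comparison: drop the trailing dot, ignore case."""
    return name.rstrip(".").lower()


def check_vanity_cname(line, vanity_host, expected_target=EXPECTED_TARGET,
                       expected_ttl=EXPECTED_TTL):
    """Compare one answer line against the guide's vanity-URL CNAME setup.

    Returns a list of human-readable problems; an empty list means the record
    matches. A TTL mismatch is reported as well, because a long TTL delays any
    correction to a mistyped target.
    """
    rec = parse_record(line)
    problems = []
    if _canon(rec["name"]) != _canon(vanity_host):
        problems.append("record is for %s, expected %s" % (rec["name"], vanity_host))
    if rec["rtype"] != "CNAME":
        problems.append("record type is %s, expected CNAME" % rec["rtype"])
    elif _canon(rec["rdata"]) != _canon(expected_target):
        problems.append("target is %s, expected %s" % (rec["rdata"], expected_target))
    if rec["ttl"] != expected_ttl:
        problems.append("TTL is %d, guide asks for %d" % (rec["ttl"], expected_ttl))
    return problems


def check_dig_output(dig_output, vanity_host, **kwargs):
    """Run check_vanity_cname over the first CNAME answer found in dig output."""
    cnames = [r for r in find_answer_records(dig_output) if r["rtype"] == "CNAME"]
    if not cnames:
        return ["no CNAME answer found for %s" % vanity_host]
    first = cnames[0]
    line = "%s %d IN CNAME %s" % (first["name"], first["ttl"], first["rdata"])
    return check_vanity_cname(line, vanity_host, **kwargs)


# Constructed sample: roughly what `dig CNAME login.yourcompany.com` prints once
# the record from the guide is in place (300 s is the TTL the guide asks for).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG <<>> CNAME login.yourcompany.com
;; ANSWER SECTION:
login.yourcompany.com.\t300\tIN\tCNAME\tssl.trusona.net.
"""

if __name__ == "__main__":
    # The guide's own example line carries a 3600 s TTL, so only the TTL is flagged.
    print(check_vanity_cname("tada.trusona.com. 3600 IN CNAME ssl.trusona.net.",
                             "tada.trusona.com"))
    print(check_dig_output(SAMPLE_DIG_OUTPUT, "login.yourcompany.com"))
```

Pipe the real output of `dig CNAME <your vanity host>` into `check_dig_output` after the record has propagated; an empty list means the host, record type and target all match the guide.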
Trusona will send you the following via email:
- IdP Signature Certificate
- Origin URL (this is your vanity URL; if you are not using a vanity URL, Trusona will provide the Origin URL)
- IdP Single Sign-On URL
Step 2: Log into the Okta admin portal
If you are logged into the developer portal by default, then select the dropdown that reads Developer Console and click Classic UI.
If you see this page with an Admin button, click the Admin button.
Step 3: Create API token
Navigate to “Security” > “API” and then click the Create Token button.
Copy your API token (“Token Value” in the above image) and save it somewhere safe. You will send this to Trusona along with other information in step 8.
Step 4: Add Origin
Navigate to “Security” > “API” > “Trusted Origins” and click the Add Origin button.
- Name your Origin Trusona
- Trusona will provide you with the Origin url
- Check both CORS and Redirect checkboxes
Step 5: Create a group
Navigate to “Directory” > “Groups”, click Add Group, and enter a name and a description.
- Name the group Trusona
- Provide a group description
- Click Add Group
This group is used to prevent users who log in passwordlessly with Trusona from being prompted for an additional second factor of authentication.
You don’t need to maintain the membership of this group. Group membership is automatically managed by Trusona via the Okta API. Do not add any members to the group.
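Steps 4 and 5 can also be done through the Okta Management API, which is useful when the integration is scripted or needs to be reproduced in another org. The block below is an added example and is not code from this guide or from Trusona; it uses the public `trustedOrigins` and `groups` endpoints and the `SSWS` token scheme of the Okta Management API, and the org domain, token and origin host are placeholders. The `check_trusted_origin` function is the part worth keeping: it confirms that the created origin is active and carries both the CORS and Redirect scopes that step 4 requires, which is the condition that is easy to get half right in the UI.

```python
import json
import urllib.request

# Placeholders, not values from the guide: your Okta org domain and the API
# token created in step 3. Keep the token out of source control; it carries
# the privileges of the admin who created it.
OKTA_DOMAIN = "your-org.okta.com"
API_TOKEN = "REPLACE_WITH_API_TOKEN_FROM_STEP_3"


def okta_post(domain, token, path, payload):
    """Describe a POST to the Okta Management API using the SSWS token scheme."""
    return {
        "method": "POST",
        "url": "https://%s/api/v1/%s" % (domain, path),
        "headers": {
            "Authorization": "SSWS " + token,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        "payload": payload,
    }


def trusted_origin_request(domain, token, origin_url, name="Trusona"):
    """Step 4 as an API call: one Trusted Origin with both CORS and Redirect scopes."""
    payload = {
        "name": name,
        "origin": origin_url,
        "scopes": [{"type": "CORS"}, {"type": "REDIRECT"}],
    }
    return okta_post(domain, token, "trustedOrigins", payload)


def group_request(domain, token, name="Trusona",
                  description="Trusona passwordless users (membership managed by Trusona)"):
    """Step 5 as an API call: create the group; members are added later by Trusona."""
    return okta_post(domain, token, "groups",
                     {"profile": {"name": name, "description": description}})


def send(request):
    """Perform a described request and return the parsed JSON body."""
    req = urllib.request.Request(
        request["url"],
        data=json.dumps(request["payload"]).encode(),
        headers=request["headers"],
        method=request["method"],
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_trusted_origin(created, expected_origin):
    """Problems with a trustedOrigins response relative to what step 4 asks for."""
    problems = []
    if created.get("status") != "ACTIVE":
        problems.append("status is %r, expected ACTIVE" % created.get("status"))
    if created.get("origin") != expected_origin:
        problems.append("origin is %r, expected %r" % (created.get("origin"), expected_origin))
    scopes = {s.get("type") for s in created.get("scopes", [])}
    for needed in ("CORS", "REDIRECT"):
        if needed not in scopes:
            problems.append("missing %s scope" % needed)
    return problems


# Constructed sample shaped like an Okta trustedOrigins response, with the
# Redirect scope deliberately left off to show what the check reports.
SAMPLE_CREATED_ORIGIN = {
    "id": "tos-placeholder-id",
    "name": "Trusona",
    "origin": "https://login.yourcompany.com",
    "status": "ACTIVE",
    "scopes": [{"type": "CORS"}],
}

if __name__ == "__main__":
    origin = trusted_origin_request(OKTA_DOMAIN, API_TOKEN, "https://login.yourcompany.com")
    print(json.dumps(origin["payload"], indent=2))
    print(check_trusted_origin(SAMPLE_CREATED_ORIGIN, "https://login.yourcompany.com"))
    # Against a real org: created = send(origin)
    #                     print(check_trusted_origin(created, origin["payload"]["origin"]))
```

The `send` function is the only part that touches the network; everything else can be exercised offline, which is also how the check was written, so it can run against a saved response.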
Step 6: Create an Identity Provider
Navigate to “Security” > “Identity Providers” > Click Add Identity Provider > Click SAML 2.0 IdP
Note: If the “Add Identity Provider” button does not have a drop down then click “Add Identity Provider” and continue with the steps below.
Complete the form to add the new SAML IdP using the information below:
| Setting | Value | Notes |
| --- | --- | --- |
| Match against | Okta Username | |
| If no match found | Create new user (JIT) | |
| Group Assignment | Assign to specific groups | |
| Specific Groups | Your Group Name | Enter the group name created in step 5. |
SAML Protocol Settings
The email you receive back from Trusona will contain the IdP Single Sign-On URL and the IdP Signature Certificate.
| Setting | Value | Notes |
| --- | --- | --- |
| IdP Issuer URI | | |
| IdP Single Sign-On URL | | This is unique to your integration with Trusona. It will be provided by Trusona, and will look something like |
| IdP Signature Certificate | Issued by Trusona | |
Once the information in the tables above has been entered into the form, click the Add identity provider button to continue.
Step 7: Create new Sign-On policy
Navigate to “Security” > “Authentication” > “Sign on”
To create the new policy, click the Add New Okta Sign-On Policy button.
- Enter “TrusonaUsers” for the Policy Name
- Choose a meaningful description for the Policy Description
- Add the group you created in step 5 in the “Assign to Groups” section
- Click Create Policy and Add Rule
- Rule Name: Name rule (This rule allows users to authenticate from anywhere)
- Ensure that “Prompt for Factor” is unchecked. (If “Prompt for Factor” is checked, users may see unnecessary 2FA prompts after using Trusona to login to Okta.)
- After creating the rule, make sure the new rule is activated
Step 8: Send Trusona your configuration details
- API Token Key
- Group URL [Located in Directory > Groups > Trusona > copy the URL from the browser]
- SAML metadata [Located in Security > Identity Providers by expanding the SAML IdP row]
Once this information is received, Trusona will provision your Okta integration and notify you by email when the Trusona integration is ready for use.
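Two of the artifacts exchanged in steps 6 and 8 are SAML metadata documents: the IdP Signature Certificate Trusona emails you (pasted into the IdP form in step 6) and the SAML metadata you copy from the Identity Providers page and send back in step 8. The parser below is an added example, not code from this guide or from Trusona or Okta. It reads a SAML 2.0 `EntityDescriptor`, reports the entity ID, the endpoints and the SHA-256 fingerprint of each signing certificate for whichever roles it contains (the IdP role with its `SingleSignOnService`, or the SP role with its `AssertionConsumerService`), and checks that the certificate in an email matches the one in the metadata, so a pasted certificate can be verified before the routing rule in step 9 goes live. The sample metadata, its URLs and its "certificate" bytes are constructed placeholders, not real Trusona values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# The endpoint element that matters for each SAML role.
ROLE_ENDPOINTS = {
    "IDPSSODescriptor": "SingleSignOnService",
    "SPSSODescriptor": "AssertionConsumerService",
}


def pem_to_der(pem_text):
    """Decode a PEM certificate block to DER bytes (header/footer lines ignored)."""
    b64 = "".join(line.strip() for line in pem_text.splitlines()
                  if line.strip() and not line.startswith("-----"))
    return base64.b64decode(b64)


def make_pem(der_bytes):
    """Wrap DER bytes as a PEM block, 64 characters per line."""
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def fingerprint(der_bytes):
    """SHA-256 fingerprint in the colon-separated form most admin UIs display."""
    hexdigest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def summarize_metadata(xml_text):
    """Extract entityID, endpoints and signing-certificate fingerprints per role.

    xml.etree is used because this metadata comes from Trusona or from your own
    Okta org; for metadata of unknown origin, parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a SAML EntityDescriptor, got %s" % root.tag)
    summary = {"entity_id": root.get("entityID"), "roles": []}
    for role_name, endpoint_name in ROLE_ENDPOINTS.items():
        for role in root.findall("md:" + role_name, NS):
            fps = []
            for kd in role.findall("md:KeyDescriptor", NS):
                # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
                if kd.get("use") not in (None, "signing"):
                    continue
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    der = base64.b64decode("".join((cert.text or "").split()))
                    fps.append(fingerprint(der))
            endpoints = [(ep.get("Binding", "").rsplit(":", 1)[-1], ep.get("Location"))
                         for ep in role.findall("md:" + endpoint_name, NS)]
            summary["roles"].append({"role": role_name, "endpoints": endpoints,
                                     "signing_fingerprints": fps})
    return summary


def signing_cert_matches(metadata_xml, emailed_pem):
    """True if the PEM certificate from the email is a signing cert in the IdP metadata."""
    wanted = fingerprint(pem_to_der(emailed_pem))
    for role in summarize_metadata(metadata_xml)["roles"]:
        if role["role"] == "IDPSSODescriptor" and wanted in role["signing_fingerprints"]:
            return True
    return False


# Constructed sample data. The "certificate" is placeholder bytes, not a real
# X.509 certificate, and the URLs are placeholders under the gateway host the guide uses.
FAKE_CERT_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_EMAILED_PEM = make_pem(FAKE_CERT_DER)
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://okta98098.gateway.trusona.net/idp-placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://okta98098.gateway.trusona.net/sso-placeholder"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(FAKE_CERT_DER).decode()

if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_IDP_METADATA))
    print(signing_cert_matches(SAMPLE_IDP_METADATA, SAMPLE_EMAILED_PEM))
```

Run `summarize_metadata` on the metadata copied from the Okta Identity Providers page before sending it in step 8: the SP role's `AssertionConsumerService` location and entity ID are what Trusona will provision against, and the fingerprint gives you a compact value to compare against the certificate pasted in step 6.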
Step 9: Create Routing Rule
Note: Do not move on to step 9 until you have received confirmation from Trusona that your information from step 8 has been provisioned. Otherwise you may be locked out of your account.
- Navigate to “Security” > “Identity Providers” > “Routing Rules”
- Click the Add Routing Rule button.
- Match the fields below
- Click Create Rule
| Field | Value |
| --- | --- |
| User’s IP is | Anywhere |
| User’s device platform | Any device |
| User is accessing | Any application |
| Use this identity provider | Trusona |
Trusona recommends that this newly created routing rule be placed above existing routing rules. This ensures that users are redirected to the Trusona IdP for authentication. Your specific implementation and/or deployment needs may require the rule to be placed somewhere other than first in the list.
Step 10: Create a Trusona Registration application
The Trusona Registration application helps your users link their Okta account to their Trusona Account. This process guarantees that users are identified by the Trusona IdP with a known and valid Okta identifier. All users that intend to use Trusona to login with Okta should complete the registration process described below before attempting to use Trusona to login to Okta.
- Navigate to “Applications” > “Applications” > Add Application
- Click Create New App
- Select “Web” from the “Platform” list
- Choose the “SAML 2.0” radio button option
- Click Create
- Click Next
- App logo: Trusona logo
- Enter IdP Single Sign-On url. To find it navigate to “Security” > “Identity Providers” > “Configure Identity Provider” > “SAML Protocol Settings” > “IdP Single Sign-On url”
- Change the end of the URL from “saml” to “registrations” then click Next
- Check “Use this for Recipient URL and Destination URL”
- Audience URI (SP Entity ID): Enter
- Click Next
- Click the radio button “I’m an Okta customer adding an internal app”
- Click Finish
Step 11: Create an Assignment
Within the new Trusona application > Assignment > Assign
- Assign to Groups
- Select Everyone
- Click Assign
- Click Done
Step 12: Customizing your Trusona experience
The Trusona Gateway (pictured below) includes default styling that will be familiar to your users using the Trusona App.
Optionally, it’s possible to provide a custom branded experience for your users including things like:
- A custom vanity URL
- Custom secure QR code colors
- Your company logo and colors
In order for Trusona to create your custom gateway, you need to provide Trusona with images and hex color values for the following:
Provide images
- Hero image: 1440 x 1800 px
- Logo image: 500 x 500 px
Provide hex values
- Animated dot color: the color of the dots that animate
- List of QR colors: provide 2 hex values; a color listed more than once will appear more often
- Link color: also changes the Okta widget button colors
- Text color:
- Background color: affects the background behind the QR code; usually this is just pure white (#FFFFFF)
Okta Identifier Registration
Users who intend to use Trusona to login to Okta must complete these required one-time steps.
- Download and install the Trusona App
- Register in the Trusona App
- Log in to Okta using their existing username and password
- Find, and click on, the Trusona application “chiclet” created in Step 10
- Scan the QR code with the Trusona App
- Accept and complete the Trusonafication
The user’s Okta identifier has now been linked to their Trusona account and they are now ready to use Trusona to login with Okta.