# Configuring Your Okta IdP Environment

In the IdP environment, you must add Treasure Data to your list of authorized applications. Each Treasure Data account is added as a separate application, and users are assigned to the Treasure Data applications in Okta.

Continue to the following topics:

* [Prerequisites](#prerequisites)
* [Create a Treasure Data Application in Okta](#create-a-treasure-data-application-in-okta)
* [Configure Okta in TD Console](#configure-okta-in-td-console)
* [Create a Treasure Data Bookmark Application in Okta](#create-a-treasure-data-bookmark-application-in-okta)
* [Application Username in Okta and User Identifier in TD Console](#application-username-in-okta-and-user-identifier-in-td-console)

For security reasons, Treasure Data does not support IdP-initiated SSO. You cannot log in from the Treasure Data application (the one for which you configure the Single Sign-On URL, Audience URI, and so on) that is set up in [Create a Treasure Data Application in Okta](#create-a-treasure-data-application-in-okta). You must log in to `https://YOUR_TD_REGION/users/initiate_sso?account_name=ACCOUNT_NAME` directly, or log in via the Bookmark Application that is set up in [Create a Treasure Data Bookmark Application in Okta](#create-a-treasure-data-bookmark-application-in-okta).

## Prerequisites

* SSO account name
* Okta account
* Treasure Data account
* URN resource

## Create a Treasure Data Application in Okta

1. After a new SSO-configured account has been set up for you by your account representative, create and set up a [new application in Okta](https://auth0.com/docs/protocols/saml/identity-providers/okta). When the TD account is configured with the sso-configuration-enabled feature flag and given an account_name for IdP, a unique URN is created. You'll need both the account_name for IdP and the supplied URN to configure your Okta account.
2. Log into your Okta account as an Admin and select the **Admin** button.
   ![](/assets/configuring-your-okta-idp-environment-2024-06-20.5ca90ef45fe73cb75680a4c210a5506542b43571f67094f819cd650de2097992.f0cddcd7.png)
3. Select **Add Applications**. Your screen might look like this, depending on how you accessed your Okta account.
   ![](/assets/configuring-your-okta-idp-environment-2024-06-20-1.48f89b362afbe904a51f7f0310ca0579033ac456bc25a09427240a6e0dc20a35.f0cddcd7.png)
4. Select **Create New App**. Your screen might look like this.
   ![](/assets/configuring-your-okta-idp-environment-2024-06-20-2.8a519e7e0c8e1fad2b79de4409aa3df786c204e986f64aa96f3985cf0a9fb0c8.f0cddcd7.png)
5. Next, select the **SAML 2.0** protocol, which Treasure Data uses to exchange authentication and authorization identities between security domains.
   ![](/assets/configuring-your-okta-idp-environment-2024-06-20-3.b0589003abd167c6fd863063471bcc472f289011c07aaa6beba5c65043e22155.f0cddcd7.png)
6. Configure SAML by typing in your App Name and uploading a logo if desired.
7. Set the **App visibility** options:
   * Select `Do not display application icon to users`
   * Select `Do not display application icon in the Okta Mobile app`
8. Select **Next**.
   ![](/assets/configuring-your-okta-idp-environment-2024-06-20-4.19b9557ba2bd92b71a9e1f9a613eab74922ac70928b0b5f80c37f60d7abc6e84.f0cddcd7.png)
9. Configure SAML:
   * Use `https://sso.treasuredata.com/login/callback` as your **Single Sign-On URL**. This value is the same for all sites and regions.
   * Use the URN that was created when your TD account was configured, `urn:treasuredata:sso:SITE:ACCOUNT_NAME`, as your **Audience URI (SP Entity ID)**. `SITE` is currently one of `aws`, `aws-tokyo`, `eu01`, or `ap02`. For example, `urn:treasuredata:sso:eu01:ACCOUNT_NAME`.
   * Keep **Default Relay State** empty.
   ![](/assets/configuring-your-okta-idp-environment-2024-06-20-5.3f26066a2898721a1fe8ca6e3bdcdae6490e67d7cebee2012a278cc784be9b3c.f0cddcd7.png)
10. Select **Next**.
11. Select **Directory** and add or invite new user(s) by selecting **Add Person**.
    ![](/assets/image-20200701-022144.b2475b0d5a5384069c2c692601ba1b70b4102b398d1c3d5aaae58d2ee319ee0d.f0cddcd7.png)
12. Specify the name and email of the user you wish to invite.
    ![](/assets/image-20200701-022555.9bb2c290893197125c78f51dc5492da1d358d96049f85b041488de33285a0237.f0cddcd7.png)
13. Select **Save**.
14. Each invited user receives an email with a link to activate their account. You can view which invitations are active or still pending activation.
    ![](/assets/image-20200701-022841.d344cd20a73f34bedce6e3fcd38c820be6f94c02b82261fb67aedf39b6fd34b7.f0cddcd7.png)
15. Next, select the Okta users to assign to your Okta application.
    ![](/assets/image-20200701-023223.682523a35e5187dff4a5416034819f9018410c87f7d1f537f1c515534f093dcb.f0cddcd7.png)
16. Select **Assign Applications**.
    ![](/assets/image-20200701-023525.1f3c76c1c576833a1e4e4a5b3e43501f2460aa21d9bb0209aa2f29adb1c13360.f0cddcd7.png)
17. Select **Assign** to add the user to the account.
    ![](/assets/image-20200701-024004.083f109454d662e803bc8260ce938a99a1817686053a071ba849d6c0fd90cf43.f0cddcd7.png)
18. After the user is added to Treasure Data as an Okta user, they are redirected to Okta to present their Okta credentials for authentication. You can then collect the configuration needed to set up the IdP for a Treasure Data account. Select the app and select **View Setup Instructions**.
    ![](https://docs.treasuredata.com/download/attachments/83493683/747IhMvf_JIIsTIht87LZS0B68FSXI_KAIA7pIayCjH3DVFXsLyX3uAlTVtRle7yZbWmBFaOh8lV2YaeNwe2t83zgfvC73khAP4TqRfBITgVF1f9hh0aS7yKG5FXGv6kzErQjFUw?version=1&modificationDate=1680132866391&api=v2)
19. Configure the Treasure Data account for this Okta application by collecting either of the following options and entering them in Treasure Data:
    * The Identity Provider Single Sign-On URL
    * X.509 Certificate
    ![](/assets/image-20200701-025625.7e300a526dbd468311a789dd0706dc70f78c9922236899b4f93db56fefa803f4.f0cddcd7.png)
20. To enter the information using a single metadata file, copy the IdP metadata into a file and use it to configure the TD account.
    ![](/assets/image-20200701-025943.99ce797dc0f23bfb53975463b6793701c87893849f8a9923906ff4ce6d5cfb4c.f0cddcd7.png)

## Configure Okta in TD Console

1. At this point, [set up your configuration in TD Console](/products/control-panel/security/sign-in-settings/configuration-values-for-okta-sso).
2. Next, you can test your connection. Optionally, you can complete your work in Okta before working in TD Console.
3. To complete the configuration in Okta, proceed to the next step of creating a Bookmark Application in Okta.

## Create a Treasure Data Bookmark Application in Okta

**Bookmark apps** direct users to a specific web page using a small **Okta** icon or chiclet. The Bookmark App allows the user to sign in to the application directly, without providing sensitive credential information. The following steps are based on [instructions from the Okta help documentation](https://support.okta.com/help/s/article/How-do-you-create-a-bookmark-app).

1. Create and set up another application on Okta:
   * Specify the **App name**. You can specify any bookmark name, such as Treasure Data SSO. The name you specify is viewable from the Okta dashboard.
   * Specify the **SSO URL**. The URL is `https://YOUR_REGION_TD/users/initiate_sso?account_name=ACCOUNT_NAME`. For example, if you use prod-aws, the URL would be `https://console.us01.treasuredata.com/users/initiate_sso?account_name=ACCOUNT_NAME`. You obtain the account name from your Treasure Data customer success representative.
2. Assign Okta users to your Okta application bookmark and test the connection.
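Two values change hands in the steps above: the Audience URI (SP Entity ID) and Single Sign-On URL you type into the Okta SAML settings, and the IdP Single Sign-On URL and X.509 certificate you take back from the Okta metadata file. The script below builds the former and extracts the latter from a metadata file; it is an added example, not Treasure Data's or Okta's own code, and the metadata document in it is constructed to mirror the shape of an Okta IdP metadata export, with a placeholder certificate body and an example Okta hostname.

```python
"""Build the SP values entered in Okta and pull the IdP SSO URL and signing
certificate out of an Okta IdP metadata file.  Added example, not TD's or Okta's code."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TD_SITES = ("aws", "aws-tokyo", "eu01", "ap02")  # site values listed on this page

# Constructed sample shaped like an Okta IdP metadata export; the certificate
# body and the hostname are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIC_PLACEHOLDER_CERT
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/EXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_values(site: str, account_name: str) -> dict:
    """Audience URI (SP Entity ID) and Single Sign-On URL to enter in the Okta app."""
    if site not in TD_SITES:
        raise ValueError(f"unknown TD site {site!r}; expected one of {TD_SITES}")
    return {"audience_uri": f"urn:treasuredata:sso:{site}:{account_name}",
            "single_sign_on_url": "https://sso.treasuredata.com/login/callback"}


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, the HTTP-POST SSO URL and the signing cert (base64, no whitespace)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not an IdP metadata file")
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") == HTTP_POST]
    certs = [re.sub(r"\s+", "", c.text or "") for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if len(sso) != 1 or not certs or not sso[0].startswith("https://"):
        raise ValueError("need exactly one https HTTP-POST SSO URL and a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "certificate": certs[0]}
```

Run `parse_idp_metadata` over the metadata file you downloaded from the Okta app's setup instructions, and compare `sp_values(...)` against what was typed into the Okta SAML settings before testing the connection.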
## Application Username in Okta and User Identifier in TD Console

Okta uses `Okta username` as the default **Application username format**. The **Application username** is used as the identifier in TD Console. In TD Console, the default identifier is `user email`.

1. Ensure that the identifiers in Treasure Data match the Application usernames in Okta.
2. Select **Edit** to specify the **Application username format** in Okta.
   ![](/assets/treasure-data-trial_-_hkdnet-dev-local-sso__hkdnet-dev-local-sso.fb59d0313c5ff8c02dc3843e60aaeb5642b9a995c84a6a665b2e902a3e49982e.f0cddcd7.png)
3. Next, open **TD Console** to verify that the identifiers match.
4. From TD Console, navigate to **Control Panel** > **Users**.
5. Select the name or the Profile icon of the user.
6. Select **Details** to specify a user's unique identifier in TD Console.
   ![](/assets/hackoktaider.1de9c9d039abdcceb85c335e10702b49e09a4232c02c26668bf6421a0cf7d4a4.f0cddcd7.png)