Okta Configuration

Configuring Okta is relatively straightforward.

Please keep in mind that the following instructions are given as an example, and may differ from what is required in your particular situation.

Once you connect to your Okta administration portal, go to the Applications page:

  1. Select Add Application.
    Add Application
  2. Select Create New App.
    Create New App

  3. Create a new web-based SAML 2.0 Application.
    Create New Application

  4. Give your new application a name.
    Create SAML Application General

  5. Enter the SAML settings.
        Single Sign on URL: https://YOUR SITE URL/saml/saml_login_response
        Audience URI: https://YOUR SITE URL/saml/metadata
    Create SAML Application Settings

  6. Enter the SAML Attributes.
        access (optional)
        groups (optional)
    The values you decide to use will be dependant on your organization.
    Please note that in this example we hard-code true for access as we control the availability of the Application elsewhere. We have also decided to add the groups attribute, which we populate with the list of group memberships from either Admin, Artist, or Manager. The user must be part of only one group.
    Create SAML Application Settings Claims

  7. Finish the configuration.
    Create SAML Application Finish

  8. Proceed with the rest of the Okta configuration to determine access to the application and ensure that the proper attributes are sent. This will depend on your organization and how you have decided to set the values for the attributes.

  9. Provide the SSO configuration to your Shotgun Administrators. Click on the View Setup Instructions and provide the informations shown:
        SAML 2.0 Endpoint (HTTPS): Identity Provider Single Sign-On URL
        Identity Provider Issuer: Identity Provider Issuer
        Public Certificate: X.509 Certificate
    If instead you download the metadata, you will need to extract:
        SAML 2.0 Endpoint (HTTPS): SingleSignOnService Binding Location
        Identity Provider Issuer: EntityDescriptor entityID
        Public Certificate: X509Certificate
    Create SAML Application Setup


Important note regarding claims renewal

WARNING: The following information is only relevant for Shotgun versions older than

Shotgun will periodically need to renew the user's claims. To achieve this, Shotgun will connect to the IdP server using an iframe not visible to users. The default configuration of Okta will no permit embedding into an iframe.

There are 2 possible solutions here:

  1. Configure your Okta server to allow iframe embedding. This is a system-wide option, which can be found in the Admin section, under the 'Settings -> Customization -> General' page.
  2. Configure Shotgun to use an external pop-up window to renew the user's claims. This can be achieved by adding:
    saml_claims_renew_iframe_embedding_disabled: true
    to the SSO Configuration (YAML format), under the SAML Authentication section of the Site Preference page.