# Configuring with Okta

From your Okta's Administrative account, click on **Applications** from the top menu, and then click **Add Application**. From the left menu click on the **Create New App** button. 

For the **Platform** option, select **Web**. 

For the **Sign on method**, select **SAML 2.0**. 

Then click **Create**. 

On the next screen, we need to supply some basic information for the application. 

For the **App Name**, provide a friendly name for the NAAservice, e.g. **Access Anywhere**. Optionally you can also provide an **App logo** that users would recognize. 

Click **Next**.

On the **SAML settings** screen we want to configure the fields as follows:

  * __Single sign on URL__ - This should be the URI of your Access Anywhere server, appended by “/saml.htm”. For example “https://files.example.com/saml.htm”
  * __Audience URI__ - This should be the URI of your Access Anywhere server, e.g. "https://files.example.com"
  * __Default RelayState__ - This should be left blank
  * __Name ID format__ - Select Email Address
  * __Application username__ - Select Okta Username

Under **Show Advanced Settings**:

  * Tick **Enable Single Logout**
  * In **Single Logout URL** enter the value you entered in **Audience URI**
  * In **SP Issuer** enter the value you entered in **Audience URI**
  * From the **Signature Certificate** upload the Signing Certificate that can be obtained from your Access Anywhere appliance Auth System configuration screen. 

Under **Attribute Statements** configure the mappings as follows: 

  * Name "email", Name format "basic", Value 

<code> user.email </code>

  * Name "fullname", Name format "basic", Value

<code>user.firstName + "  " + user.lastName </code>

  * Name "username", Name format "basic", Value 

<code>user.login </code>

Under **Group Attribute Statements**, you will need to [choose which groups need to be exposed to Access Anywhere](https://help.okta.com/en/prod/Content/Topics/Apps/attribute-statements-saml.htm). 

A Groups Entry will need to be added with a name of "groups". The Value is dependant on what you would like to expose to Access Anywhere. Some examples are below:

  * Contains: IT - Matches groups containing the word "IT"
  * Regex: "^.*$" - Matches all groups

Follow the on-screen steps to save the changes. 

On the **Application Details** screen, under **Sign On**, click the **View Setup Instructions** button. 

Configure Access Anywhere following the instructions at [[:admin:saml#configuring_a_saml_authentication_system|Configuring a SAML Auth System]] using the settings below:

  * The Service provider entity ID - The URI entered earlier from the **Audience URI** field
  * SSO entry point - Enter the **Identity Provider Single Sign-On URL** found on the Okta setup instructions screen
  * The logout service endpoint - Enter the **Identity Provider Single Logout URL** found on the Okta setup instructions screen.
  * x509 Certificate - Enter the **X.509 Certificate** found on the Oka setup instructions screen

Before users are able to access the Okta application, Users or Groups must be assigned the application for it to be available to them. 

Your Okta setup with the Access Anywhere server is now complete.