Log in to your Okta account.
Navigate to Admin > Applications > Add Application > Create New App.
In Create a New Application Integration set these values and click Create:
Sign on method: SAML 2.0
In General Settings set the following values and click Next:
App name: The name of your kPow instance, e.g. 'kPow Staging'.
Optionally, configure both the app visibility and logo to your preference.
In Configure SAML set the following values and click Next:
Single sign-on URL: The absolute kPow login URI, e.g.
Audience URI (SP Entity ID): Set to kPow or similar.
user.email using the unspecified name format
Group attribute statements:
Roles -> can be mapped to a relevant group filter for Role Based Access Control
Navigate to Feedback > Finish and you will be redirected to your new Okta application.
Navigate to Sign On > View Setup Instructions and save the XML shown under "Provide the following IDP metadata to your SP provider" to a file on disk.
SAML_RELYING_PARTY_IDENTIFIER= the Audience URI (SP Entity ID)
SAML_ACS_URL= the Single sign-on URL, e.g.
SAML_METADATA_FILE= the path to the IDP metadata file, e.g.
kPow will now authenticate users with Okta (SAML).
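A pre-flight check for the three SAML settings above and the saved IdP metadata file, as an added example that is not part of kPow or Okta. The function name check_saml_settings, the sample hostnames, ACS path and certificate text are constructed placeholders, and requiring https for the ACS and SSO URLs is this check's own assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample values (hostnames, path and certificate are placeholders).
SAMPLE_ENV = {
    "SAML_RELYING_PARTY_IDENTIFIER": "kPow",
    "SAML_ACS_URL": "https://kpow.example/ACS-PATH-PLACEHOLDER",
}
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS['ds']}" entityID="https://idp.example/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_saml_settings(env, metadata_xml):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    if not env.get("SAML_RELYING_PARTY_IDENTIFIER", "").strip():
        problems.append("SAML_RELYING_PARTY_IDENTIFIER is empty")
    acs = urlparse(env.get("SAML_ACS_URL", ""))
    if acs.scheme != "https" or not acs.netloc:
        problems.append("SAML_ACS_URL is not an absolute https URL")
    if "<!DOCTYPE" in metadata_xml:  # IdP metadata needs no DTD or entities
        return problems + ["metadata contains a DOCTYPE, refusing to parse"]
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        return problems + [f"metadata is not well-formed XML: {exc}"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        return problems + ["metadata is not an IdP EntityDescriptor"]
    # A KeyDescriptor without a 'use' attribute applies to signing as well.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    if not any((c.text or "").strip() for k in keys for c in k.iterfind(".//ds:X509Certificate", NS)):
        problems.append("no IdP signing certificate in metadata")
    sso = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)]
    if not sso:
        problems.append("no SingleSignOnService endpoint in metadata")
    problems += [f"SingleSignOnService is not https: {u}" for u in sso if not u.startswith("https://")]
    return problems
```

Pass the real environment (for example dict(os.environ)) and the contents of the file named by SAML_METADATA_FILE before starting kPow.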
See the guide to Role Based Access Control for full configuration details.
When RBAC is enabled kPow will request groups scope to view the groups associated with an authenticated user. kPow considers Okta groups as roles in your RBAC configuration.
You will need to configure a relevant group claim filter for the kPow OpenID integration: