OKTA SSO

Pillar integrates with Okta over SAML.

To integrate, you will need to configure a SAML 2.0 Application in Okta using the Pillar metadata:

The values that need to be specified are:

Single Sign in URL

https://auth.pillar.hr/__/auth/handler

Audience URI (SP Entity ID):

https://app.pillar.hr

Name ID Format

EmailAddress

Attribute Statements:

name, Basic

user.firstName + " " + user.lastName

An example SAML Assertion should look similar to:

<?xml version="1.0" encoding="UTF-8"?>

<saml2:Assertion ID="id6705107957415523935299808" IssueInstant="2022-11-08T13:27:12.687Z" Version="2.0"

xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk6w5f2q5paSojzt5d7</saml2:Issuer>

<saml2:Subject>

<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">employee@domain.com</saml2:NameID>

<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

<saml2:SubjectConfirmationData NotOnOrAfter="2022-11-08T13:32:12.687Z" Recipient="https://auth.pillar.hr/__/auth/handler"/>

</saml2:SubjectConfirmation>

</saml2:Subject>

<saml2:Conditions NotBefore="2022-11-08T13:22:12.687Z" NotOnOrAfter="2022-11-08T13:32:12.687Z">

<saml2:AudienceRestriction>

<saml2:Audience>https://app.pillar.hr</saml2:Audience>

</saml2:AudienceRestriction>

</saml2:Conditions>

<saml2:AuthnStatement AuthnInstant="2022-11-08T13:27:12.687Z" SessionIndex="id1667914032685.1686544979">

<saml2:AuthnContext>

<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>

</saml2:AuthnContext>

</saml2:AuthnStatement>

<saml2:AttributeStatement>

<saml2:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

<saml2:AttributeValue

xmlns:xs="http://www.w3.org/2001/XMLSchema"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FirstNameHere LastNameHere

</saml2:AttributeValue>

</saml2:Attribute>

</saml2:AttributeStatement>

</saml2:Assertion>

After configuring the application, you will need to share with Pillar these values from Okta:

  • Identity Provider Issuer (Entity ID)

  • Identity Provider SSO URL

  • X.509 Signing Certificate

Available from this button in the Okta UI:

Did this answer your question?