Customer SAML - IDP Setup

This guide explains how customers can configure their SAML settings, using Okta as an example identity provider.


First you must enable SAML in the Frontegg Portal and configure it.

Customer Configuration

If you enable and configure SAML in the Frontegg Portal, your customers can configure their settings to allow their users to sign in with Okta using SAML.

Here is how.

STEP 1: Create New SAML Application

Your customer needs to create a new SAML application with Okta that they can use for their Frontegg application.

Below is an example.

STEP 2: Enter Information

Okta will require certain information from the customer. See the example below.

Under the SSO URL, enter your Frontegg subdomain followed by /auth/saml/callback. This is the same value you entered in the Frontegg Portal for the ACS URL configuration.

For the SP Entity ID, enter the entity ID that you defined in the Frontegg Portal.

Check out the SAML configuration guide for additional information on the ACS URL and SP Entity ID.

STEP 3: Transfer XML

The final step is to transfer an XML file from the identity provider to Frontegg.

To do that, first download the metadata XML from the customer's identity provider. Next, upload the XML file to the customer's Frontegg Portal.

That is it. Now you and your customer have added SAML.


Moving Environments

When moving a project from one environment to another, Frontegg moves the SSO environment configurations for you. For instance, if moving from development to production, Frontegg moves the development SSO configurations to production.

Mapping Active Directory

When configuring your SSO, you can map your Active Directory groups to your Frontegg Roles to make securing your app easier than ever.

When mapping your Active Directory to your Frontegg Roles, you can assign your SSO users a default Frontegg Role. In addition, if you manage your organization's users with Okta, you can easily map Frontegg Roles to Okta Groups.

Here's how. In the admin section of the Frontegg dashboard, click on the SSO page. Next, click on Step 3, which should cause a form to appear. The form has an input for selecting a default Frontegg Role to assign to all SSO users. The form also has a button for Add Mapping, which is where you can map Frontegg Roles to Okta Groups.

To assign a default Role to all SSO users, in the input, add a Frontegg Role from your list of predefined Roles. To add a Frontegg Role to your list of predefined Roles, you must have already created that role.

Whichever Roles you include in the input, those Roles will be assigned to all SSO users.

To map your Okta groups to Frontegg Roles, click the Add Mapping button, which should cause a form to appear on your page. At the top of the form, you should see the default Roles that you selected for all SSO users. Remember, those Roles will apply to all SSO users regardless of whatever additional roles you assign to those users below.

To assign additional Frontegg Roles to the SSO users, below the option to select default Roles is a table for mapping Frontegg Roles to Okta Groups.

In that table, in the Group input, enter the Name of the Group from Okta that you want to connect to a Frontegg Role. For instance, in the image below from an Okta account, Managers is an Okta Group Name.

In the corresponding Roles input, add the Frontegg Roles that you want to map to the Okta Group. Remember, to add a Frontegg Role, you must have already created that role in Frontegg.

Click save.

The next time you log in to Frontegg using SAML, you will get user Roles and Permissions from Frontegg that apply the default Roles and are mapped to your Okta Groups.

Group to Roles Mapping

When your customers configure their SSO, they can choose to map their SAML identity provider groups to your roles. By mapping SAML identity provider groups to your roles, each SAML group member will be automatically assigned to the matching role. Note that you can map more than one role to each SAML identity provider group.

Read more about creating and using roles in the Frontegg Portal.
