# Secure your endpoints with Okta SSO (SAML)

> Secure access to your ngrok endpoints with Okta single sign-on (SSO) using SAML.

<Note>
  This guide refers to using SSO to authenticate access to your **endpoints**. You cannot use these instructions to set up SSO for logging into your ngrok account in the dashboard.
</Note>

This guide shows you how to configure Okta as the primary Identity Provider for ngrok tunnels using single sign-on (SSO).
By integrating Okta SSO with ngrok, you can:

* Restrict access to ngrok tunnels only to users authenticated via Okta
* Use Okta security policies, MFA authenticators—including Okta Verify, FastPass, and FIDO2—and ThreatInsights to control access to ngrok tunnels
* Use Okta's Dashboard to facilitate access to ngrok apps

## What you'll need

* An Okta account with administrative rights to create apps.
* An ngrok Pay-as-you-go account with an authtoken or admin access to configure endpoints with SAML.

## 1. Configure Okta

### Add the ngrok app in Okta

* Access your Okta Dashboard as an administrator and then click **Admin**.
* Click **Application** > **Applications**.
* Click **Create App Integration**.
* Select *SAML 2.0*, and then click **Next**.
* Enter the **Application label**—this is the app name that will be displayed in the Okta dashboard for end users—and click **Next**.
* Enter temporary values for "Single sign on URL" and "Audience URI", select "EmailAddress" for "Name ID format", and then click "Next".
  * **Single sign-on URL**: [https://temporary](https://temporary)
  * **Audience URI (SP Entity ID)**: [https://temporary](https://temporary)
  * **Name ID format**: Email
* Select **I’m an Okta customer adding an internal app** and click **Finish**.
* Click **Done**.
* Under the **Sign On** tab of the ngrok application, **copy the Client ID and Client Secret**. These values will be used at ngrok to complete the configuration.

### Download the IdP metadata

* Navigate to the **Sign On** tab on the new app and click **Actions** under the Active SHA-2 certificate and select **View IdP metadata**.
  The metadata will open in a new tab.
* In the new tab, select **Save As** from the File menu to save your `metadata.xml` file for uploading into ngrok in a later step.

### Grant access to Okta people and groups

Okta allows administrators to restrict access to SSO apps—such as ngrok—via assignments.
By default, apps created in Okta have no assignments; in other words, nobody can use Okta SSO to access ngrok until you assign them to the app.
To assign Okta users and groups to the ngrok app:

* Navigate to the **Assignments** tab.
* Use the **Assign** button to associate groups and users with the ngrok app.
  To test the SSO with ngrok, make sure you're assigned to the app.

## 2. Configure ngrok

<Warning>
  The SAML Traffic Policy action is currently in [developer preview](/traffic-policy/actions/saml/). [Request access](https://dashboard.ngrok.com/developer-preview) to configure SAML via Traffic Policy.
</Warning>

Once you have developer preview access, create a `policy.yaml` file with the following content, replacing `YOUR_IDP_METADATA_XML` with the IdP metadata XML from Okta:

```yaml
on_http_request:
  - actions:
      - type: saml
        config:
          idp_metadata: 'YOUR_IDP_METADATA_XML'
```

The SAML action generates your ngrok SP Entity ID and ACS URL based on your endpoint URL. Refer to the [SAML action documentation](/traffic-policy/actions/saml/) for how to retrieve these values to complete your IdP configuration.

Launch an ngrok tunnel with this policy:

```bash
ngrok http 3000 --traffic-policy-file policy.yaml --url YOUR_DOMAIN
```

Copy the URL next to **Forwarding**. You will use this URL to test the integration.

## 3. Update the Okta app settings

* In Okta, open your ngrok app and go to the **General** tab.
* In **SAML Settings**, click **Edit**, then replace the temporary values with the generated ngrok values:
  * Set **Single sign-on URL** to your ngrok **ACS URL**.
  * Set **Audience URI (SP Entity ID)** to your ngrok **SP Entity ID**.
* Save the changes.

## 4. Test the integration

* In your browser, launch an incognito window.
* Access your ngrok tunnel (for example, `https://okta-sso-test.ngrok.app` or the URL you copied).
* You should be prompted to log in with your Okta credentials.
* After logging in, you should be able to see your web app.
