Okta
Configure workforce identity with Okta.
Step 1: Install the package
dotnet add package PrimusSaaS.Identity.Broker
Step 2: Configure Program.cs and middleware
using PrimusSaaS.Identity.Broker;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddPrimusAuthBroker(builder.Configuration, builder.Environment.IsDevelopment());
builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.UsePrimusCsrfProtection();
app.MapControllers();
app.MapPrimusAuthBroker();
app.Run();
Step 3: Configure appsettings.json
{
"Okta": {
"Domain": "https://dev-123456.okta.com",
"ClientId": "YOUR_CLIENT_ID",
"ClientSecret": "YOUR_CLIENT_SECRET"
}
}
How to get configuration values
- Log in to the Okta Admin Console.
- Go to Applications > Create App Integration.
- Select OIDC - Web Application.
- Sign-in redirect URI:
https://your-api.com/api/auth/okta/callback - Copy Client ID and Client Secret.
Step 4: Configure endpoint
Broker endpoints are mapped by app.MapPrimusAuthBroker().
GET /api/auth/providersGET /api/auth/oktaGET /api/auth/me
Step 5: Test the endpoint
- Call
GET /api/auth/providersonce on app startup to seed the CSRF cookie. - Navigate to
GET /api/auth/oktaand sign in. - Call
GET /api/auth/meto confirm the session.
SAML 2.0 SSO
Okta supports both OIDC and SAML 2.0. SAML is common for workforce identity federation.
Create a SAML app in Okta
- In the Okta Admin Console, go to Applications → Create App Integration.
- Select SAML 2.0.
- Set the Single sign-on URL (ACS) to:
https://app.example.com/api/auth/saml/okta-saml/Acs - Set Audience URI (SP Entity ID) to
https://app.example.com. - Under App embed link, copy the Identity Provider metadata URL.
Configure appsettings.json
{
"PrimusAuth": {
"Saml": {
"EntityId": "https://app.example.com",
"IdentityProviders": [
{
"Scheme": "okta-saml",
"DisplayName": "Okta Workforce",
"IdpType": "Okta",
"MetadataUrl": "https://dev-123456.okta.com/app/abc123/sso/saml/metadata"
}
]
}
}
}
SAML endpoints
| Endpoint | Description |
|---|---|
GET /api/auth/saml/okta-saml | Returns SP metadata XML — configure as the SP Entity ID in Okta |
GET /api/auth/saml/okta-saml/SignIn | Initiates SP-initiated SSO — redirects the browser to Okta |
POST /api/auth/saml/okta-saml/Acs | Assertion Consumer Service — handled automatically |
Advanced features
The following features work with Okta exactly the same way as any other provider:
- Multi-Factor Authentication — TOTP, SMS, and email OTP
- Domain Allowlist — restrict logins to specific email domains
- Bot Protection & Rate Limiting — IP-based rate limiting, CAPTCHA hooks
- Webhooks — receive events on login, logout, and provisioning
Next Steps
- Integration Guide — complete setup walkthrough including frontend integration
- MFA Deep Dive — TOTP enrollment UX, SMS codes, and recovery
- Advanced Configuration — custom stores, HA clustering, and data protection
- Database Setup — persist provisioned users with EF Core