Set up SSO with Okta

This section explains how to set up your SSO connection using Okta as the identity provider, so that users can sign in to Autodesk with their organization’s email address. This connection uses SAML (Security Assertion Markup Language) to allow Autodesk to communicate with Okta to authenticate users. To enable this communication, you will need to add metadata from Okta to Autodesk and vice versa.

Page Contents:

Begin setup in Autodesk

Register Autodesk SSO as an app on Okta

Add Okta metadata to Autodesk

Add Autodesk metadata to Okta

Map attributes

Test your connection

Link verified domains

Begin setup in Autodesk

  1. In Autodesk Account, go to User management > By user or By Group.

  2. Select your team from the drop-down list and click the Team Settings ⚙️ icon in the upper right-hand corner.

  3. Go to the section Single sign-on (SSO) and select Manage SSO.

  4. Select the Manage SSO tab > Set up connection.

  5. You will be asked to name your connection. Enter a name that helps you easily identify the connection between your identity provider and Autodesk and differentiate it from other connections. The name must be unique and not in use by another team or organization.

  6. Select your identity provider from the drop-down menu.

Register Autodesk SSO as an app on Okta

To set up SSO, you must register Autodesk as a SAML app on Okta.

The instructions in this section match Okta’s user interface as of November 2021. Consult Okta's documentation on Setting Up a SAML Application in Okta for the most up-to-date instructions.

  1. Sign in to your Okta Admin portal using an account that has admin privileges.



  2. Go to the Applications tab.

  3. Click the Browse App Catalog button.



  4. Search for the "Autodesk" application and click the Add Integration button.

    Note:

    This application is pre-configured with all the essential settings including the SAML attributes mapping. Refer to the manual configuration procedure in case of any issues with the Autodesk pre-configured template or to view/update the SAML mapping source.

  5. Name the Application label and click Done.



The Application integration screen displays.



Add Okta metadata to Autodesk

This section explains how to get metadata from Okta to set up a SAML connection with Autodesk. Choose one of the following setup methods:

Automatic setup

Download the metadata file from Okta and upload it to Autodesk (recommended).

  1. Select the Sign On tab and scroll down to the SAML Signing Certificates section.

  2. Click Actions. Right-click View IdP Metadata, select Save Link As, and save the file as .XML.



  3. Switch to Autodesk Account and select Upload to upload the IdP metadata file downloaded from Okta.

  4. Confirm that the fields are filled in and click Next.

Manual setup

Copy and paste the information manually.

Note:

Skip the manual setup if you choose automatic setup.

  1. Select the Sign On tab, scroll down, and click View SAML setup instructions.

  2. Copy the IdP Sign in URL and IdP Issuer URI values. In the Primary verification certificate section, click the URL link to download the certificate.

  3. Go back to Autodesk Account, paste the Okta values, and upload the certificate as shown in the table.

    Okta                              | Autodesk
    IdP Issuer URI                    | Entity ID
    IdP Sign in URL                   | Sign-on URL*
    Primary Verification Certificate  | Verification Certificate

  4. Confirm that the fields are filled in and click Next in Autodesk Account.
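A way to check the downloaded IdP metadata file before uploading it, and to see which values should end up in the Entity ID, Sign-on URL and Verification Certificate fields. This is an added example, not code from Autodesk or Okta; the function name, the host `idp.example.test` and the dummy certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder host, and dummy bytes standing in for the DER certificate.
DUMMY_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="http://idp.example.test/placeholder-issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(DUMMY_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Return the values the Autodesk setup form asks for, plus any problems found."""
    root = ET.fromstring(xml_text)  # input is the file saved from your own Okta tenant
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")
    endpoints = {e.get("Binding"): e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    cert_path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    der = base64.b64decode("".join(idp.findtext(cert_path, "", NS).split()))
    problems = [f"non-HTTPS endpoint: {url}" for url in endpoints.values()
                if not (url or "").startswith("https://")]
    if POST not in endpoints:
        problems.append("no HTTP-POST sign-on endpoint; only Redirect is offered")
    if not der:
        problems.append("no signing certificate in metadata")
    return {
        "Entity ID": root.get("entityID"),
        "Sign-on URL": endpoints.get(POST) or endpoints.get(REDIRECT),
        "Binding": "Post" if POST in endpoints else "Redirect",
        "Certificate SHA-256": hashlib.sha256(der).hexdigest(),
        "problems": problems,
    }
```

The SHA-256 value is a fingerprint of the certificate bytes in the file, which you can compare with the fingerprint of the certificate you download separately in the manual setup.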

Note:

*Binding refers to the mechanism used to transmit authentication data between the identity provider and service provider (Autodesk). There are two binding methods: Post and Redirect.

The Post method is recommended, and is selected by default. This method transmits SAML messages within an HTML form using base64-encoded content. Because the message is carried in the form body rather than in the URL, it is more secure than the Redirect method, and is recommended as a security best practice (base64 is an encoding, not encryption).

The Redirect method transmits SAML messages encoded as HTTP URL parameters. The response is part of the URL and may be captured and exposed in various logs, making this method less secure than the Post method.
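The difference between the two bindings, seen from the request line a web server or proxy would log. This is an added example, not code from Autodesk or Okta; the SAML message, the endpoint `idp.example.test` and the function names are constructed for illustration, and it assumes the log records the request line but not the request body.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, minimal SAML message; the ID and issuer are placeholders.
MESSAGE = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed-id" Version="2.0">'
           '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
           'urn:example:sp</saml:Issuer></samlp:AuthnRequest>')
ENDPOINT = "https://idp.example.test/sso/saml"  # placeholder sign-on URL


def redirect_request(endpoint, message):
    """Redirect binding: raw DEFLATE, then base64, then URL-encoded into the query."""
    deflater = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE, no zlib header
    packed = deflater.compress(message.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(packed).decode()})
    return {"request_line": f"GET {urlsplit(endpoint).path}?{query} HTTP/1.1", "body": ""}


def post_request(endpoint, message):
    """Post binding: base64 only, carried as a form field in the request body."""
    body = urlencode({"SAMLRequest": base64.b64encode(message.encode()).decode()})
    return {"request_line": f"POST {urlsplit(endpoint).path} HTTP/1.1", "body": body}


def saml_in_request_line(request_line):
    """Return the SAML message a logged request line exposes, or None."""
    target = request_line.split(" ")[1]
    values = parse_qs(urlsplit(target).query).get("SAMLRequest")
    if not values:
        return None
    return zlib.decompress(base64.b64decode(values[0]), wbits=-15).decode()


if __name__ == "__main__":
    for name, build in (("Redirect", redirect_request), ("Post", post_request)):
        line = build(ENDPOINT, MESSAGE)["request_line"]
        exposed = saml_in_request_line(line) is not None
        print(f"{name:8} request line exposes SAML message: {exposed}")
```

Both bindings only encode the message; what differs is whether it lands in the URL, which is why any log that stores full URLs needs the same access controls as the messages themselves when Redirect is in use.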

Add Autodesk metadata to Okta

This section explains how to allow Autodesk to complete the connection with your identity provider for user authentication. Choose the same setup method that you selected in the previous section:

Automatic Setup

Download the metadata file from Autodesk and upload it to Okta.

Manual Setup

Copy and paste the information manually.

  1. In Autodesk Account, copy the Entity ID, Assertion Customer Service (ACS) URL, and download the Verification Certificate.

  2. Return to the Okta portal. Make sure you are in Sign On > Edit.

  3. In the SAML 2.0 section, click Browse to select the .crt file you downloaded from Autodesk Account and click Upload.

  4. In the Advanced Sign-on Settings section, enter the values noted from Autodesk Account in step 1 as shown in the table.

    Autodesk                              | Okta
    Entity ID                             | Audience URI
    Assertion Customer Service (ACS) URL  | ACS URL

  5. Under Credentials Details > Application username format, select Email from the drop-down and click Save.



Map attributes

Note:

If you integrated with the Autodesk app gallery at the beginning of the setup, these SAML attributes are already pre-configured.

Under Sign on methods > Configure profile mapping, make sure that the user attributes are mapped correctly.

Autodesk attributes:

Test your connection

Note:

Before testing the connection, make sure you assign yourself access to the Autodesk SSO application that you created with your identity provider. Go to Assign an app integration to a user for more information.

  1. Click Test connection to be redirected to your organization’s SSO sign-in page. (If you are not redirected, see Troubleshooting).

  2. Sign in to make sure that the connection between your identity provider and Autodesk is set up correctly. If the test is successful, you will see the message “Connection Test Result: Success” and a list of properties.

  3. Confirm that the attributes have mapped correctly by comparing the Property and Value columns. The property “first name” should appear next to the user’s first name, “last name” should appear next to the user’s last name, and so on. If you need to make changes, return to the previous step (Mapping attributes) and re-map the attributes.

  4. Once you have confirmed that attributes are mapped correctly, return to the Autodesk Account tab and click Next.

    Note:

    In order to proceed to step 4, which involves linking a verified domain, it is crucial that your connection is tested successfully.

Link verified domains

  1. You will see a list of your verified domains. Select one or more verified domains to link to your connection.

  2. Click Save connection to complete the setup.

    Note:

    If a domain is not verified, you can still save the connection and link it later in Manage SSO. If you have not finished verifying domains, go to Add and verify domains to complete the process. Once you have finished linking domains, return to Manage SSO to test and turn on SSO.
