Checklist for configuring OKTA integration using SAML v2.0

Last Updated: Jun 10, 2026

The following checklist lists the configuration tasks that you perform on the OKTA and Keycloak web administration portals to set up integration with OKTA using SAML v2.0.

| No. | Task | Notes |
|-----|------|-------|
| 1 | Ensure that you gather all required information for configuring the integration. | See Prerequisites for SSO configuration. |
| 2 | Create and configure an application for SSO. | See Creating a new SAML v2.0 application on OKTA. |
| 3 | Obtain the OKTA configuration file. | See Obtaining the XML configuration file. |
| 4 | Configure Keycloak settings using the Avaya Aura® Device Services configuration utility. | See Configuring Keycloak settings. |
| 5 | Configure the OKTA identity provider on Keycloak. | See Configuring an OKTA SAML v2.0 identity provider on Keycloak. |
| 6 | Configure user and administrator groups on OKTA. | See Configuring user and administrator groups. |
| 7 | Create users on OKTA. | See Creating users on OKTA. |
| 8 | Add users to groups on OKTA. | See Adding users to groups. |
| 9 | Assign the user group to the SAML v2.0 application on OKTA. | See Assigning a group to an OKTA SAML application. |
| 10 | Configure attribute mapping on OKTA. | See Configuring attribute mapping on OKTA. |
| 11 | Configure attribute mapping between the OKTA SAML v2.0 identity provider and Keycloak. | See Modifying the attribute mapping between the third-party identity provider and Keycloak. For information about mappers that you must configure on Keycloak, see Attribute mapping parameters for OKTA SAML v2.0 identity provider. |
| 12 | Obtain the client secret. | See Obtaining the client secret. The client secret is required to enable communication between Avaya Aura® Device Services and Keycloak. |
| 13 | Create a client mapping. | See Creating client mapping. If you need to regenerate the client secret, see Regenerating the Keycloak client secret. |
| 14 | Configure the LDAP UID mapping. | See Configuring the LDAP UID mapping. |
| 15 | Select the identity provider to use for authorization. | See Selecting the default identity provider. Do not perform this task if you want to allow your enterprise users to use multiple identity providers simultaneously. |
| 16 | Test the integration with OKTA. | See Testing the integration with the identity provider from the web administration portal. |
| 17 | Configure expiry time for access and refresh tokens. | See Configuring access and refresh token expiry times. |