Here are some of the shorthand terms used in this article:
IdP (Identity Provider) - The service that owns the user identities and credentials. In this case, it's Okta.
SP (Service Provider) - The protected application we are signing into, in this case, it's Ripple.
Prerequisites
You've already created the role(s) that you will assign (or map) to your Okta users when they log in to Ripple. We will use the following notation to refer to these roles:
{service}/{name}
where:
{service} - either ripple, user, or rbac
{name} - the role name
Example:
ripple/admin
Steps
In your Okta Admin page, go to the Applications > Applications menu and create an app integration using SAML 2.0 as the sign-in method. Go through the steps, using the settings below as a reference for your SAML configuration:
App name: any name, but in this guide, we will use 'Ripple SAML'
SSO URL: https://login.alphaus.cloud/ripple/saml
Note: check "Use this for Recipient URL and Destination URL"
Audience URI (SP Entity ID): same as SSO URL
Attribute statements:
Name: https://app.alphaus.cloud/ripple/SAML/Attributes/IDPID
Name format: leave default (Unspecified)
Value: user.rippleIdpId
Name: https://app.alphaus.cloud/ripple/SAML/Attributes/Profiles
Name format: leave default (Unspecified)
Value: user.rippleProfiles
Name: https://app.alphaus.cloud/ripple/SAML/Attributes/SessionName
Name format: leave default (Unspecified)
Value: user.email
Add the two attributes above, namely user.rippleIdpId and user.rippleProfiles, to your profile attributes. The user.email attribute should already be available by default. Go to Directory > Profile Editor and add the following attributes:
Data type: string
Display name: RippleIdpId
Variable name: rippleIdpId
Data type: string
Display name: RippleProfiles
Variable name: rippleProfiles
It will look something like this: [screenshot of the Profile Editor]
Download the IdP metadata (xml) file and store it somewhere. You will be uploading this file to Ripple. You can find the download link from the Sign On tab.
It may open a new tab in your browser when you click the link. Save it (Ctrl+S or Cmd+S) as an XML file. Let's refer to it as metadata.xml in this guide.
Log in to Ripple and create the IdP settings. Go to Preferences > Identity Provider Setting > Add identity provider. Give it a name and attach the metadata.xml file as the SAML Metadata. Take note of the generated id; you will use it in Okta later on. It will be in UUID form, something like:
ec70114e-840b-474f-92c0-e663a47ed2d1
Take note of your organization (or MSP) id as well. You can get the value from Preferences > User Setting > MSP ID. Something like:
MSP-abcd1234
Before going back to Okta, make sure you already have the following values:
MSP id
IdP id
List of roles for your Okta users (see Prerequisites)
Go back to Okta and update the profiles of the users that will log in to Ripple. You may have other ways to do bulk profile updates for multiple users, but for this guide, let's use a single user: go to Directory > People, select a user, then go to the Profile tab, and click Edit.
Enter values for the custom attributes you added earlier. Use your IdP id as the value for the rippleIdpId attribute. For the rippleProfiles attribute, use the following notation:
{MSP-ID}:{comma-separated-roles}
Example:
MSP-abcd1234:ripple/admin,user/readonly
Something like this: [screenshot of the user's Profile tab]
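The three attribute statements configured above and the `{MSP-ID}:{comma-separated-roles}` notation are what the SP ends up parsing out of the SAML assertion. The following is an added example, not code from Ripple or Okta, showing how a service provider can validate those attributes strictly: it takes a constructed `AttributeStatement` (using the attribute names and the sample IdP id and MSP id from this guide), requires each attribute exactly once with one value, and rejects roles whose service is not one of `ripple`, `user` or `rbac`. The regular expressions for the MSP id and the role name are assumptions derived from the `MSP-abcd1234` and `ripple/admin` samples; the real validation rules are Ripple's own. Signature and audience checks on the assertion happen before this step in any real SP and are out of scope here.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Attribute names exactly as configured in the Okta attribute statements.
ATTR_BASE = "https://app.alphaus.cloud/ripple/SAML/Attributes/"
ATTR_IDPID = ATTR_BASE + "IDPID"
ATTR_PROFILES = ATTR_BASE + "Profiles"
ATTR_SESSION_NAME = ATTR_BASE + "SessionName"
REQUIRED = {ATTR_IDPID, ATTR_PROFILES, ATTR_SESSION_NAME}

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Assumed shapes, derived from the MSP-abcd1234 and ripple/admin samples in the guide.
MSP_RE = re.compile(r"^MSP-[A-Za-z0-9]+$")
ROLE_RE = re.compile(r"^(ripple|user|rbac)/[A-Za-z0-9_.-]+$")

# Constructed sample: the AttributeStatement Okta would emit for one mapped user.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://app.alphaus.cloud/ripple/SAML/Attributes/IDPID"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>ec70114e-840b-474f-92c0-e663a47ed2d1</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://app.alphaus.cloud/ripple/SAML/Attributes/Profiles"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>MSP-abcd1234:ripple/admin,user/readonly</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://app.alphaus.cloud/ripple/SAML/Attributes/SessionName"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


@dataclass(frozen=True)
class RippleClaims:
    idp_id: str
    msp_id: str
    roles: tuple
    session_name: str


def parse_profiles(value: str):
    """Split '{MSP-ID}:{comma-separated-roles}' into (msp_id, roles), validating each part."""
    msp_id, sep, role_list = value.partition(":")
    if not sep:
        raise ValueError("rippleProfiles must be '{MSP-ID}:{comma-separated-roles}'")
    if not MSP_RE.match(msp_id):
        raise ValueError(f"bad MSP id: {msp_id!r}")
    roles = []
    for role in role_list.split(","):
        role = role.strip()
        if not ROLE_RE.match(role):          # wrong service prefix, empty, or odd characters
            raise ValueError(f"bad role: {role!r}")
        if role in roles:                    # duplicates usually mean a copy/paste error
            raise ValueError(f"duplicate role: {role!r}")
        roles.append(role)
    return msp_id, tuple(roles)


def profiles_ok(value: str) -> bool:
    """True when the rippleProfiles value is well formed, False otherwise."""
    try:
        parse_profiles(value)
        return True
    except ValueError:
        return False


def extract_claims(assertion_xml: str) -> RippleClaims:
    """Read the three Ripple attributes from an assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    statement = root.find("saml2:AttributeStatement", NS)
    if statement is None:
        raise ValueError("assertion has no AttributeStatement")
    found = {}
    for attr in statement.findall("saml2:Attribute", NS):
        name = attr.get("Name")
        if name not in REQUIRED:
            continue                         # ignore unrelated attributes
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        if name in found or len(values) != 1:
            raise ValueError(f"{name} must appear exactly once with a single value")
        found[name] = values[0]
    missing = REQUIRED - set(found)
    if missing:
        raise ValueError(f"missing attributes: {sorted(missing)}")
    if not UUID_RE.match(found[ATTR_IDPID]):
        raise ValueError(f"IDPID is not a UUID: {found[ATTR_IDPID]!r}")
    msp_id, roles = parse_profiles(found[ATTR_PROFILES])
    return RippleClaims(found[ATTR_IDPID], msp_id, roles, found[ATTR_SESSION_NAME])


if __name__ == "__main__":
    print(extract_claims(SAMPLE_ASSERTION))
```

The point of rejecting unknown service prefixes and duplicated or repeated attributes, rather than skipping them, is that a typo in a user's `rippleProfiles` field then fails the login with a clear error instead of silently granting a subset of the intended roles.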
Make sure to add the updated users to your SP app. You can do this through the Assignments tab.
If configured properly, the user should now be able to log in to Ripple using SSO. To test the login, open the application's SSO URL. The login screen should look something like: [screenshot of the SSO login screen]