Integration with Okta SSO

If you are implementing or currently an Okta user, then the following article describes how to integrate the XTAM login with Okta SSO.

This SAML integration currently supports the following features:

  • SP-initiated SSO
  • IdP-initiated SSO

Before you begin, be sure you met the following pre-requisities:

  • A working XTAM deployment with the Federated Sign-In experience.
  • Access to the XTAM host server to make application changes.
  • An Okta Administrator account that can add Applications and basic Okta Administrative knowledge.
  • XTAM does not support the use of native Okta accounts for login. Accounts have to originate in Active Directory and be synced to Okta in order to be used for XTAM authentication.

Add XTAM Okta Application

This section will describe how to add the XTAM Application in your company’s Okta tenant.

  1. Login to Okta with an Administrator account.
  2. Navigate to the Applications section and click the Add Application button.
  3. In the Search for an application box, enter Xton Access Manager. Click the Add button next to the application name.
  4. FAQ-Okta-Add-XTAM-Application

  5. In the Add Xton Access Manager – General Settings, configure the application as needed. In the Base URL field, enter the host of your XTAM solution. For example,


  6. Click Done when finished.

Configuring XTAM for your Okta SSO

This section will describe how to configure XTAM to support your Okta SSO login.

We will be taking information from your XTAM Okta Application and using them in the XTAM configuration, so be sure you have access to both.

  1. In the XTAM Okta application, navigate to Sign On and open the hyperlink Identity Provider Metadata.
  2. FAQ-Okta-XTAM-Sign-On

  3. When the page opens, copy all the text and save it to a file named okta.xml on the XTAM host computer. We recommend using the path {XTAM_HOME}/content/keys/okta.xml. Do not close this page yet.

  4. On the XTAM host computer, open the following file in a text editor {XTAM_HOME}/web/conf/

  5. Locate the section labeled # CAS and add the following lines:

  6. In the lines above, the following {placeholders} need to be updated using your own values explained here:

    1.{managed_path} — Your XTAM host name. For example,

    2. cas.server.prefix={managed_path}/cas — Your XTAM host name. For example,

    3. cas.authn.pac4j.saml[0].keystorePassword={password} — Create an alphanumeric password. Any value you want to enter.

    4. cas.authn.pac4j.saml[0].privateKeyPassword={password} — Create an alphanumeric password. Any value you want to enter.

    5. cas.authn.pac4j.saml[0].serviceProviderMetadataPath={okta.xml} — The full path and file name of the okta.xml file that was created in step (2). For example, C:/xtam/content/keys/okta.xml (use forward slashes not backslashes)

    6. cas.authn.pac4j.saml[0].keystorePath={samlKeystore.jks} — Define a path and name for the XTAM auto-generated key. For example, C:/xtam/content/keys/samlKeystore.jks (use forward slashes not backslashes)

    7. cas.authn.pac4j.saml[0].identityProviderMetadataPath={path} — Copy and paste the full URL from your Identity Provider Metadata used in step (2). For example,[externalKey]/sso/saml/metadata.

  7. When finished, save and close this file.

  8. Restart the PamManagement (Windows) or the pammanager (Linux) service.

  9. When the service is fully restarted, open your browser and navigate to the XTAM login page. Use the new option Login using Okta located on the bottom right side of the page.