In today’s environment of distributed applications and microservices, unified identity and access management is essential. If you’re working with DreamFactory as your API platform and want to use Okta for Single Sign-On (SSO) via SAML 2.0, you’re in the right place. This post walks you through setting up Okta as your Identity Provider (IdP) and DreamFactory as your Service Provider (SP) for SAML 2.0-based login.
By the end of this post, users will be able to click a “Login with Okta” button on your DreamFactory instance, authenticate with Okta, and be granted access according to roles and permissions managed in DreamFactory.
Log into your Okta admin dashboard.
Navigate to Applications → Create App Integration. Select SAML 2.0 as the application type.
On the “General Settings” page, give your new app a meaningful name (e.g., “DreamFactory SSO”). For now, use your DreamFactory instance’s base URL as a placeholder for both Single sign-on URL and Audience URI (SP Entity ID); you’ll replace these with the real service-provider values once the DreamFactory side exists.
On the SAML configuration page:
Set Name ID format to EmailAddress.
Set Application username to Email.
Set Response to Unsigned. Leave Assertion Signature at its default of Signed: the X.509 certificate you copy into DreamFactory later is what it uses to verify the assertion, and an assertion that is not signed cannot be checked at all.
Finish the wizard. On the Sign On tab you’ll find a “View SAML setup instructions” link; open it and keep that tab open, since DreamFactory needs the values it shows.
Log into the DreamFactory admin console.
Create a Role for users authenticated via Okta:
Navigate to API Generation & Connections → Role Based Access.
Create a new Role (for example, “Okta-Users”) and assign the appropriate permissions (APIs, tables, etc.) that these users should have.
If you already have an appropriate role, you can reuse it.
Create an API Key:
Go to API Generation & Connections → API Keys.
Create a new key and assign it the role you just created. DreamFactory uses this API key to tie SAML logins to that role’s access.
Create a SAML 2.0 Service:
Navigate to Security → Authentication → Create Service → SAML 2.0.
Namespace: a name (lowercase, no spaces) that becomes part of the service’s URI. It must end with _sso (e.g., dreamfactoryokta_sso).
Label: This will show up as the login button text on your main login screen (e.g., “Login with Okta”).
Config tab: copy the following values from Okta’s “SAML setup instructions” into DreamFactory:
Identity Provider Single Sign-On URL → IdP SSO service URL field in DreamFactory.
Identity Provider Issuer → IdP EntityId field in DreamFactory.
X.509 Certificate (including the “BEGIN”/“END” lines) → IdP x509cert field.
Relay State: the URL DreamFactory redirects the browser to after a successful login, with the session JWT substituted for the _token placeholder. Typically: https://your.instance.url/dreamfactory/dist/#/auth/login?jwt=_token
Once filled in it should look like this:
Save the service.
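The three IdP values above can also be taken from the IdP metadata XML that Okta publishes for the app (linked from the Sign On tab), which avoids the copy-paste slips behind most “certificate not valid” and “issuer mismatch” failures. The script below is an added example, not DreamFactory or Okta code: it maps the metadata onto the DreamFactory field labels used above, rewraps the certificate into the BEGIN/END form the IdP x509cert field expects, and refuses anything that is not base64-encoded DER. The metadata document, the Okta URLs and the certificate body (a bare DER SEQUENCE header, not a real certificate) are constructed placeholders.

```python
"""Derive the DreamFactory SAML service fields from Okta IdP metadata XML.

Added example, not DreamFactory or Okta code. The metadata below is a
constructed sample; the certificate body is a placeholder DER SEQUENCE.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder: looks like the start of a DER certificate, nothing more.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 256).decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>
          {FAKE_CERT_B64}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example.okta.com/app/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(cert_text: str) -> str:
    """Normalise a pasted certificate (bare base64 or full PEM) into the
    BEGIN/END form the IdP x509cert field expects; reject corrupt pastes."""
    body = "".join(line.strip() for line in cert_text.splitlines()
                   if not line.strip().startswith("-----"))
    der = base64.b64decode(body, validate=True)  # binascii.Error (a ValueError) if garbage crept in
    if der[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE: this is not an X.509 certificate")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def dreamfactory_fields(metadata_xml: str) -> dict:
    """Map IdP metadata onto the three DreamFactory config fields, plus warnings."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not Okta's IdP metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    sso_url = sso.get(HTTP_REDIRECT) or sso.get(HTTP_POST)
    if not sso_url:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    cert = ""
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no use attribute means signing and encryption
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
            if cert.strip():
                break
    if not cert.strip():
        raise ValueError("no signing certificate in metadata; DreamFactory cannot verify assertions")
    warnings = []
    advertised = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    if EMAIL_FORMAT not in advertised:
        warnings.append("metadata does not advertise the emailAddress NameID format; check the Okta app")
    return {
        "IdP EntityId": root.get("entityID"),
        "IdP SSO service URL": sso_url,
        "IdP x509cert": to_pem(cert),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in dreamfactory_fields(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

Run it against the real metadata by replacing SAMPLE_METADATA with the downloaded document; the HTTP-Redirect endpoint is preferred because that is the binding DreamFactory uses to send the browser to Okta, with HTTP-POST as a fallback.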
Return to your Okta application settings:
Go to the General tab → Edit SAML settings and replace the placeholder values from earlier with the service-provider values for the DreamFactory SAML service you just saved: Single sign-on URL takes the SP’s Assertion Consumer Service (ACS) URL, and Audience URI (SP Entity ID) takes the SP’s Entity ID.
Save your changes.
You also need to assign the new application to users in the Okta web interface.
On the Assignments tab, click “Assign” and assign the application to every person or group that will use it. Unassigned users cannot complete the authentication flow from the DreamFactory UI.
Final step: On your DreamFactory login page (or at the /sso endpoint depending on your setup) you should now see a button labelled “Login with Okta” (or whatever label you chose). When clicked, it will redirect users to Okta, and after successful authentication, return them to DreamFactory with a JWT token and appropriate role assignments.
Important: don’t forget to configure CORS in DreamFactory under Config → CORS. List your application origin and your Okta origin explicitly rather than allowing a wildcard origin.
Troubleshooting Tips
If users cannot see the “Login with Okta” button, check that the SAML service is active in DreamFactory and that the namespace/service name is correct.
If the redirect to Okta works but login fails with a “certificate not valid” or “issuer mismatch” error, double-check the certificate, Entity ID, and SSO URL values you copied from Okta. If the app’s signing certificate has been rotated in Okta since you set the service up, paste the current one.
If login succeeds but the user gets insufficient permissions, verify that the user is assigned to the Okta application (the Assignments step above) and that the DreamFactory role and API key are in place; permissions come from the DreamFactory role, not from Okta.
If you see CORS-related errors in the browser console, revisit your DreamFactory CORS settings and ensure both the Okta origin and your application’s origin are allowed.
For deeper SAML issues (assertion attributes, NameID format, etc.), consult the Okta SAML docs.
You can also reach out to the DreamFactory support team by emailing dspsupport@dreamfactory.com, we are always happy to help!
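When the tips above are not enough, the quickest way to see what Okta actually sent is to grab the SAMLResponse form field from the browser’s developer tools (the POST to DreamFactory after authenticating) and compare it with the configured values. The script below is an added example, not DreamFactory’s own code: it decodes the response, then checks the status, both Issuer elements against the IdP EntityId, the NameID format against EmailAddress, the Audience against the Audience URI set in Okta, the validity window, and whether the assertion carries a Signature at all. It only reports the presence of a signature; verifying it is DreamFactory’s job. The entity ID, the Audience URI and the sample response are constructed placeholders, and build_sample exists only to produce responses to test with.

```python
"""Decode a SAMLResponse as posted to DreamFactory and check it against the
values the SAML service and the Okta app were configured with.

Added example, not DreamFactory code. Reports whether the assertion carries a
Signature but does not verify it. Entity IDs, URLs and the sample are constructed.
"""
import base64
import zlib
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed configuration: the IdP EntityId field in DreamFactory and the
# Audience URI entered in the Okta app (placeholder, not a DreamFactory path).
EXPECTED = {
    "idp_entity_id": "http://www.okta.com/exk0000000000000000",
    "audience": "https://df.example.com/okta-sp",
}


def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC ISO-8601, optionally with fractional seconds."""
    return datetime.fromisoformat(value.split(".")[0].rstrip("Z")).replace(tzinfo=timezone.utc)


def _stamp(d: datetime) -> str:
    return d.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample(issuer=EXPECTED["idp_entity_id"], audience=EXPECTED["audience"],
                 name_id_format=EMAIL_FORMAT, signed=True,
                 issued=parse_ts("2024-05-01T12:00:00Z")) -> str:
    """Constructed SAMLResponse, base64-encoded like the SAMLResponse form field."""
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignatureValue>AAAA</ds:SignatureValue>'
           '</ds:Signature>') if signed else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{_stamp(issued)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_stamp(issued)}">
    <saml:Issuer>{issuer}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID Format="{name_id_format}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_stamp(issued - timedelta(minutes=5))}"
        NotOnOrAfter="{_stamp(issued + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def decode_saml(b64: str) -> ET.Element:
    raw = base64.b64decode(b64)
    try:
        return ET.fromstring(raw)
    except ET.ParseError:
        # Redirect-binding payloads are DEFLATEd before base64; POST-binding ones are not.
        return ET.fromstring(zlib.decompress(raw, -15))


def inspect_response(b64: str, expected: dict = EXPECTED, now=None):
    """Return (summary, problems); an empty problems list means the values line up."""
    root = decode_saml(b64)
    now = now or datetime.now(timezone.utc)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, problems + ["no plaintext Assertion (encrypted or missing)"]
    for label, node in (("Response", root), ("Assertion", assertion)):
        issuer = node.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != expected["idp_entity_id"]:
            problems.append(f"{label} Issuer {issuer!r} != IdP EntityId (issuer mismatch)")
    signed = assertion.find("ds:Signature", NS) is not None
    if not signed:
        problems.append("Assertion is unsigned; with Response also Unsigned nothing can be verified")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format {fmt!r} is not EmailAddress")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip()
    if audience != expected["audience"]:
        problems.append(f"Audience {audience!r} != Audience URI configured in Okta")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (clock skew?)")
        if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (stale capture, replay or clock skew?)")
    summary = {"name_id": (name_id.text or "").strip() if name_id is not None else None,
               "audience": audience, "signed": signed}
    return summary, problems


if __name__ == "__main__":
    for label, response in (("good", build_sample()), ("unsigned", build_sample(signed=False))):
        summary, problems = inspect_response(response, now=parse_ts("2024-05-01T12:01:00Z"))
        print(label, summary, problems or "OK")
```

To use it on a real capture, pass the SAMLResponse field value to inspect_response with EXPECTED set to your own IdP EntityId and Audience URI, and leave `now` unset so the validity window is checked against the current time; the `now` parameter exists so old captures can still be examined.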
FAQs
1: Can users authenticate with both Okta SSO and traditional username/password?
Yes. You can keep the standard login method active in DreamFactory and add the SAML service alongside it; users can choose either. Decide how roles are assigned on each path so that permissions stay consistent.
2: What happens if a user signs in via Okta but has no DreamFactory user account?
Typically, DreamFactory maps the incoming SAML assertion (the NameID, which with the Okta settings above is the email address) to an existing user record, or auto-creates one depending on your configuration. If neither a mapping nor auto-creation is configured, login fails. Make sure your SAML service and DreamFactory role configuration together allow the user access.
3: How do I revoke access if a user should no longer use Okta to access DreamFactory?
Remove the user’s assignment in Okta (so they can no longer initiate SSO) and/or disable the user’s role or API key in DreamFactory. Because access is ultimately governed by the JWT and the role/API-key permissions, controlling both ends ensures access is revoked. Note that a JWT already issued remains valid until it expires, so if immediate cut-off matters, also deactivate the user’s DreamFactory account.
Conclusion
Integrating Okta with DreamFactory using SAML 2.0 gives you enterprise-grade SSO and centralized identity management, while still leveraging the power and flexibility of DreamFactory’s API platform. With just a few steps — app creation in Okta + role/API-key/service creation in DreamFactory — you’re rolling out a seamless login experience for your users.