
# Configuring a SAML application on Okta

> Instructions on how to configure a SAML SSO application with Okta.

<Steps>
  <Step title="Access Okta Applications">
    Log in to Okta, go to the admin dashboard, and select "Applications" in the navigation panel.
  </Step>

  <Step title="Create New App Integration">
    Select "Create App Integration".

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/okta-1.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=d1b809a90c3c8a204ac6bb20875947d6" width="2066" height="977" data-path="img/IdentityProviders/okta-1.png" />
    </Frame>
  </Step>

  <Step title="Choose SAML 2.0 Integration Type">
    Select "SAML 2.0" and click 'Next'.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/okta-2.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=0998ec5b9aa71b5e14edfc148a54bca2" width="1634" height="966" data-path="img/IdentityProviders/okta-2.png" />
    </Frame>
  </Step>

  <Step title="Enter App Name">
    Enter an "App Name" and click Next.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/okta-3.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=1a8f6946bf9a9f96eec844c910521e0e" width="2054" height="1252" data-path="img/IdentityProviders/okta-3.png" />
    </Frame>

    <Note>
      The **IdP-Initiated Login URL**, **Service Provider ID (SP Entity ID)**, **Service Provider Login URL (SSO URL)** and **Service Provider Logout URL (SLO URL)** are shown in the SAML tab under the Account Management Settings section within the Blink Platform.

      **IdP-Initiated Login URL** : Please look in the Account Management Settings section within the Blink Platform to find your unique **IdP-Initiated Login URL**.

      **Service Provider ID (SP Entity ID)** : `urn:amazon:cognito:sp:us-east-1_Nu63sypSS`

      **Service Provider Login URL (SSO URL)** : `https://cognito.blinkops.com/saml2/idpresponse`

      **Service Provider Logout URL (SLO URL)** : `https://cognito.blinkops.com/saml2/logout`

      <Frame>
        <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/okta-13.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=7054fa88b9901aca5c2810c8b8202541" width="683" height="341" data-path="img/IdentityProviders/okta-13.png" />
      </Frame>

      <Info> **Please Note:** if you use an on-premise deployment, **do not** use the above values to complete the **Create SAML Integration** section of the Okta application. Instead, log in to your **own** on-premise deployment and use the unique values provided in the **SAML** tab under the **Account Management Settings**.</Info>
    </Note>
  </Step>

  <Step title="Enter Blink SAML URLs and Identifiers">
    In the **Create SAML Integration** section of the Okta application, fill in the fields with the values shown in the SAML tab under the Account Management Settings section within the Blink Platform:

    * **Single Sign-On URL**: your unique **IdP-Initiated Login URL**.
    * **Recipient URL** and **Destination URL**: the **Service Provider Login URL (SSO URL)**, pasted into **both** fields.
    * **Audience URI (SP Entity ID)**: the **Service Provider ID (SP Entity ID)**.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/VXKzhvwYkcutAgt0/img/IdentityProviders/okta-4.png?fit=max&auto=format&n=VXKzhvwYkcutAgt0&q=85&s=d99d62175044a684b434f5ad4a15cfc4" width="1146" height="878" data-path="img/IdentityProviders/okta-4.png" />
    </Frame>
  </Step>

  <Step title="Configure Attribute Statements">
    Scroll down to the “Attribute Statements” section and add the following key-value pairs, and then click Next.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/VXKzhvwYkcutAgt0/img/IdentityProviders/okta-5.png?fit=max&auto=format&n=VXKzhvwYkcutAgt0&q=85&s=f47ffa39b9ceb52af70084bbe172e361" width="1353" height="661" data-path="img/IdentityProviders/okta-5.png" />
    </Frame>
  </Step>

  <Step title="Add Group Attribute Statement">
    Then scroll down to the "Group Attribute Statement" section and fill out the fields as shown in the image below.

    <Accordion title="Resolving SAML Group Mapping Errors with AWS Cognito" icon="lightbulb" color="green">
      The error message in the image indicates: **"Invalid SAML response received: The value of the attribute custom:groups must have a length less than or equal to 2048 characters."**

      <Frame>
        <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/SAMLError.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=d636e335896a6300a0b8e5116bcf9f76" width="474" height="630" data-path="img/IdentityProviders/SAMLError.png" />
      </Frame>

      ### Cause of the Error:

      This error occurs because the **SAML response from the client's Identity Provider (IdP)** includes a `custom:groups` attribute whose **total character length exceeds AWS Cognito's 2048-character limit** for string attributes.

      In this specific case:

      * The client configured **group mapping using a wildcard**, which sends **all the user's group memberships** via SAML.
      * As a result, Cognito receives a very long string of group names combined, pushing the total value over the 2048-character limit.
      * Cognito then **rejects the login attempt**, since it cannot store or process that oversized attribute.

      ***

      ### Recommended Solution:

      To fix this, **stop using wildcard group mapping** and instead implement **manual group mapping** in the IdP SAML configuration.

      #### What to do:

      * The client should **explicitly map only the relevant groups** required by Blink, such as:

        * `Blink Builders`
        * `Blink Users`
        * `Blink Admins`
      * This will **limit the number and size** of the groups included in the SAML assertion, ensuring the `custom:groups` attribute stays within Cognito’s size constraints.

      <Warning> Using wildcards (e.g., `*`) sends **all** group memberships, including unrelated or nested ones. This makes the attribute size unpredictable and highly prone to exceeding the limit, especially in large organizations. This change needs to be made **in the client's IdP application settings**, not in Blink or Cognito itself. </Warning>
    </Accordion>

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/okta-14.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=1fe346ed8107d2f6cfa2fbdc1b6925bd" width="900" height="271" data-path="img/IdentityProviders/okta-14.png" />
    </Frame>
  </Step>

  <Step title="Map Roles in Blink Platform">
    Then head to the **SAML** tab under the **Account Management Settings** section within the Blink Platform and click the [Role Mapping](/docs/blink-platform/account-management/identity-providers/identity-providers#role-mapping) section and select the applicable values.

    When a user belongs to multiple Okta groups, Blink resolves role assignment in SAML SSO using a **top-down priority order** based on the `Group:Role` mapping table. The first matching group in the list determines the assigned role.
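To make the two rules above concrete, here is an added example (not Blink's or Okta's own code) that emulates an Okta group attribute filter, checks the rendered `custom:groups` value against the 2048-character Cognito limit from the error described earlier, and resolves a role top-down from an assumed `Group:Role` table. The sample group names, the mapping table and the `, ` join format are constructed assumptions.

```python
import re

COGNITO_ATTR_LIMIT = 2048  # character limit quoted in the Cognito error above

# Constructed sample: a user in many unrelated Okta groups plus the three Blink groups.
SAMPLE_USER_GROUPS = (
    [f"corp-dept-{n:03d}-readers-eu-west" for n in range(80)]
    + ["Blink Admins", "Blink Builders", "Blink Users"]
)

# Assumed Group:Role table in Blink, ordered top-down (first match wins).
ROLE_MAPPING = [("Blink Admins", "admin"), ("Blink Builders", "builder"), ("Blink Users", "user")]


def filter_groups(groups, rule, value):
    """Approximate Okta's group attribute statement filter for one rule type."""
    if rule == "equals":
        return [g for g in groups if g == value]
    if rule == "starts_with":
        return [g for g in groups if g.startswith(value)]
    if rule == "contains":
        return [g for g in groups if value in g]
    if rule == "regex":  # ".*" here is the wildcard case the Accordion warns about
        pattern = re.compile(value)
        return [g for g in groups if pattern.search(g)]
    raise ValueError(f"unknown rule {rule!r}")


def groups_attribute(groups):
    """Render the multi-valued custom:groups attribute as a single string.
    The exact join format Cognito uses is not on this page; ', ' is an assumption."""
    return ", ".join(groups)


def check_cognito_limit(groups):
    """Return (within_limit, rendered_length) for the custom:groups value."""
    length = len(groups_attribute(groups))
    return length <= COGNITO_ATTR_LIMIT, length


def resolve_role(user_groups, mapping=ROLE_MAPPING):
    """Top-down role resolution: the first mapped group the user belongs to wins."""
    members = set(user_groups)
    for group, role in mapping:
        if group in members:
            return role
    return None


if __name__ == "__main__":
    for rule, value in (("regex", ".*"), ("starts_with", "Blink ")):
        sent = filter_groups(SAMPLE_USER_GROUPS, rule, value)
        ok, n = check_cognito_limit(sent)
        print(f"{rule}={value!r}: {len(sent)} groups, {n} chars, ok={ok}, role={resolve_role(sent)}")
```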

    <Warning>
      Please note that in the **Mapping** section, at least one mapping role must be designated as an **admin** with administrative privileges. Additionally, the user configuring the group must be a member of the group mapped to the **Admin** role. Otherwise, you won't be able to operate as an administrator in your account or access and edit the role mapping again.
    </Warning>

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/okta-12.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=b5669312112cb3942744339938dfa0d9" width="1247" height="805" data-path="img/IdentityProviders/okta-12.png" />
    </Frame>
  </Step>

  <Step title="Finish SAML App Setup in Okta">
    Select “I’m an Okta customer adding an internal app” from the options menu, and then click Finish.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/VXKzhvwYkcutAgt0/img/IdentityProviders/okta-6.png?fit=max&auto=format&n=VXKzhvwYkcutAgt0&q=85&s=d0ae03d516884993480adb3ef2ca3a5b" width="2066" height="1270" data-path="img/IdentityProviders/okta-6.png" />
    </Frame>
  </Step>

  <Step title="Assign Users or Groups to the SAML App">
    To give users permission to authenticate via this SAML app, you will need to assign users or groups.
  </Step>

  <Step title="Go to Assignments Tab">
    Click on the "Assignments" tab and assign the users or groups you require.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/VXKzhvwYkcutAgt0/img/IdentityProviders/okta-7.png?fit=max&auto=format&n=VXKzhvwYkcutAgt0&q=85&s=fd008f4e3ccab57586114dde1d5c7e96" width="2060" height="1250" data-path="img/IdentityProviders/okta-7.png" />
    </Frame>
  </Step>

  <Step title="Open Sign On Tab and Locate Certificates">
    Click on the "Sign On" tab and scroll down to the "SAML Signing Certificates" section.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/VXKzhvwYkcutAgt0/img/IdentityProviders/okta-8.png?fit=max&auto=format&n=VXKzhvwYkcutAgt0&q=85&s=1afcf7c9188f1ba9e2d7ca4cc9dae023" width="2060" height="1256" data-path="img/IdentityProviders/okta-8.png" />
    </Frame>
  </Step>

  <Step title="View SAML Setup Instructions">
    Click on "View SAML setup instructions".

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/VXKzhvwYkcutAgt0/img/IdentityProviders/okta-9.png?fit=max&auto=format&n=VXKzhvwYkcutAgt0&q=85&s=305c89ef506584ee06c67bca9dd68a0f" width="2054" height="1262" data-path="img/IdentityProviders/okta-9.png" />
    </Frame>
  </Step>

  <Step title="Copy IDP Metadata Values">
    Next, under the **Optional** section at the bottom, copy the **IDP metadata** values.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/ZeD68GD0apWa12JT/img/IdentityProviders/okta-10.png?fit=max&auto=format&n=ZeD68GD0apWa12JT&q=85&s=270e15305b36cdf9c500aabf011a0210" width="968" height="999" data-path="img/IdentityProviders/okta-10.png" />
    </Frame>
  </Step>

  <Step title="Paste Metadata in Blink Platform">
    Next, navigate to the **SAML** tab in the Account Management Settings within the Blink Platform and paste the **IDP metadata** values into the text field labeled 'Metadata File'.

    <Frame>
      <img src="https://mintcdn.com/blinkops-2/VXKzhvwYkcutAgt0/img/IdentityProviders/saml-metadata-2.png?fit=max&auto=format&n=VXKzhvwYkcutAgt0&q=85&s=138e95f889724d78952c9e153dfa55a5" width="1726" height="1076" data-path="img/IdentityProviders/saml-metadata-2.png" />
    </Frame>
  </Step>
</Steps>
