
Single sign-on using Okta as your identity provider (IdP)

This article explains how to set up single sign-on (SSO) for Proton VPN using Okta as your Security Assertion Markup Language (SAML) 2.0 identity provider (IdP).

Prerequisites

To get started, you need the following items:

  • An Okta admin account
  • A Proton VPN for Business or Proton VPN Enterprise plan with administrator privileges

Supported features

  • IdP-initiated SSO
  • Service provider (SP) initiated SSO

The SP-initiated SSO URL is https://account.proton.me/vpn. For more information on the listed features, visit the Okta Glossary.

Configuration steps

1. Log in to your Proton VPN administrator account at account.protonvpn.com and go to Single sign-on → SAML authentication → Configure SAML


2. Add the domain name you used on Okta and click Add domain. Note: The domain needs to be verified. See our explainer on adding DNS records to learn more.


3. Log in to your Okta admin portal and go to Applications → Browse App Catalog.

4. Search for Proton and click the Add Integration button.

5. Go to the Sign On tab → Metadata details → Metadata URL → Copy.

6. Log in to your Proton VPN for Business administrator account at account.protonvpn.com and go to Single sign-on → SAML authentication → Configure SAML.

7. Ensure Method for importing metadata → URL is selected, and in the Metadata URL for Proton VPN field, paste in the metadata URL you copied from Okta (step 5). Click Done when you’re ready.

8. Copy the Sign on URL from Okta and paste it into the SSO URL field on the Proton VPN SAML configuration page.


Copy the Issuer from Okta and paste it into the Single sign-on entity ID field on the Proton VPN SAML configuration page.

Copy or download the Signing Certificate from Okta and paste the content into the Public certificate (X.509) field on the Proton VPN SAML configuration page.

Assign users / groups and test the integration.

In Okta, under the Proton app, click the Assignments tab.

Assign any users or groups you would like to have access to Proton.

You can test the IdP-initiated flow by navigating to your end user dashboard in Okta and clicking on the newly created Proton application.

You can test the SP-initiated flow by navigating to https://account.proton.me/vpn and providing your Okta-associated email address.

Troubleshooting

  1. If there is an error in the single sign-on configuration, please contact your organization administrator.
    1. Please confirm that the certificate you uploaded on the Proton VPN SAML configuration page matches the one provided by the Okta IdP.
    2. Please confirm that the Single sign-on entity ID on the Proton VPN SAML configuration page is the same as the Issuer.
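The two troubleshooting checks above can be scripted. The following is an added example, not part of the original article or of Proton's or Okta's tooling: it parses IdP metadata saved from the Metadata URL in step 5 and compares it with the values entered on the Proton VPN SAML configuration page. The function names and the embedded sample metadata are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for the DER certificate, and
# the entity ID and URL are made up, not values from a real Okta tenant.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/EXAMPLE-ISSUER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/app/proton/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(cert_text):
    """SHA-256 over the decoded bytes; accepts bare base64 or PEM-armoured text."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", cert_text)
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def parse_idp_metadata(xml_text):
    """Extract the Issuer (entityID), sign-on URL and signing-certificate fingerprint."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    cert = idp.find(".//ds:X509Certificate", NS)  # first certificate listed
    sso = idp.find("md:SingleSignOnService", NS)
    if cert is None or sso is None:
        raise ValueError("metadata lacks a certificate or sign-on URL")
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "fingerprint": cert_fingerprint(cert.text)}

def check_proton_fields(metadata_xml, sso_url, entity_id, pasted_cert):
    """Return the Proton VPN SAML fields that differ from the IdP metadata."""
    idp = parse_idp_metadata(metadata_xml)
    problems = []
    if sso_url.strip() != idp["sso_url"]:
        problems.append("SSO URL")
    if entity_id.strip() != idp["entity_id"]:
        problems.append("Single sign-on entity ID")
    if cert_fingerprint(pasted_cert) != idp["fingerprint"]:
        problems.append("Public certificate (X.509)")
    return problems
```

Comparing fingerprints of the decoded bytes rather than the pasted text means a certificate copied with PEM headers or line breaks still matches the bare base64 form found in the metadata.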
