How to create a new SAML connection using the management API?

I want to create a new SAMLP connection using the management API. This aspect is poorly documented. It is unclear how to attach the signingCertificate to the connection using rest API. This is what I try to post:

{ "name": "test", "strategy": "samlp", "options": { "domain_aliases": ], "signInEndpoint": "https://someurl", "signingCert": "base64_cert", }, "enabled_clients":  "xxx" ] }

I get the following error:

{"statusCode":400,"error":"Bad Request","message":"The signing certificate is not valid. Please provide a .pem or .cer certificate base64 encoded public key","errorCode":"invalid_body"} 

In general the whole aspect of creating a connection using the API is poorly documented. Please improve it and provide samples for all the different strategies

1 Like

Thanks for the feedback, I can confirm that the lack of detailed documentation for individual properties in each type of connection options is something that is already being tracked so that it can be addressed.

In relation to the error in question, the signingCert needs to be provided in a base64 encoding, more specifically, if you have a *.pem encoded certificate file you can open it to find something like:


You would then encode the above data (including the BEGIN/END markers in Base64 and use that as the value for the signingCert property.

Can you, by any chance, post all the supported properties for samlp here?


Here is the solution which is confirmed here .

  "options": {
    "cert": "-----BEGIN CERTIFICATE——your-certificate——END CERTIFICATE-----\n",
    "debug": true,
    "expires": "2031-09-09T19:24:22.000Z",
    "subject": {
      "commonName": "dev-39112510",
      "countryName": "US",
      "emailAddress": "",
      "localityName": "San Francisco",
      "organizationName": "Okta",
      "stateOrProvinceName": "California",
      "organizationalUnitName": "SSOProvider"
    "metadataUrl": “you-metadata-url”,
    "signingCert": "",
    "thumbprints": [
    "bindingMethod": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "disableSignout": false,
    "signInEndpoint": "you-signin-endpoint”,
    "digestAlgorithm": "sha1",
    "protocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "signOutEndpoint": null,
    "signSAMLRequest": false,
    "user_id_attribute": "”,
    "signatureAlgorithm": "rsa-sha256"
  "strategy": "samlp",
  "name": "okta-test2",
  "is_domain_connection": false,
  "show_as_button": false,
  "enabled_clients": []