Meta Work Accounts enable organizations to separate personal and professional accounts on the Meta platform, specifically Facebook, Instagram, and WhatsApp.
By integrating Okta as your identity provider (IdP) for your Meta Work Accounts, you can manage employee access to Meta, increasing the security of your accounts and eliminating the need for employees to remember and manage multiple personal login credentials across different applications.
This document contains the steps to configure single sign-on (SSO) authentication using a Security Assertion Markup Language (SAML) integration and automatic user provisioning using the System for Cross-domain Identity Management (SCIM) specification between Meta and Okta via Meta Work Accounts.
IMPORTANT: Meta for Work was released in July 2023 for beta testing. Some organizations are transitioning to it to replace personal Facebook profiles as the default login for Meta Business Manager.
Note that this feature is currently available to select customers only. For more information or to inquire about eligibility, please contact your Meta support representative.
Requirements
The following are the requirements to configure the integration between Okta and Meta:
An Okta admin with Application Administrator permissions (at least)
A Meta Business Manager admin
A Meta Work Accounts IT setup manager
Identify a Migration team, if needed, for the necessary task delegation
Make sure you abide by all the requirements for the environment you’re working on, according to the IT settings tasks to complete before your managed Meta accounts migration in Business Manager guide
Prepare the Meta environment following the Overview of managed Meta accounts setup and migration in Business Manager guide.
Sign up your organization for managed Meta accounts following the Launch the migration to managed Meta accounts in Business Manager guide.
IMPORTANT: You must have the IT Setup Manager permissions provided by the Migration Manager or Owner.
Configure the Okta integration for Meta Work Accounts
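To configure the Okta integration for Meta Work Accounts, you must complete the following main steps:
1. Configure Meta Work Accounts
2. Add and configure the Meta Work Accounts app in Okta
3. Configure SSO in Meta and Okta
4. Configure automatic user provisioning in Okta
The following sections describe each main step.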
1. Configure Meta Work Accounts
To configure the Meta Work Accounts, you must complete the following steps:
Complete the account configuration, such as setting up the password, date of birth, and multi-factor authentication (MFA), after signing up your organization for Meta Work Accounts.
Log in to the Meta Business Admin Center. The Business settings page is displayed.
Click the Verify domain button to verify your business domain. A verification method dialog box is displayed.
Select the Email verification (Immediate) option to verify the domain ownership, as shown in Figure 1.
Figure 1. Verification method dialog box
Select the email address previously registered to receive a verification code.
Enter the verification code.
Click the Verify button. The dialog box closes.
TIP: Leave the browser tab with the Meta Business Admin Center open because you need it later.
The next step is to configure the Okta integration.
2. Add and configure the Meta Work Accounts app in Okta
To add and configure the Meta Work Accounts app in Okta, you must complete the following steps:
Log in to the Okta Admin Console of your organization in a new browser tab.
Select the Applications option from the Applications drop-down list located in the left navigation drawer. The Applications page is displayed.
Search for the Meta Work Accounts app by performing the following actions:
Click the Browse App Catalog button. The Browse App Integration Catalog page is displayed.
Enter Meta Work Accounts in the search bar. A list of apps is displayed below the search bar.
Select the Meta Work Accounts option from the list. The Meta Work Accounts integration page is displayed.
Click the Add Integration button. The Add Meta Work Accounts page is displayed with the General Settings tab activated.
Enter your application name in the Application label field, as shown in Figure 2.
Figure 2. General Settings tab of the Add Meta Work Accounts page
Click the Done button. The Meta Work Accounts app page is displayed with the Assignments tab activated.
TIP: Leave this browser tab open because you need it to configure SSO authentication and automatic user provisioning in Meta.
The next step is to configure SSO authentication in Meta and Okta.
3. Configure SSO in Meta and Okta
To configure SSO authentication in Meta and Okta, you must complete the following steps:
Retrieve the corresponding URL values from Meta by performing the following actions:
Go to the tab where you left open the Meta Business Admin Center.
Select the Security option from the left navigation drawer. The Security view is displayed.
Select the Single sign-on option from the left menu. The Single sign-on (SSO) page is displayed.
Click the Add IdP button. The Add IdP page is displayed with the following values that you must copy to enter them in Okta, as shown in Figure 3:
Audience URL
ACS (Assertion Consumer Service) URL
Figure 3. Add IdP page in the Security view of your Meta Business Admin Center
TIP: Leave this browser tab open because you need it to copy each value.
Enter the URL values in the Meta Work Accounts app in Okta by performing the following actions:
Switch to the browser tab you left open with the Meta Work Accounts app page in Okta.
Activate the Sign On tab. The Settings section is displayed.
Click the Edit button located at the top right of the Settings section. Multiple input fields are displayed below.
Paste the URL values that you copied from the Meta Business Admin Center in the corresponding fields:
Audience URL
ACS (Assertion Consumer Service) URL
Click the Save button. A success message is displayed, and the changes are saved.
Click the More details button from the SAML 2.0 section. The following values are displayed for you to copy and enter in the Meta Business Admin Center, as shown in Figure 4:
Sign on URL
Issuer
Signing Certificate
Figure 4. SAML 2.0 section in the Sign On tab of your Meta Work Accounts app in Okta
TIP: Leave this browser tab open because you need it to copy each value.
Enter the corresponding information and SAML URL values in the Add your IdP's SSO metadata section of the Add IdP page of your Meta Business Admin Center by performing the following actions:
Click the I’ve added the metadata button.
Enter a name for your SSO setup in the Name your SSO setup field.
Paste the Sign on URL value that you copied from Okta in the SAML URL field.
Paste the Issuer value that you copied from Okta in the SAML Issuer URL field.
Paste the Signing Certificate value that you copied from Okta in the SAML Certificate field.
Test the SSO setup in your Meta Business Admin Center by performing the following actions:
Click the Validate IdP metadata button.
Enter an email address in the text field that is displayed.
Click the Test SSO option. A new browser tab is displayed.
Log in to your Okta account in the new browser tab to verify the SSO authentication if you don’t have an active session. The SSO test complete pop-up window is displayed, as shown in Figure 5.
Figure 5. Success message pop-up window for the SSO test
Assign your business email domains for logging in with SSO authentication in your Meta Business Admin Center by performing the following actions:
Switch to the browser tab you left open with the Meta Work Accounts app page.
Click the Check result button. The Assign email domains section is displayed.
Enter your domain in the Assign domains to “Okta SSO” field.
Enter All newly verified domains in the Unassigned domains field, as shown in Figure 6.
Figure 6. Assign email domains section of the Add IdP page in the Security view of your Meta Business Admin Center
Click the Activate SSO button to turn on SSO authentication.
IMPORTANT: You must assign the application you've created to the active users of Meta Work Accounts before you activate SSO authentication. If the configuration is not done correctly, you could be locked out of Meta. Upon assignment, the username requested by the application must match the email address of the admins configuring the Meta Business Manager.
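A pre-activation check for the lockout condition described above, as an added example that is not part of the original guide and is not Okta's or Meta's code. The admin list, the CSV columns, the case-insensitive comparison, and the rule that only addresses in the assigned domains are affected are all assumptions of this sketch.

```python
import csv
import io

# Constructed sample data. The CSV columns are assumptions made for this
# example, not an Okta or Meta export format.
META_ADMINS = ["alice@example.com", "Bob@Example.com", "carol@example.com",
               "dave@example.org", "erin@example.com"]
SSO_DOMAINS = {"example.com"}  # domains to be assigned to the SSO setup
OKTA_ASSIGNMENTS_CSV = """app_username,okta_status
alice@example.com,ACTIVE
bob,ACTIVE
carol@example.com,SUSPENDED
"""


def load_assignments(text):
    """Map lower-cased app username -> Okta user status."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["app_username"].strip().lower(): r["okta_status"].strip().upper()
            for r in rows}


def lockout_risks(admins, assignments, sso_domains):
    """Return {admin email: reason} for admins who may be unable to sign in."""
    risks = {}
    for email in admins:
        key = email.strip().lower()
        local, _, domain = key.rpartition("@")
        if domain not in sso_domains:
            continue  # assumed: SSO only applies to the assigned domains
        status = assignments.get(key)
        if status is None and local in assignments:
            risks[key] = "assigned, but app username %r is not the email" % local
        elif status is None:
            risks[key] = "not assigned to the app"
        elif status != "ACTIVE":
            risks[key] = "assigned, but the Okta user is " + status
    return risks


if __name__ == "__main__":
    found = lockout_risks(META_ADMINS, load_assignments(OKTA_ASSIGNMENTS_CSV),
                          SSO_DOMAINS)
    for email, reason in sorted(found.items()):
        print(email + ": " + reason)
```

An empty result for every Meta Business Manager admin is the condition to reach before clicking Activate SSO.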
NOTE: For more information about the SSO configuration in Meta and Okta, read the Enable single sign-on for your organization’s managed Meta accounts in Admin Center and How to Configure SAML 2.0 for Workplace by Facebook official documentation.
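When the Test SSO step fails, the usual cause is that one of the values copied between the two consoles does not match what the assertion carries. The following added example (not from the original guide, and not Okta's or Meta's code) compares a decoded SAML response captured from your own test run against the configured Issuer, Audience URL, ACS URL, and test email address; all URLs and the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholder values standing in for what the two consoles show.
EXPECTED = {
    "issuer": "https://idp.example.com/issuer",      # Okta: Issuer
    "audience": "https://sp.example.com/audience",   # Meta: Audience URL
    "acs_url": "https://sp.example.com/acs",         # Meta: ACS URL
    "name_id": "admin@example.com",                  # address used for Test SSO
}
# Constructed response; the Audience carries a stray trailing slash.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/issuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID>admin@example.com</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/audience/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def config_mismatches(response_xml, expected):
    """Compare assertion fields to the configured values. The signature is NOT
    verified here, so use this for troubleshooting, never to accept a login."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted saml:Assertion in the response"]
    def text(path):
        node = assertion.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    seen = {
        "issuer": text("saml:Issuer"),
        "audience": text("saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "acs_url": scd.get("Recipient") if scd is not None else None,
        "name_id": text("saml:Subject/saml:NameID"),
    }
    return ["%s: configured %r, assertion has %r" % (k, v, seen[k])
            for k, v in expected.items() if seen[k] != v]

if __name__ == "__main__":
    print(config_mismatches(SAMPLE_RESPONSE, EXPECTED))
```

The comparison is an exact string match, so differences such as a trailing slash or a different letter case are reported.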
The next step is to configure automatic user provisioning in Okta.
4. Configure automatic user provisioning in Okta
To configure automatic user provisioning in Okta, you must complete the following steps:
Switch to the browser tab you left open with the Meta Work Accounts app page in Okta.
Activate the Provisioning tab.
Click the Configure API integration button. The Enable API integration option is displayed.
Select the Enable API integration option. An informational message box and a button are displayed, as shown in Figure 7.
Figure 7. Enable API integration option in the Provisioning tab of the Meta Work Accounts app in Okta
Click the Authenticate with Meta Work Accounts button. The Meta pop-up window with your Meta Work Accounts organization is displayed.
Click the Add to Work Accounts button.
Log in to Meta Work Accounts using your admin credentials to allow Okta to use the API on your behalf.
IMPORTANT: You must be a Meta IT Setup Manager or Meta Business Manager to test the API integration.
Click the Save button after configuring your new application.
Close the pop-up window.
Click the Test API Credentials button after Okta obtains the access token and the Meta Work window closes.
Click the Save button.
Select the To App option from the left panel of the Provisioning tab.
Select the following options from the Provisioning to App section, as shown in Figure 8:
Create Users
Update User Attributes
Deactivate Users
Figure 8. Provisioning to App section in the Provisioning tab of the Meta Work Accounts app in Okta
Click the Save button.
NOTE: For more information about the automatic user provisioning configuration, read the integration guide Meta Work Accounts from the Okta official documentation.
Now you are done. You have enabled SSO authentication and automatic user provisioning of Meta Work Accounts with Okta.