# Okta Single Sign-On (SSO)

> Configure SSO Authentication With Okta

This article provides a detailed guide on configuring Single Sign-On (SSO) using Okta as your identity provider. By integrating Okta with Odin AI, your organization can streamline user authentication, allowing employees to access the platform using their existing Okta credentials. You will learn the prerequisites, step-by-step configuration instructions, and troubleshooting tips specifically for Okta SSO.

Using Okta SSO offers several advantages:

* **Centralized Authentication** - One login for all enterprise applications.
* **Enhanced Security** - Organization-controlled access.
* **User Management** - Centralized user provisioning and deprovisioning.
* **Compliance** - Meets enterprise security requirements.
* **User Experience** - Seamless authentication experience.

## Okta SSO Configuration

In this section, you will find the necessary steps to configure Okta SSO for your Odin AI instance.

### Prerequisites

Before you begin, ensure you have:

* Okta administrator access.
* Your Odin AI instance URL.

### Step 1: Okta Application Setup

1. **Log in to Okta Admin Console**\
   Visit your Okta admin console and navigate to **Applications** > **Applications**.

2. **Create New Application**\
   Click **Create App Integration**, select **SAML 2.0** as the sign-in method, and click **Next**.

3. **Configure General Settings**\
   Enter an app name (e.g., "Odin AI"), upload the Odin AI logo if desired, and click **Next**.

4. **Configure SAML Settings**\
   In the **SAML Settings** section, enter the following (for Odin AI Cloud use the URLs below):

   * **Single Sign On URL**: `https://api.getodin.ai/user/okta/sso/saml/acs/admin`
   * **Recipient URL**: `https://api.getodin.ai/user/okta/sso/saml/acs/admin`
   * **Destination URL**: `https://api.getodin.ai/user/okta/sso/saml/acs/admin`
   * **Audience Restriction**: `https://api.getodin.ai/user/okta/sso/saml/acs/admin`
   * **Default Relay State**: `default`

   Also set **Name ID format** to `EmailAddress`, **Application username** to `Email`, and **Update application username on** to `Create and update`.

   <img src="https://mintcdn.com/odinai/Kp5DBHFIllpWuLK2/img/authentication/okta-saml-settings.png?fit=max&auto=format&n=Kp5DBHFIllpWuLK2&q=85&s=66aaf4546af233a564b5afc1901cef18" alt="Okta SAML Settings" width="1024" height="785" data-path="img/authentication/okta-saml-settings.png" />

5. **Attribute Statements** (Optional)\
   Add attribute mappings as needed (e.g. `email` → `user.email`, `firstName` → `user.firstName`, `lastName` → `user.lastName`).

   **How to add attribute statements**

   1. In Okta, go to **Applications** > **Your App**.
   2. Click the **General** tab > **SAML Settings** > **Edit**.
   3. Open the **Configure SAML** section.
   4. Scroll to **Attribute Statements** (where you add email, firstName, lastName).
   5. Click **Add Another** to add more attributes.

   <img src="https://mintcdn.com/odinai/Kp5DBHFIllpWuLK2/img/authentication/okta-attribute-statements.png?fit=max&auto=format&n=Kp5DBHFIllpWuLK2&q=85&s=b1d8bdbe76625c12b9256e29a57be0fd" alt="Okta Attribute Statements" width="1024" height="496" data-path="img/authentication/okta-attribute-statements.png" />

   **Adding custom user attributes to SAML (optional)**

   To send custom attributes (e.g. `userTags`) in the SAML assertion:

   **1. Create the attribute in Okta**

   * Go to **Directory** → **Profile Editor** → **User (default)**.
   * Click **Add Attribute**.
   * Set **Variable name** (e.g. `userTags`) — use camelCase, no spaces.
   * Set **Data type**: string (single value) or string array (multiple values).
   * Click **Save**.

   **2. Assign values to all users (required)**

   * Go to **Directory** → **People** → select a user.
   * Click **Edit** on their profile.
   * Fill in the custom attribute field with a value.
   * Click **Save**.
   * Repeat for every user who will use SSO.

   Okta only sends attributes that have values; empty fields are not included in the SAML response.

   **3. Map the attribute in your SAML app**

   * Go to **Applications** → \[Your SAML App] → **SAML Settings** → **Edit**.
   * In **Attribute Statements**, click **Add Another** and add:
     * **Name**: `userTags` (or your attribute name).
     * **Value**: `user.userTags` (must match the variable name from step 1).
   * Click **Save**.

6. **Group Attribute Statements** (Optional)\
   Configure group mappings if needed.

7. **Feedback** (Optional)\
   Select feedback options and click **Finish**.

### Step 2: Get Okta Configuration

**Get the Metadata URL**\
Log in to Okta as an admin, go to **Applications** → \[Your App] → **Sign On** tab. Then go to **Settings** → **SAML 2.0** → **Metadata details** → **Metadata URL**. Copy the URL (use the Copy button).

<img src="https://mintcdn.com/odinai/Kp5DBHFIllpWuLK2/img/authentication/okta-metadata-url.png?fit=max&auto=format&n=Kp5DBHFIllpWuLK2&q=85&s=352971cf3cccedd00d66158a920898a6" alt="Okta Sign On – Metadata URL" width="1024" height="940" data-path="img/authentication/okta-metadata-url.png" />

### Step 3: Submit Configuration to Odin AI

Odin AI's support team will configure and test your SSO setup. Please provide the following information:

1. **Send Configuration Details**\
   Email [**Support**](mailto:support@getodin.ai) with the following information:
   * **Provider**: Okta
   * **Enterprise ID**: Your organization's domain (e.g., `company.com`)
   * **Metadata URL**: The Okta metadata URL from Step 2
   * **SSO Sign-In Only** (Optional): Specify whether you want to require SSO for all users with this domain.

2. **Odin AI Configuration**\
   Odin AI's support team will configure SSO on your instance and test the connection. You will be notified once configuration is complete.

3. **Testing**\
   Odin AI's team will test the SSO connection, and you may be asked to verify that it works. Once confirmed, SSO will be enabled for your organization.

### Troubleshooting Okta SSO

In this section, you will find common issues and solutions related to Okta SSO.

**Issue**: Redirect loop or authentication failure\
**Solutions**:

* Verify the Single Sign On URL, Recipient URL, Destination URL, and Audience Restriction all match `https://api.getodin.ai/user/okta/sso/saml/acs/admin`.
* Ensure Default Relay State is set to `default`.
* Ensure Name ID format is set to EmailAddress.
* Verify that the metadata URL is accessible.
* Check that the Okta application is active.

**Issue**: User not found after SSO login\
**Solutions**:

* Verify email attribute mapping in Okta.
* Check that the user exists in Odin AI.
* Ensure user provisioning is configured.
* Verify that the Enterprise ID matches the email domain.
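
The checks in both troubleshooting lists can be run against a decoded `SAMLResponse` from a test login. The following is an added example, not Odin AI or Okta code: it compares Destination, Recipient, Audience and the Name ID format with the values in this guide and reports mapped attributes that Okta did not send. The function name, the `expected_attrs` parameter and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS = "https://api.getodin.ai/user/okta/sso/saml/acs/admin"  # URL from this guide
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: decoded response with a mistyped Audience and no
# firstName/lastName values on the user. Signature elements are omitted.
SAMPLE = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS}">
  <a:Assertion>
    <a:Subject>
      <a:NameID Format="{EMAIL_FORMAT}">jane@company.com</a:NameID>
      <a:SubjectConfirmation>
        <a:SubjectConfirmationData Recipient="{ACS}"/>
      </a:SubjectConfirmation>
    </a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>https://api.getodin.ai/user/okta/sso/saml/acs</a:Audience>
    </a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement>
      <a:Attribute Name="email"><a:AttributeValue>jane@company.com</a:AttributeValue></a:Attribute>
    </a:AttributeStatement>
  </a:Assertion>
</p:Response>"""

def check_response(xml_text, expected_attrs=("email", "firstName", "lastName")):
    """Return a list of findings; an empty list means the settings match."""
    # Configuration diagnostic only: it does not verify the XML signature.
    root = ET.fromstring(xml_text)
    findings = []
    conf = root.find(".//a:SubjectConfirmationData", NS)
    aud = root.find(".//a:AudienceRestriction/a:Audience", NS)
    name_id = root.find(".//a:Subject/a:NameID", NS)
    seen = {
        "Destination": root.get("Destination"),
        "Recipient": conf.get("Recipient") if conf is not None else None,
        "Audience": aud.text.strip() if aud is not None and aud.text else None,
    }
    for field, value in seen.items():
        if value != ACS:
            findings.append(f"{field} mismatch: {value!r}")
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not EmailAddress")
    # Okta omits attributes with empty values, so a mapped name can be absent.
    sent = {a.get("Name") for a in root.iterfind(".//a:Attribute", NS)}
    findings += [f"attribute not sent: {n}" for n in expected_attrs if n not in sent]
    return findings

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE)))
```

Pass only the attribute names you mapped in Step 1 as `expected_attrs`, since attribute statements are optional.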

## Contact

For SSO configuration questions or issues, contact [Support](mailto:support@getodin.ai).
