This article provides a detailed guide on configuring Single Sign-On (SSO) using Okta as your identity provider. By integrating Okta with EKB, your organization can streamline user authentication, allowing employees to access the platform using their existing Okta credentials. You will learn the prerequisites, step-by-step configuration instructions, and troubleshooting tips specifically for Okta SSO.

Using Okta SSO offers several advantages:
  • Centralized Authentication - One login for all enterprise applications.
  • Enhanced Security - Organization-controlled access.
  • User Management - Centralized user provisioning and deprovisioning.
  • Compliance - Meets enterprise security requirements.
  • User Experience - Seamless authentication experience.

Okta SSO Configuration

In this section, you will find the necessary steps to configure Okta SSO for your EKB instance.

Prerequisites

Before you begin, ensure you have:
  • Okta administrator access.
  • Your EKB instance URL.

Step 1: Okta Application Setup

  1. Log in to Okta Admin Console
    Visit your Okta admin console and navigate to Applications > Applications.
  2. Create New Application
    Click Create App Integration, select SAML 2.0 as the sign-in method, and click Next.
  3. Configure General Settings
    Enter an app name (e.g., “EKB”), upload the EKB logo if desired, and click Next.
  4. Configure SAML Settings
    In the SAML Settings section, enter the following (for EKB Cloud use the URLs below):
    • Single Sign On URL: https://api.getodin.ai/user/okta/sso/saml/acs/admin
    • Recipient URL: https://api.getodin.ai/user/okta/sso/saml/acs/admin
    • Destination URL: https://api.getodin.ai/user/okta/sso/saml/acs/admin
    • Audience Restriction: https://api.getodin.ai/user/okta/sso/saml/acs/admin
    • Default Relay State: default
    Also set Name ID format to EmailAddress, Application username to Email, and Update application username on to Create and update.
  5. Attribute Statements (Optional)
    Add attribute mappings as needed (e.g. email → user.email, firstName → user.firstName, lastName → user.lastName).
    How to add attribute statements
    1. In Okta, go to Applications > Your App.
    2. Click the General tab > SAML Settings > Edit.
    3. Open the Configure SAML section.
    4. Scroll to Attribute Statements (where you add email, firstName, lastName).
    5. Click Add Another to add more attributes.
    Adding custom user attributes to SAML (optional)
    To send custom attributes (e.g. userTags) in the SAML assertion:
    1. Create the attribute in Okta
    • Go to Directory → Profile Editor → User (default).
    • Click Add Attribute.
    • Set Variable name (e.g. userTags) — use camelCase, no spaces.
    • Set Data type: string (single value) or string array (multiple values).
    • Click Save.
    2. Assign values to all users (required)
    • Go to Directory → People → select a user.
    • Click Edit on their profile.
    • Fill in the custom attribute field with a value.
    • Click Save.
    • Repeat for every user who will use SSO.
    Okta only sends attributes that have values; empty fields are not included in the SAML response.
    3. Map the attribute in your SAML app
    • Go to Applications → [Your SAML App] → SAML Settings → Edit.
    • In Attribute Statements, click Add Another and add:
      • Name: userTags (or your attribute name).
      • Value: user.userTags (must match the variable name from step 1).
    • Click Save.
  6. Group Attribute Statements (Optional)
    Configure group mappings if needed.
  7. Feedback (Optional)
    Select feedback options and click Finish.

Step 2: Get Okta Configuration

Get the Metadata URL
Log in to Okta as an admin, go to Applications → [Your App] → Sign On tab. Then go to Settings → SAML 2.0 → Metadata details → Metadata URL. Copy the URL (use the Copy button).

Step 3: Submit Configuration to EKB

EKB’s support team will configure and test your SSO setup. Please provide the following information:
  1. Send Configuration Details
    Email Support with the following information:
    • Provider: Okta
    • Enterprise ID: Your organization’s domain (e.g., company.com)
    • Metadata URL: The Okta metadata URL from Step 2
    • SSO Sign-In Only (Optional): Specify if you want to require SSO for all users with this domain.
  2. EKB Configuration
    EKB’s support team will configure SSO on your instance and test the connection. You will be notified once configuration is complete.
  3. Testing
    EKB’s team will test the SSO connection, and you may be asked to verify that it works. Once confirmed, SSO will be enabled for your organization.

Troubleshooting Okta SSO

In this section, you will find common issues and solutions related to Okta SSO.
Issue: Redirect loop or authentication failure
Solutions:
  • Verify the Single Sign On URL, Recipient URL, Destination URL, and Audience Restriction all match https://api.getodin.ai/user/okta/sso/saml/acs/admin.
  • Ensure Default Relay State is set to default.
  • Ensure Name ID format is set to EmailAddress.
  • Verify metadata URL is accessible.
  • Check that the Okta application is active.
Issue: User not found after SSO login
Solutions:
  • Verify email attribute mapping in Okta.
  • Check that the user exists in EKB.
  • Ensure user provisioning is configured.
  • Verify enterprise ID matches the email domain.
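
To check the settings in the two issue lists above against what Okta actually sends, the following added example (not part of EKB's or Okta's tooling) inspects a base64 SAMLResponse captured from your own browser session and reports every mismatch. The sample response is constructed, the email and userTags attribute names assume the optional mappings from Step 1, and the script does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

ACS_URL = "https://api.getodin.ai/user/okta/sso/saml/acs/admin"  # value from this page
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, expected_attrs=("email",)):
    """List mismatches between a captured SAMLResponse and this page's settings.
    Diagnostic only: run it on your own captures; it does not check the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []

    def expect(label, actual, wanted):
        if actual != wanted:
            problems.append(f"{label}: got {actual!r}, expected {wanted!r}")

    expect("Destination", root.get("Destination"), ACS_URL)
    scd = root.find(".//a:SubjectConfirmationData", NS)
    expect("Recipient", scd.get("Recipient") if scd is not None else None, ACS_URL)
    aud = root.find(".//a:AudienceRestriction/a:Audience", NS)
    expect("Audience", aud.text.strip() if aud is not None and aud.text else None, ACS_URL)
    name_id = root.find(".//a:Subject/a:NameID", NS)
    expect("NameID Format", name_id.get("Format") if name_id is not None else None, EMAIL_FORMAT)

    # Okta omits attributes that are empty for the user, so "missing" covers both cases.
    sent = {a.get("Name") for a in root.findall(".//a:AttributeStatement/a:Attribute", NS)}
    for name in expected_attrs:
        if name not in sent:
            problems.append(f"Attribute {name!r} missing (unmapped, or empty for this user)")
    return problems

# Constructed sample (not real Okta output): wrong Audience, and userTags not sent.
SAMPLE = base64.b64encode(f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{ACS_URL}">
 <a:Assertion>
  <a:Subject>
   <a:NameID Format="{EMAIL_FORMAT}">jane@company.com</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS_URL}"/></a:SubjectConfirmation>
  </a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>https://example.invalid/wrong</a:Audience></a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="email"><a:AttributeValue>jane@company.com</a:AttributeValue></a:Attribute></a:AttributeStatement>
 </a:Assertion>
</p:Response>""".encode()).decode()

if __name__ == "__main__":
    for line in check_saml_response(SAMPLE, ("email", "userTags")) or ["all checks passed"]:
        print(line)
```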

Contact

For SSO configuration questions or issues, contact Support.