💡 Heads-up: SSO is enforced per organization. After we enable SSO for your organization, sign-in becomes SSO-only. The only exception is the organization owner, who retains previous login methods to avoid being locked out.
Existing users are deleted or unlinked from your workspaces.
From then on, you can invite only users managed through your company's SSO provider (in this case, Okta).
What you’ll do in Okta (Steps 1–6)
Step 1 — Create a new app integration
In the Okta Admin Console, go to Applications.
Click Create App Integration.
Step 2 — Choose SAML 2.0
Select SAML 2.0, then Next.
Step 3 — General settings
Give the app a recognizable name (e.g., Certifier).
Logo is optional, but here is one for your convenience:
Click Next.
Step 4 — SAML settings (important)
Fill in exactly:
Single sign-on URL (ACS):
https://auth.certifier.io/saml2/idpresponse
Audience URI (SP Entity ID):
urn:amazon:cognito:sp:eu-west-1_OetDJugrc
Default RelayState: (leave empty)
Name ID format:
EmailAddress
Application username:
Email
Update application username on:
Create and update
Add these Attribute Statements:
| Name | Name format | Value |
| email | Basic | user.email |
| firstName | Basic | user.firstName |
| lastName | Basic | user.lastName |
Click Next at the bottom of the page.
Step 5 — Finish the setup
Check the “It’s required to contact the vendor to enable SAML” box.
You can paste the link to this article in the “Did you find SAML docs for this app?” input.
Click Finish.
Step 6 — Get your IdP metadata URL
After saving, go to Applications → Certifier (or the name you chose for the app) → Sign On tab → SAML Signing Certificates → Metadata URL. Copy the IdP metadata URL.
Step 7 — Send us your SAML metadata
Send the SAML metadata URL (or the XML itself) to Certifier Support. We’ll take it from here.
What we (Certifier) do next
Step 8 — Certifier completes the setup
Once we receive your SAML metadata, our team finishes the configuration on our side. No further action needed from you. We’ll notify you as soon as it’s ready and share next steps.
Inviting & signing in
Step 9 — Invites in Certifier
Before inviting anyone into Certifier, assign them to the newly created app in Okta. One way to do this is through the Assignments tab in the app settings (Assignments → Assign → People/Groups).
⚠️ Don’t forget: Users should be assigned in Okta before you invite them as team members in Certifier.
Only SSO users can be invited to SSO-enforced orgs.
Step 10 — User sign-in flow
Users can sign in via Sign In with SSO on the Certifier app login screen:
Click Continue with SSO to open your company’s login page. After you sign in, you’ll return to Certifier already signed in.
And we're done!
Quick reference (copy/paste)
Okta → SAML Settings
Single sign-on URL (ACS): https://auth.certifier.io/saml2/idpresponse
Audience URI (SP Entity ID): urn:amazon:cognito:sp:eu-west-1_OetDJugrc
Default RelayState: (empty)
Name ID format: EmailAddress
Application username: Email
Update application username on: Create and update
Okta → Attribute Statements
email = user.email
firstName = user.firstName
lastName = user.lastName
What to send to Certifier Support
IdP Metadata URL (or metadata XML)
Troubleshooting tips
Users cannot log in to Certifier? Confirm they’re assigned to the Certifier app in Okta.
NameID/email mismatch? Ensure Name ID format = EmailAddress and Application username = Email.
First name/last name missing? Verify the Attribute Statements above.
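To check a test sign-in against the Step 4 settings and the tips above, here is an added example (not Certifier's or Okta's own code). It assumes you have the base64-decoded assertion XML from a test login, for instance from a browser SAML tracing extension, and it does not verify the signature. The function name and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://auth.certifier.io/saml2/idpresponse"
AUDIENCE = "urn:amazon:cognito:sp:eu-west-1_OetDJugrc"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")

def check_assertion(xml_text):
    """Return a list of mismatches against the Step 4 settings (empty = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID format is not EmailAddress")
    # By default Okta uses the Single sign-on URL as the Recipient.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the Single sign-on URL (ACS)")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience URI (SP Entity ID) mismatch")
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"attribute statement '{name}' missing or empty")
    # Application username = Email, so NameID should equal the email attribute.
    if name_id is not None and attrs.get("email"):
        if (name_id.text or "").strip().lower() != attrs["email"].lower():
            problems.append("NameID does not match the email attribute")
    return problems

# Constructed sample: wrong Name ID format, Okta username as NameID, no lastName.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://auth.certifier.io/saml2/idpresponse"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:amazon:cognito:sp:eu-west-1_OetDJugrc</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE)) or "assertion matches Step 4 settings")
```

An empty result means the assertion carries the values from Step 4; each string in the list names the Okta field to revisit.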