Skip to main content

SSO with Okta

This guide explains how to set up Single Sign-On (SSO) with Okta in Certifier.

Caroline Tyrko avatar
Written by Caroline Tyrko
Updated this week

💡 Heads-up: SSO is enforced per organization. After we enable SSO for your organization, sign-in becomes SSO-only. The only exception is the organization owner, who retains previous login methods to avoid being locked out.

Existing users are deleted or unlinked from your workspaces.

From then on, you can invite only users managed through your company's SSO provider (in this case, Okta).


What you’ll do in Okta (Steps 1–6)

Step 1 — Create a new app integration

  1. In Okta Admin Console, go to Applications.

  2. Click Create App Integration.

Step 2 — Choose SAML 2.0

Select SAML 2.0, then Next.

Step 3 — General settings

Give the app a recognizable name (e.g., Certifier).

Logo is optional, but here is one for your convenience:

Click Next.

Step 4 — SAML settings (important)

Fill in exactly:

  • Single sign-on URL (ACS): https://auth.certifier.io/saml2/idpresponse

  • Audience URI (SP Entity ID): urn:amazon:cognito:sp:eu-west-1_OetDJugrc

  • Default RelayState: (leave empty)

  • Name ID format: EmailAddress

  • Application username: Email

  • Update application username on: Create and update

Add these Attribute Statements:

Name

Name format

Value

email

Basic

user.email

firstName

Basic

user.firstName

lastName

Basic

user.lastName

Click Next at the bottom of the page.

Step 5 — Finish the setup

Check “It’s required to contact the vendor to enable SAML” box.

You can paste the link to this article in the “Did you find SAML docs for this app?” input.

Click Finish.

Step 6 — Get your IdP metadata URL

After saving, go to ApplicationsCertifier (or the name you chose for the app) → Sign On tab → SAML Signing CertificatesMetadata URL. Copy the IdP metadata URL.

Step 7 — Send us your SAML metadata

Send the SAML metadata URL (or the XML itself) to Certifier Support. We’ll take it from here.


What we (Certifier) do next

Step 8 — Certifier completes the setup

Once we receive your SAML metadata, our team finishes the configuration on our side. No further action needed from you. We’ll notify you as soon as it’s ready and share next steps.


Inviting & signing in

Step 9 — Invites in Certifier

Before inviting anyone into Certifier, assign them to the newly created app in Okta. One way to do this is through the Assignments tab in the app settings (Assignments → Assign → People/Groups).

⚠️ Don’t forget: Users should be assigned in Okta before you invite them as team members in Certifier.

Only SSO users can be invited to SSO-enforced orgs.

Step 10 — User sign-in flow

Users will be able to sign in via Sign In with SSO in Certifier app login screen:

Click Continue with SSO to open your company’s login page. After you sign in, you’ll return to Certifier already signed in.

And we're done!


Quick reference (copy/paste)

Okta → SAML Settings

Single sign-on URL (ACS): <https://auth.certifier.io/saml2/idpresponse> Audience URI (SP Entity ID): urn:amazon:cognito:sp:eu-west-1_OetDJugrc Default RelayState: (empty) Name ID format: EmailAddress Application username: Email Update application username on: Create and update

Okta → Attribute Statements

email     = user.email firstName = user.firstName lastName  = user.lastName

What to send to Certifier Support

  • IdP Metadata URL (or metadata XML)


Troubleshooting tips

  • Users cannot log in to Certifier? Confirm they’re assigned to the Certifier app in Okta.

  • NameID/email mismatch? Ensure Name ID format = EmailAddress and Application username = Email.

  • First name/last name missing? Verify the Attribute Statements above.

Did this answer your question?