> ## Documentation Index
> Fetch the complete documentation index at: https://www.truefoundry.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML with Okta

> Configure SAML 2.0 single sign-on between TrueFoundry and Okta.

This guide walks you through setting up SAML 2.0 single sign-on between TrueFoundry and Okta. Once finished, members of your Okta tenant can sign in to TrueFoundry through a **Login with Okta** button.

## Prerequisites

* A TrueFoundry tenant with **Admin** access to **Settings → Security & Access → SSO**.
* An Okta Workforce Identity Cloud tenant with permission to create new **Applications** (Super Admin or App Admin).

<Tip>
  You'll bounce between the **Okta admin console** and the **TrueFoundry SSO settings**. Keep both open in adjacent tabs to copy-paste values quickly.
</Tip>

## Configuration overview

<Steps>
  <Step title="Create the SSO configuration in TrueFoundry">
    Save a SAML SSO configuration in TrueFoundry to surface the **Single sign-on URL**, **Audience URI (SP Entity ID)**, and **Relay URL**.
  </Step>

  <Step title="Create a SAML 2.0 app integration in Okta">
    Register a custom SAML application in Okta that TrueFoundry will federate with.
  </Step>

  <Step title="Configure the SAML connection on both sides">
    Paste TrueFoundry's values into Okta, then paste Okta's IdP values back into TrueFoundry.
  </Step>

  <Step title="Assign users and test">
    Assign people or groups to the Okta application and sign in to verify.
  </Step>
</Steps>

## Step 1 — Create the SSO configuration in TrueFoundry

<Steps>
  <Step title="Open SSO settings">
    Go to **Settings → Security & Access → SSO**.

    Click the **+** icon labeled **Add New SSO Config**.

    <Frame caption="SSO page in TrueFoundry — click the + icon to add a new SSO configuration">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/saml-truefoundry-add-sso-config.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=f768205b84d9f33ce04a8b8576ab0070" alt="TrueFoundry SSO settings page with the Add New SSO Config plus button highlighted" width="1024" height="263" data-path="images/sso/entra/saml-truefoundry-add-sso-config.png" />
    </Frame>
  </Step>

  <Step title="Fill in the basic fields">
    * **Enabled**: turn this on.
    * **Name**: a lowercase alphanumeric label — for example, `oktasaml`.
    * **SSO Provider**: choose **Okta**.
    * **Authentication Configuration**: select **SAML v2**.

    Leave **Identity Provider Endpoint** and **X.509 Certificate** blank for now — you'll fill them in once Okta surfaces those values.
  </Step>

  <Step title="Save to reveal the Single sign-on URL, Audience URI (SP Entity ID), and Relay URL">
    Click **Save**. TrueFoundry displays the values you need for Okta on the SSO configuration card:

    * **Single sign-on URL** in Okta — **Single Sign On URL** in TrueFoundry.
    * **Audience URI (SP Entity ID)** in Okta — **Audience URI (SP Entity ID)** in TrueFoundry.
    * **Default RelayState** in Okta *(optional)* — **Relay URL** in TrueFoundry.

    <Frame caption="TrueFoundry SSO configuration card showing the SAML values to copy into Okta">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/saml-truefoundry-sp-metadata.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=e061fae840c0fa4e8af3c4efe9961a2b" alt="TrueFoundry SSO configuration card displaying Audience URI, Single Sign On URL, Metadata URL, and Relay URL for SAML setup" width="1024" height="391" data-path="images/sso/entra/saml-truefoundry-sp-metadata.png" />
    </Frame>
  </Step>
</Steps>

## Step 2 — Create a SAML 2.0 application in Okta

<Steps>
  <Step title="Open the Okta admin console">
    Sign in to your Okta admin console (`https://<your-tenant>-admin.okta.com`) as an administrator.

    In the left navigation, expand **Applications → Applications** and click **Create App Integration**.

    <Frame caption="Expand Applications in the left nav of the Okta admin console.">
      <img src="https://mintcdn.com/truefoundry/Fxwu4IEtHCMFUlQ8/images/sso/okta/saml-step-1-a.png?fit=max&auto=format&n=Fxwu4IEtHCMFUlQ8&q=85&s=5d767fc19912005874c2427f6df51957" alt="Okta admin console dashboard with the Applications section highlighted in the left navigation" width="1500" height="938" data-path="images/sso/okta/saml-step-1-a.png" />
    </Frame>

    <Frame caption="Click Create App Integration on the Applications page.">
      <img src="https://mintcdn.com/truefoundry/Fxwu4IEtHCMFUlQ8/images/sso/okta/saml-step-1-b.png?fit=max&auto=format&n=Fxwu4IEtHCMFUlQ8&q=85&s=fc7bbbc0e4a184cfb448200ef3e06a92" alt="Okta Applications listing with the Create App Integration button highlighted" width="1500" height="938" data-path="images/sso/okta/saml-step-1-b.png" />
    </Frame>
  </Step>

  <Step title="Pick SAML 2.0">
    In the **Create a new app integration** dialog, select **SAML 2.0** and click **Next**.

    <Frame caption="Select SAML 2.0 in the Create a new app integration dialog.">
      <img src="https://mintcdn.com/truefoundry/Fxwu4IEtHCMFUlQ8/images/sso/okta/saml-step-1-c.png?fit=max&auto=format&n=Fxwu4IEtHCMFUlQ8&q=85&s=15b38e64965e82d197059dd4b998c9bf" alt="Okta Create a new app integration dialog with SAML 2.0 selected" width="1500" height="938" data-path="images/sso/okta/saml-step-1-c.png" />
    </Frame>
  </Step>

  <Step title="Name the application">
    On the **General Settings** step, give the application a name such as `TrueFoundry`. Optionally upload an app logo.

    Click **Next** to move on to the **Configure SAML** step.
  </Step>
</Steps>

## Step 3 — Enter TrueFoundry's details into Okta

On the **Configure SAML** step of the application you created in Step 2, fill in the **SAML Settings** card using the values from Step 1.

<Steps>
  <Step title="Configure SAML settings">
    On the **Configure SAML** step, fill in the **SAML Settings** section using the values from Step 1:

    | Okta field                      | Value from TrueFoundry          |
    | ------------------------------- | ------------------------------- |
    | **Single sign-on URL**          | **Single Sign On URL**          |
    | **Audience URI (SP Entity ID)** | **Audience URI (SP Entity ID)** |
    | **Default RelayState**          | **Relay URL**                   |

    Leave **Use this for Recipient URL and Destination URL** checked.

    Set **Name ID format** to **EmailAddress** and leave **Application username** at the default of **Okta username**.

    Click **Next**.

    <Frame caption="Configure SAML — paste TrueFoundry values and set Name ID format to EmailAddress">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/okta/saml-configure-saml.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=c4f1041f4cfe6449252901bddbab3ef4" alt="Okta Configure SAML step showing Single sign-on URL, Audience URI, Default RelayState, and Name ID format set to EmailAddress" width="1024" height="741" data-path="images/sso/okta/saml-configure-saml.png" />
    </Frame>
  </Step>

  <Step title="Submit the feedback page">
    Okta requires a short feedback prompt. Select **I'm an Okta customer adding an internal app**, then scroll down and click **Finish**.
  </Step>

  <Step title="Add attribute statements">
    After the wizard completes, open your application and click the **Sign On** tab. Scroll to the **Attribute statements** section and click **Add expression** for each row below:

    | Name    | Expression           |
    | ------- | -------------------- |
    | `email` | `user.profile.email` |
    | `sub`   | `user.id`            |

    <Frame caption="Sign On tab — Attribute statements with email and sub expressions">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/okta/saml-attribute-statements.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=0b92ac6ff503c5f3ad411573d01ebd59" alt="Okta Sign On tab Attribute statements section showing email mapped to user.profile.email and sub mapped to user.id" width="747" height="348" data-path="images/sso/okta/saml-attribute-statements.png" />
    </Frame>
  </Step>
</Steps>

## Step 4 — Copy Okta's details back to TrueFoundry

Okta drops you on the application detail page once the wizard completes.

<Steps>
  <Step title="Open View SAML setup instructions">
    On the application page, click the **Sign On** tab. In the right sidebar under **SAML Setup**, click **View SAML setup instructions**.

    <Frame caption="Sign On tab — click View SAML setup instructions in the SAML Setup sidebar">
      <img src="https://mintcdn.com/truefoundry/Fxwu4IEtHCMFUlQ8/images/sso/okta/saml-sign-on-view-setup.png?fit=max&auto=format&n=Fxwu4IEtHCMFUlQ8&q=85&s=71a52a40aba4b7d217d1a58600c0f9a2" alt="Okta Sign On tab with View SAML setup instructions button highlighted in the SAML Setup section on the right sidebar" width="1024" height="772" data-path="images/sso/okta/saml-sign-on-view-setup.png" />
    </Frame>
  </Step>

  <Step title="Copy the IdP URL and certificate">
    In the setup instructions panel, copy the values shown:

    * **Identity Provider Single Sign-On URL** — you'll paste this into TrueFoundry as the **Identity Provider Endpoint**.
    * **X.509 Certificate** — copy the full certificate from the text box, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines. You can also use **Download certificate** and open the file in a text editor.

    <Frame caption="View SAML setup instructions — copy the SSO URL and X.509 certificate">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/okta/saml-setup-instructions.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=d57591e87accda057af7f835b6ffff89" alt="Okta View SAML setup instructions panel showing Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate" width="1024" height="710" data-path="images/sso/okta/saml-setup-instructions.png" />
    </Frame>
  </Step>

  <Step title="Paste into TrueFoundry">
    Return to **Settings → Security & Access → SSO** in TrueFoundry and edit the SSO configuration you created in Step 1. Set:

    * **Identity Provider Endpoint** → **Identity Provider Single Sign-On URL** from Okta.
    * **X.509 Certificate** → the certificate you copied from the setup instructions.

    Click **Save**.
  </Step>
</Steps>

## Step 5 — Assign people in Okta

Okta only lets users sign in to applications they've been explicitly assigned to.

<Steps>
  <Step title="Open Assignments">
    Inside your Okta application, click the **Assignments** tab and open the **Assign** dropdown.

    <Frame caption="Open the Assignments tab and choose Assign to People or Assign to Groups.">
      <img src="https://mintcdn.com/truefoundry/Fxwu4IEtHCMFUlQ8/images/sso/okta/saml-step-5-a.png?fit=max&auto=format&n=Fxwu4IEtHCMFUlQ8&q=85&s=b744df1bcb02818ce443ad682d006fc8" alt="Okta application Assignments tab with the Assign dropdown expanded showing Assign to People and Assign to Groups" width="1500" height="938" data-path="images/sso/okta/saml-step-5-a.png" />
    </Frame>
  </Step>

  <Step title="Pick people or groups">
    Choose **Assign to People** or **Assign to Groups**, select the users or groups that should have TrueFoundry access, and click **Assign** for each. When you're done, click **Done**.

    <Frame caption="Assign the relevant groups (or people) to the application and click Done.">
      <img src="https://mintcdn.com/truefoundry/Fxwu4IEtHCMFUlQ8/images/sso/okta/saml-step-5-b.png?fit=max&auto=format&n=Fxwu4IEtHCMFUlQ8&q=85&s=9a552075f9f4f84d0bf6ff3ed22b57cc" alt="Okta Assign to Groups dialog listing HR, Marketing, and Engineering with an Assign action next to each" width="1500" height="938" data-path="images/sso/okta/saml-step-5-b.png" />
    </Frame>

    <Tip>
      Prefer assigning **groups** when you can — it pairs well with [SCIM with Okta](/docs/platform/sso/okta/scim) for automated user lifecycle management.
    </Tip>
  </Step>
</Steps>

<Warning>
  Users who are not assigned to the Okta application will see an "app not assigned" error when they click **Login with Okta** in TrueFoundry.
</Warning>

## Step 6 — Test single sign-on

1. Open a private/incognito window and go to your TrueFoundry login page.
2. Click **Login with Okta** (or whichever label you set under **Show advanced fields → Button Text**).
3. Authenticate with an Okta user you assigned to the application.

If the sign-in succeeds you'll land in the TrueFoundry dashboard. The user is created automatically if [JIT provisioning](/docs/platform/user-management#user-provisioning) is on, otherwise they must already exist in TrueFoundry or be invited.

## Optional next steps

* **Automate user lifecycle with SCIM** — see [SCIM with Okta](/docs/platform/sso/okta/scim) to push users and groups from Okta into TrueFoundry automatically.
* **Use OIDC instead of SAML** — see [OIDC with Okta](/docs/platform/sso/okta/oidc) for the equivalent OpenID Connect flow.

## Troubleshooting

<AccordionGroup>
  <Accordion title="'App is not assigned to this user' when clicking the login button">
    The Okta user isn't assigned to your application. Go back to **Step 5** and assign them under **Assignments**.
  </Accordion>

  <Accordion title="'Invalid Signature' or 'Could not validate SAML response'">
    The certificate copied into TrueFoundry doesn't match Okta's active signing certificate. Open **Sign On → SAML Setup → View SAML setup instructions**, copy the **X.509 Certificate** again (or use **Download certificate**), and paste the full PEM (including the BEGIN/END lines) into TrueFoundry.
  </Accordion>

  <Accordion title="The Login button works but the user gets 'no matching user found'">
    Check the provisioning mode under **Settings → Security & Access → Provisioning**:

    * **Invite-only** — the user must be invited from **Access → Users** first.
    * **JIT** — the user is created on first login automatically.
    * **SCIM** — the user must be synced from your IdP first. See [SCIM with Okta](/docs/platform/sso/okta/scim).
  </Accordion>

  <Accordion title="Users sign in but email or unique ID is empty">
    Confirm **Name ID format** is set to **EmailAddress** and that **Attribute statements** on the **Sign On** tab includes `email` → `user.profile.email` and `sub` → `user.id` as described in Step 3. If you renamed attributes, expand **Show advanced fields** in TrueFoundry and set:

    * **Email Claim** → the attribute name you used for email (defaults to `email`).
    * **Unique ID Claim** → defaults to `sub`; on Okta the Name ID is typically the unique identifier, so you can usually leave this at the default.
  </Accordion>

  <Accordion title="'Audience Restriction' / 'Audience URI mismatch' errors">
    The **Audience URI (SP Entity ID)** in Okta doesn't match TrueFoundry's **Audience URI (SP Entity ID)**. Re-copy the value from the TrueFoundry SSO configuration card and paste it verbatim into Okta (no trailing slashes, no extra whitespace).
  </Accordion>
</AccordionGroup>
