Set up SSO with Okta
This guide connects Okta to KloudMate. Okta supports both OIDC and SAML; OIDC is the simpler setup, so start there unless your team standardizes on SAML.
You will switch between two browser tabs: the Okta Admin Console and KloudMate’s Settings → Single Sign-On page. Keep both open.
Before you start
- You’re the KloudMate organization owner on a paid plan.
- You’re an admin in the Okta Admin Console.
- Grab KloudMate’s values first: open the Service provider details card and copy the ACS URL (SAML), or note the OIDC redirect URI https://api.kloudmate.com/sso/oidc.
OIDC (recommended)
1. Create the app in Okta
- In the Okta Admin Console, go to Applications → Applications → Create App Integration.
- Choose OIDC - OpenID Connect, then Web Application, and click Next.
- Under Grant types, keep Authorization Code selected.
- In Sign-in redirect URIs, enter the KloudMate OIDC redirect URI: https://api.kloudmate.com/sso/oidc
- Assign the app to the people or groups who should have KloudMate access, then Save.
2. Copy Okta’s values into KloudMate
From the app’s General tab, copy the Client ID and Client secret. Okta’s OIDC discovery URL is:
Replace <your-okta-domain> with your org’s Okta domain (for example dev-12345.okta.com).
In KloudMate, open Connections → Add connection, choose OIDC, and fill in:
- Display name — Okta
- Discovery URL — the URL above
- Client ID and Client secret — from Okta
- Scopes — leave as openid email profile
Click Add connection.
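A pre-flight check for the discovery URL before it goes into KloudMate, as an added example that is not KloudMate's or Okta's code: it confirms the document's issuer matches the URL it was served from, that the endpoints are HTTPS, and that the Authorization Code flow and the `openid email profile` scopes are advertised. The sample documents and their endpoint paths are constructed, and the same-host rule for endpoints is this example's assumption.

```python
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"  # suffix fixed by OIDC Discovery 1.0
REQUIRED_SCOPES = {"openid", "email", "profile"}  # the Scopes value this guide keeps

def check_discovery(discovery_url, doc):
    """Return a list of problems; an empty list means the document is consistent."""
    if not discovery_url.endswith(WELL_KNOWN):
        return [f"discovery URL does not end with {WELL_KNOWN}"]
    expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    problems = []
    # OIDC Discovery requires the issuer to match the URL the document came from.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} is not {expected_issuer!r}")
    # Assumption of this example: every endpoint is HTTPS on the issuer's own host.
    host = urlparse(expected_issuer).hostname
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = urlparse(doc.get(key, ""))
        if endpoint.scheme != "https" or endpoint.hostname != host:
            problems.append(f"{key} is missing, not HTTPS, or not on {host}")
    # The Okta app in this guide uses the Authorization Code grant.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample data, not real Okta output. The domain is the guide's example.
URL = "https://dev-12345.okta.com" + WELL_KNOWN
GOOD = {
    "issuer": "https://dev-12345.okta.com",
    "authorization_endpoint": "https://dev-12345.okta.com/authorize",
    "token_endpoint": "https://dev-12345.okta.com/token",
    "jwks_uri": "https://dev-12345.okta.com/keys",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
}
# Look-alike issuer, plaintext token endpoint, and two scopes missing.
BAD = dict(GOOD, issuer="https://dev-12345.okta.com.example.net",
           token_endpoint="http://dev-12345.okta.com/token",
           scopes_supported=["openid"])

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery(URL, doc) or "ok")
```

To use it against a live org, fetch the JSON from your discovery URL and pass the URL and the parsed document to `check_discovery`.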
1. Create the SAML app in Okta
- Go to Applications → Applications → Create App Integration, choose SAML 2.0, and click Next.
- Give the app a name, then on the Configure SAML step set:
  - Single sign-on URL — your KloudMate ACS URL, https://api.kloudmate.com/sso/saml
  - Audience URI (SP Entity ID) — your KloudMate SP Entity ID (the entityID from the downloaded SP metadata)
  - Name ID format — EmailAddress
  - Application username — Email
- Finish the wizard and Save.
2. Copy Okta’s metadata into KloudMate
- On the app’s Sign On tab, find the SAML Setup section and download or view the Identity Provider metadata.
- In KloudMate, open Connections → Add connection, choose SAML 2.0, keep Paste metadata XML, and paste the Okta metadata into IdP metadata XML.
- Set Display name to Okta and click Add connection.
Email mapping
Okta sends the user’s email in the NameID when you set Name ID format to EmailAddress and Application username to Email, which is all KloudMate needs. If you have customized attribute statements, make sure email is sent in the NameID or in an attribute named email.
Finish up
- Verify your company domain so employees can sign in by email.
- Choose a provisioning mode.
- Test sign-in: on the login page, type a work email on a verified domain and click Sign in with SSO.
Hitting an error? See Troubleshooting.