
Set up SSO with Okta

This guide connects Okta to KloudMate. Okta supports both OIDC and SAML; OIDC is the simpler setup, so start there unless your team standardizes on SAML.

You will switch between two browser tabs: the Okta Admin Console and KloudMate’s Settings → Single Sign-On page. Keep both open.

  • You’re the KloudMate organization owner on a paid plan.
  • You’re an admin in the Okta Admin Console.
  • Grab KloudMate’s values first: open the Service provider details card and copy the ACS URL (SAML), or note the OIDC redirect URI https://api.kloudmate.com/sso/oidc.

  1. In the Okta Admin Console, go to Applications → Applications → Create App Integration.

  2. Choose OIDC - OpenID Connect, then Web Application, and click Next.

  3. Under Grant types, keep Authorization Code selected.

  4. In Sign-in redirect URIs, enter:

    https://api.kloudmate.com/sso/oidc

  5. Assign the app to the people or groups who should have KloudMate access, then Save.

From the app’s General tab, copy the Client ID and Client secret. Okta’s OIDC discovery URL is:

https://<your-okta-domain>/.well-known/openid-configuration

Replace <your-okta-domain> with your org’s Okta domain (for example dev-12345.okta.com).

In KloudMate, open Connections → Add connection, choose OIDC, and fill in:

  • Display name — Okta
  • Discovery URL — the URL above
  • Client ID and Client secret — from Okta
  • Scopes — leave as openid email profile

Click Add connection.

  1. Go to Applications → Applications → Create App Integration, choose SAML 2.0, and click Next.
  2. Give the app a name, then on the Configure SAML step set:
    • Single sign-on URL — your KloudMate ACS URL, https://api.kloudmate.com/sso/saml
    • Audience URI (SP Entity ID) — your KloudMate SP Entity ID (the entityID from the downloaded SP metadata)
    • Name ID format — EmailAddress
    • Application username — Email
  3. Finish the wizard and Save.

  1. On the app’s Sign On tab, find the SAML Setup section and download or view the Identity Provider metadata.
  2. In KloudMate, open Connections → Add connection, choose SAML 2.0, keep Paste metadata XML, and paste the Okta metadata into IdP metadata XML.
  3. Set Display name to Okta and click Add connection.

Okta sends the user’s email in the NameID when you set Name ID format to EmailAddress and Application username to Email, which is all KloudMate needs. If you have customized attribute statements, make sure email is sent in the NameID or in an attribute named email.
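If you have customized attribute statements, you can confirm where the email travels by inspecting a decoded assertion from a test sign-in. The Python check below is an added example, not KloudMate's or Okta's code; the function names, the email pattern, and the three sample assertions are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose shape check (assumption)


def email_source(assertion_xml):
    """Return ("NameID" | "attribute", email), or (None, None) if no email is sent.

    Inspection aid only: it does not validate signatures or conditions.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and EMAIL_RE.match((name_id.text or "").strip()):
        return "NameID", name_id.text.strip()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != "email":  # the attribute name the guide asks for
            continue
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and EMAIL_RE.match((value.text or "").strip()):
            return "attribute", value.text.strip()
    return None, None


def build_sample(name_id, attributes):
    """Constructed, unsigned assertion for the demo (not real Okta output)."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


GUIDE_DEFAULT = build_sample("ana@example.com", {})  # settings from this guide
CUSTOM_OK = build_sample("ana.ops", {"email": "ana@example.com"})
CUSTOM_BROKEN = build_sample("ana.ops", {"mail": "ana@example.com"})  # wrong name

if __name__ == "__main__":
    for label, xml in [("default", GUIDE_DEFAULT), ("custom", CUSTOM_OK),
                       ("broken", CUSTOM_BROKEN)]:
        print(label, email_source(xml))
```

The third sample shows the failure case: the email is present, but under an attribute named mail rather than email, so the check reports that no usable email is sent.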

  1. Verify your company domain so employees can sign in by email.
  2. Choose a provisioning mode.
  3. Test sign-in: on the login page, type a work email on a verified domain and click Sign in with SSO.

Hitting an error? See Troubleshooting.