Okta OIDC with Sapling supports Service Provider (SP)-Initiated Authentication. To prevent Login CSRF security risks, we do not support Identity Provider (IdP)-Initiated Authentication. The first time SSO users log in with an email address under your team's tenant, they can automatically be associated with your Sapling team (without admin or manager permissions). Additionally, SSO-enabled teams can disable password authentication.
Enterprise teams can use SSO with Sapling if they have a Sapling SSO subscription. Teams interested in using Okta OIDC or any other SSO IdP with Sapling should contact firstname.lastname@example.org.
- Log in to your Okta admin dashboard. Make sure to be in the "UI Classic" view.
- Select Applications.
- Select Add Application.
- Type Sapling in the search box, choose Sapling OIDC from the list of available options, and click Add. If a Connection name is required, you can use Sapling-[CompanyName].
- Under the assignments tab, assign users or groups to the Sapling application that you want to be able to use Sapling with Okta.
- Find your OpenID Provider Metadata, Client ID, and Client Secret under the "Sign On" tab. Send this information to email@example.com for Sapling to enable your Sapling application.
- Sapling uses Home Realm Discovery to route users to the correct Identity Provider (IdP). Please also share a list of all email domains that your users will be signing into Sapling with (e.g., "sapling.ai").
Users can initiate SSO from the Sapling integration they are on by clicking the "Enterprise SSO" option at the start of the login flow.
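
The two mechanisms described above, Home Realm Discovery by email domain and SP-initiated login that rejects unsolicited responses, can be sketched as follows. This is an added example, not Sapling's code; the domain table, endpoint URLs, client ID and the `session` dictionary are constructed placeholders (in practice the authorization endpoint would come from the OpenID Provider Metadata).

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed Home Realm Discovery table: email domain -> IdP settings.
# The endpoint URL and client ID are placeholders, not real values.
IDP_BY_DOMAIN = {
    "example.com": {
        "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
        "client_id": "PLACEHOLDER_CLIENT_ID",
    },
}
REDIRECT_URI = "https://sp.example.net/oidc/callback"  # hypothetical SP callback


def discover_idp(email):
    """Home Realm Discovery: pick the IdP from the email's domain, or None."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return IDP_BY_DOMAIN.get(domain.lower())


def start_login(session, email):
    """SP-initiated step: bind a fresh state and nonce to this browser session."""
    idp = discover_idp(email)
    if idp is None:
        raise LookupError("no SSO tenant for this email domain")
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "scope": "openid email",
        "client_id": idp["client_id"],
        "redirect_uri": REDIRECT_URI,
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    })
    return idp["authorization_endpoint"] + "?" + query


def accept_callback(session, params):
    """Accept a callback only if it answers a login this session started."""
    expected = session.pop("oidc_state", None)  # single use
    received = params.get("state")
    if not expected or not received:
        return False  # unsolicited (IdP-initiated or forged) response
    return hmac.compare_digest(expected.encode(), received.encode())
```

A callback that arrives without a matching `state` in the session is exactly what an IdP-initiated or attacker-supplied response looks like to the service provider, which is why it is dropped before any code exchange.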