Okta SSO Setup
This guide walks through configuring SAML 2.0 single sign-on between Okta and SyVault. You will need Okta admin access and SyVault Owner or Admin privileges.
Prerequisites
- SyVault organization on a Business or Enterprise plan
- Okta admin account with permission to create applications
- Your SyVault organization slug (found in Admin Console > Settings)
Step 1: Create a SAML Application in Okta
- Log in to the Okta Admin Console.
- Navigate to Applications > Applications > Create App Integration.
- Select SAML 2.0 and click Next.
- Enter the following on the General Settings page:
- App Name: SyVault
- App Logo: (optional) upload the SyVault logo
- Click Next to proceed to SAML configuration.
Step 2: Configure SAML Settings
On the Configure SAML page, enter the following values:
| Field | Value |
|---|---|
| Single sign-on URL | https://api.syvault.com/api/auth/saml/acs |
| Audience URI (SP Entity ID) | syvault:<your-org-slug> (e.g., syvault:acme-corp) |
| Default RelayState | Leave blank |
| Name ID format | EmailAddress |
| Application username | Okta username (email) |
Under Attribute Statements, add:
| Name | Value |
|---|---|
| email | user.email |
| firstName | user.firstName |
| lastName | user.lastName |
Click Next, select "I'm an Okta customer adding an internal app", and click Finish.
Double-check the Entity ID format. It must be exactly syvault:<your-org-slug> with no trailing slashes or spaces. A mismatched Entity ID is the most common cause of SSO configuration failures.
Step 3: Download IdP Metadata
- On the application page, click the Sign On tab.
- In the SAML Signing Certificates section, find the active certificate.
- Click Actions > View IdP metadata. This opens the metadata XML in a new tab.
- Copy the URL from the browser address bar -- this is your IdP Metadata URL.
Alternatively, click Actions > Download metadata to save the XML file locally.
Step 4: Configure SyVault
- Open the SyVault Admin Console > SSO & SCIM > SAML SSO.
- Paste the IdP Metadata URL or upload the downloaded metadata XML file.
- SyVault will automatically extract:
- IdP SSO URL
- IdP Issuer / Entity ID
- X.509 signing certificate
- Verify the extracted values: the IdP Issuer and SSO URL should point at your Okta tenant (https only), and the certificate should be the active one listed under SAML Signing Certificates on the Sign On tab. If a previous certificate was imported, the signature check will fail after Okta rotates keys.
- Click Save Configuration.
Step 5: Assign Users and Groups
Back in the Okta Admin Console:
- Navigate to the SyVault application's Assignments tab.
- Click Assign > Assign to People or Assign to Groups.
- Select the users or groups who should have SSO access to SyVault.
- Click Save and Go Back when done.
Only users who are also members of your SyVault organization can complete SSO login. Assigning a user in Okta who has not been invited to SyVault will result in a login error. Use SCIM provisioning to automate member creation when users are assigned in Okta.
Step 6: Test SSO Login
- In the SyVault Admin Console, click Test Connection. This opens a new browser window, sends a SAML AuthnRequest to Okta, and verifies the response.
- If the test succeeds, you will see a green confirmation message with the authenticated email address.
- Try a full login: open a private/incognito browser window, go to the SyVault login page, click Login with SSO, enter your organization slug, and authenticate through Okta.
Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| "Invalid audience" error | Entity ID mismatch | Verify the Audience URI in Okta matches syvault:<org-slug> exactly |
| "Signature validation failed" | Certificate mismatch or rotation | Re-download the IdP metadata and re-upload to SyVault |
| "User not found" error | User not a SyVault member | Invite the user to SyVault or enable SCIM provisioning |
| Redirect loop | RelayState issue | Ensure Default RelayState is blank in Okta |
| "Clock skew" error | Server time mismatch | Ensure your Okta tenant and SyVault server clocks are within 5 minutes |
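The rows above correspond to checks an SP makes on every SAML Response. As an added example (not SyVault's code), the script below reproduces the non-cryptographic ones on a constructed response: Destination, Issuer, Audience, the validity window with the 5-minute tolerance, the EmailAddress NameID, and whether the certificate Okta embedded matches the one on file. It deliberately does not verify the XML signature itself, which needs a SAML library such as python3-saml/xmlsec; the `check_response` helper, the Okta entity ID, the user and the certificate bytes are all placeholders of this example.

```python
"""SP-side sanity checks on a SAML Response, mapped to the troubleshooting rows.

Added example, not SyVault code. The XML signature is NOT verified here;
everything else that fails before or alongside signature validation is.
SAMPLE_RESPONSE is constructed; entity ID, user and certificate are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLOCK_SKEW = timedelta(minutes=5)  # tolerance quoted in the troubleshooting table
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)  # "current" time for the demo

# What the admin configured in SyVault (ACS URL and audience from this guide;
# the certificate is a stand-in for the DER bytes imported from metadata).
CONFIGURED_CERT_DER = b"placeholder DER bytes, not a real X.509 certificate"
CONFIG = {
    "acs_url": "https://api.syvault.com/api/auth/saml/acs",
    "audience": "syvault:acme-corp",
    "idp_entity_id": "http://www.okta.com/exk0000000000000000",
    "idp_cert_sha256": hashlib.sha256(CONFIGURED_CERT_DER).hexdigest(),
}

# Constructed response. Note the trailing slash on the Audience, the
# misconfiguration the guide warns about.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://api.syvault.com/api/auth/saml/acs">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT_B64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@acme-corp.example</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>syvault:acme-corp/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".replace("CERT_B64", base64.b64encode(CONFIGURED_CERT_DER).decode())


def saml_time(value: str) -> datetime:
    """xs:dateTime in UTC; Okta emits a 'Z' suffix."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def check_response(xml_text: str, config: dict, now: datetime) -> list:
    """Return findings; an empty list means every non-signature check passed."""
    findings = []
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["No plaintext Assertion (encrypted assertions are not handled here)"]

    # A response addressed to another ACS must not be accepted.
    if resp.get("Destination") != config["acs_url"]:
        findings.append(f"Destination mismatch: {resp.get('Destination')}")

    # Issuer must be the IdP entity ID taken from the imported metadata.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_entity_id"]:
        findings.append(f"Issuer mismatch: {issuer}")

    # Row "Invalid audience": exact string match, no trailing slash or space.
    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS)]
    if config["audience"] not in audiences:
        findings.append(f"Invalid audience: got {audiences}, expected {config['audience']!r}")

    # Row "Clock skew": validity window with the 5-minute tolerance applied.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + CLOCK_SKEW < saml_time(not_before):
            findings.append("Clock skew: assertion not yet valid")
        if not_on_or_after and now - CLOCK_SKEW >= saml_time(not_on_or_after):
            findings.append("Clock skew: assertion expired")

    # Name ID format must be EmailAddress, as configured in Okta.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        findings.append("NameID missing or not an EmailAddress (check Name ID format in Okta)")

    # Row "Signature validation failed": the embedded cert differs from the one on
    # file after a rotation. A real verifier must also check the signature with it.
    embedded = assertion.find(".//ds:X509Certificate", NS)
    if embedded is not None:
        der = base64.b64decode("".join(embedded.text.split()))
        if hashlib.sha256(der).hexdigest() != config["idp_cert_sha256"]:
            findings.append("Signing certificate differs from configured one; re-import IdP metadata")
    return findings


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, CONFIG, NOW))
    fixed = SAMPLE_RESPONSE.replace("syvault:acme-corp/", "syvault:acme-corp")
    print(check_response(fixed, CONFIG, NOW))
```

Run as-is the first call reports only the audience mismatch; with the trailing slash removed the list is empty, and moving `NOW` outside the window by more than the tolerance produces the clock-skew finding. The certificate comparison is a fingerprint equality check, so a rotated Okta key shows up as a configuration problem rather than as an opaque signature error.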