Okta SSO
Capcade supports Single Sign-On (SSO) to enhance security and streamline access. With SSO, users log in to Capcade using their company's Okta credentials.
Before you begin setup
Please verify that you have the necessary configurations and permissions enabled on Capcade:
Since SSO is set up on an entity level for all members of the entity, your entity users must be formally placed in an entity (learn more about entities on Capcade here)
You will need to be an entity admin to configure SSO for your entity (learn how to configure entity permissions here)
Your entity's plan must have the SSO feature enabled (contact your Capcade account representative or message chat support to request access)
Please note that you will also need to have a member of your IT team involved in the process of setting this up.
Within Okta (identity provider), please ensure that you can access the "Create App Integration" option. You can learn more in Okta Administrator roles and permissions.
Step 1: Initial set up in Capcade
Click on "Entity" in the left-hand navigation pane
Click "Settings"
Toggle "Single sign-on" on
Click "Edit"
Type "Okta" as the name of your identity provider
Copy the Registration ID
In the next step, when you set up the "Create App Integration" in Okta, you will paste the Registration ID in place of REGISTRATION_ID in the XML metadata provided to you by Okta.
Step 2: Initial set up in Okta
Go to "Applications"
Click "Create App Integration"
Select "SAML 2.0" as sign-in method and click "Next"
Under "General Settings", enter "Capcade" as the App name and click "Next"
In the "SAML Settings", enter the following:
For the single sign-on URL, enter:
https://api.capcade.com/login/saml2/sso/REGISTRATION_ID
Check the "Use this for Recipient URL and Destination URL" box below the single sign-on URL
For Audience URI (SP Entity ID), enter:
https://api.capcade.com/saml2/service-provider-metadata/REGISTRATION_ID
For "Name ID format" choose "EmailAddress"
For "Application username" choose "Email" and click "Next"
Under the "Help Okta Support understand how you configured this application" section, it will ask "Are you a customer or partner?", to which you may choose "I’m an Okta customer adding an internal app"
Click "Finish"
You can now navigate to the newly created Capcade application under the Sign-On tab.
In the "Settings" section you will find the Identity Provider Metadata XML file.
Download this file - you will need it for the next step
Step 3: Activate SSO in Capcade
Return to the "Configure identity provider" dialog in Capcade
Click on "Upload" and upload the XML metadata file you downloaded from Okta in the previous step
Click "SAVE CONFIGURATION"
Your SSO should now be set up. After you enter your email on the Capcade login page, an option to log in via SSO will be available.
SSO Glossary
Single sign-on URL: The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.
Recipient URL: The location where the application may present the SAML assertion. This is usually the same location as the SSO URL, which is why the "Use this for Recipient URL and Destination URL" box is checked.
Audience URI (SP Entity ID): The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.
Name ID format: Identifies the SAML processing rules and constraints for the assertion’s subject statement.
Application Username: Determines the default value for a user’s application username. The application username will be used for the assertion’s subject statement.
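The glossary terms map directly onto fields of the SAML response Okta sends, so a failed test login can be diagnosed by comparing a decoded response against the Step 2 settings. The following is an added example, not Capcade or Okta code: it assumes you have already base64-decoded the response yourself, uses a constructed Registration ID ("abc123") and a constructed sample response, and does not verify the signature.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, parse with defusedxml instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASE = "https://api.capcade.com"  # host used by both URLs in Step 2

# Constructed sample of a decoded response (signature and timestamps omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://api.capcade.com/login/saml2/sso/{rid}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="https://api.capcade.com/login/saml2/sso/{rid}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://api.capcade.com/saml2/service-provider-metadata/{aud_rid}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def expected_values(registration_id):
    """Values Step 2 tells you to enter in Okta, for this Registration ID."""
    acs = f"{BASE}/login/saml2/sso/{registration_id}"
    audience = f"{BASE}/saml2/service-provider-metadata/{registration_id}"
    return {"Destination": acs, "Recipient": acs,
            "Audience": audience, "NameID Format": EMAIL_FORMAT}

def check_response(xml_text, registration_id):
    """Return one message per field that differs from the Step 2 settings."""
    root = ET.fromstring(xml_text)
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    found = {
        "Destination": root.get("Destination"),
        "Recipient": None if conf is None else conf.get("Recipient"),
        "Audience": None if aud is None else (aud.text or "").strip(),
        "NameID Format": None if name_id is None else name_id.get("Format"),
    }
    return [f"{field}: expected {want!r}, found {found[field]!r}"
            for field, want in expected_values(registration_id).items()
            if found[field] != want]

if __name__ == "__main__":
    # Placeholder left unreplaced in the Audience URI: one mismatch reported.
    bad = SAMPLE.format(rid="abc123", aud_rid="REGISTRATION_ID")
    for problem in check_response(bad, "abc123"):
        print(problem)
```

An empty result means the response's Destination, Recipient, Audience and NameID format all match what Step 2 specifies for your Registration ID.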
To learn more about your organization and profiles, visit the collection of articles in our help guide.
