Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

Okta

Configure Okta as a SAML 2.0 identity provider for Safeguard.

Okta

  1. In the Okta admin console, go to Applications → Create App Integration → SAML 2.0.
  2. Name the app and continue to Configure SAML:
    • Single sign on URL: the ACS URL Safeguard shows after Save
    • Audience URI (SP Entity ID): the SP Entity ID Safeguard shows after Save
    • Name ID format: EmailAddress
    • Application username: Email
  3. Under Attribute Statements (Okta labels this section "optional," but this row is required for Safeguard), add: Name email, Name format Unspecified, Value user.email. Okta's "Application username" setting above controls the Name ID, not this — Safeguard needs both.
  4. Click Next, then Finish.
  5. On the app's Sign On tab, click View SAML setup instructions (or download the Identity Provider metadata) to get the Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate.
  6. In Safeguard, click Add Provider → SAML 2.0 → Okta, and enter those three values.
  7. Back in Okta, go to the Assignments tab and assign people or groups.
  8. Click Test in Safeguard to confirm.

Common errors: users can authenticate at Okta but never appear correctly in Safeguard — check that Application username is set to Email, not a bare username. Sign-in works for you but not teammates — they haven't been added under the app's Assignments tab yet.

On this page