SSO AuthenticationSAML 2.0
Okta
Configure Okta as a SAML 2.0 identity provider for Safeguard.
Okta
- In the Okta admin console, go to Applications → Create App Integration → SAML 2.0.
- Name the app and continue to Configure SAML:
- Single sign on URL: the ACS URL Safeguard shows after Save
- Audience URI (SP Entity ID): the SP Entity ID Safeguard shows after Save
- Name ID format:
EmailAddress - Application username:
Email
- Under Attribute Statements (Okta labels this section "optional," but this row is required for Safeguard), add: Name
email, Name formatUnspecified, Valueuser.email. Okta's "Application username" setting above controls the Name ID, not this — Safeguard needs both. - Click Next, then Finish.
- On the app's Sign On tab, click View SAML setup instructions (or download the Identity Provider metadata) to get the Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate.
- In Safeguard, click Add Provider → SAML 2.0 → Okta, and enter those three values.
- Back in Okta, go to the Assignments tab and assign people or groups.
- Click Test in Safeguard to confirm.
Common errors: users can authenticate at Okta but never appear correctly in Safeguard — check that Application username is set to Email, not a bare username. Sign-in works for you but not teammates — they haven't been added under the app's Assignments tab yet.