# Okta SSO

This guide covers setup for Natoma using the Okta OIN (Okta Integration Network) application, which supports both SAML 2.0 for Single Sign-On and SCIM for user and group provisioning.

***

## SAML 2.0 SSO Setup

### Prerequisites

{% hint style="info" %}
When using SAML as the SSO mode with provisioning, your tenant must be upgraded from a free trial.
{% endhint %}

### Supported Features

* SP-initiated SSO (Single Sign-On)
* IdP-initiated SSO (through [Third-party Initiated Login](https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin))
* Just-In-Time provisioning

### Attribute Statements

The following SAML attributes are supported:

| Name    | Value                                  |
| ------- | -------------------------------------- |
| `email` | `user.email`                           |
| `name`  | `user.firstName + " " + user.lastName` |
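
An added example, not code from Natoma or Okta, of how a service provider consumes these two attributes: it reads `email` and `name` out of the assertion's `AttributeStatement`, and before trusting them checks that the assertion's `AudienceRestriction` names our own Entity ID (the value shown under Admin > SSO). The SP entity ID, the Okta issuer and the assertion itself are constructed placeholders; signature validation is assumed to have been done already by the SAML library and is not shown.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used for the lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder SP entity ID (assumption). The real value is the Entity ID shown
# on Natoma's Admin > SSO page and is not reproduced here.
SP_ENTITY_ID = "https://sp.example.invalid/saml/tenant-placeholder"

# Constructed sample assertion for illustration; not captured from a real IdP.
# The Signature element is omitted: signature checking happens in the SAML
# library before attribute extraction and is outside this example.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk-placeholder</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/saml/tenant-placeholder</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="name">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict[str, str]:
    """Return {Attribute Name: first AttributeValue} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, str] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if name and values:
            attrs[name] = values[0]
    return attrs


def audience_matches(assertion_xml: str, sp_entity_id: str) -> bool:
    """True if our SP entity ID appears in the assertion's AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = [(a.text or "").strip() for a in root.findall(path, NS)]
    return sp_entity_id in audiences


def profile_from_assertion(assertion_xml: str, sp_entity_id: str) -> dict[str, str]:
    """Build the profile used for Just-In-Time provisioning, refusing assertions
    that are not addressed to this SP or that lack a required attribute."""
    if not audience_matches(assertion_xml, sp_entity_id):
        raise ValueError("assertion audience does not match this SP entity ID")
    attrs = extract_attributes(assertion_xml)
    missing = [k for k in ("email", "name") if not attrs.get(k)]
    if missing:
        raise ValueError(f"assertion is missing required attribute(s): {missing}")
    # Email is normalised to lower case so that account matching is case-insensitive.
    return {"email": attrs["email"].lower(), "name": attrs["name"]}


if __name__ == "__main__":
    print(profile_from_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID))
```

The audience check matters because an assertion issued for a different SP (another tenant, another application) carries the same attribute names; matching the Entity ID is what ties the assertion to this tenant.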

### SP-Initiated SSO

The sign-in process is initiated from Natoma:

1. From your browser, navigate to the Natoma sign-in page.
2. Enter your Okta email and click **Sign in**, then enter your Okta credentials when prompted.

If your credentials are valid, you are redirected to the Natoma dashboard.

### Setup Instructions

**1. Add the Application in Okta**

1. Log in to your Okta admin account.
2. Navigate to **Applications** and select **Browse App Catalog**.
3. Search for **Natoma** and click **Add Integration**.

**2. Copy your Tenant ID from Natoma**

1. In Natoma, go to **Admin > SSO**.
2. Copy your tenant ID from the Entity ID or ACS URL field.
3. Paste the tenant ID into Okta and click **Done**.

**3. Copy the Metadata URL to Natoma**

1. In Okta, navigate to the **Sign On** tab and copy the **Metadata URL**.
2. Back in Natoma, paste the Metadata URL into the SSO settings.
3. Click **Test SAML**. Once the test passes, click **Update**.

**4. Assign the Application**

In Okta, go to the application, click **Assignments**, and assign the necessary people or groups.

***

## SCIM Provisioning Setup

SCIM (System for Cross-domain Identity Management) enables continuous synchronization of users and groups between Okta and Natoma.

### Prerequisites

{% hint style="info" %}
When using SAML as the SSO mode with provisioning, your tenant must be upgraded from a free trial.
{% endhint %}

### Supported Features

* Create users
* Update user attributes
* Deactivate users
* Import users
* Import groups
* Profile sourcing
* Group push

### Setup Instructions

**1. Enable SCIM in Natoma**

1. In the Natoma Admin Console, navigate to **Admin Settings > SSO** (or Identity Providers).
2. Toggle the option for **SCIM Integration**.
3. Click **Generate Token** and immediately copy the token.

{% hint style="warning" %}
You will not be able to view this token again — save it before closing.
{% endhint %}

**2. Configure API Integration in Okta**

1. In your Okta application, navigate to the **Provisioning** tab.
2. Under **Settings**, go to **Integration** and click **Edit**.
3. Check the **Enable API Integration** box.
4. Paste the generated SCIM token into the API token field.
5. Click **Test API Credentials**, then **Save**.

**3. Enable Provisioning to App**

1. After saving, click **To App** in the settings panel, then click **Edit**.
2. Enable the following provisioning actions:
   * **Create Users**
   * **Update User Attributes**
   * **Deactivate Users**
3. Click **Save**.

**4. Provision Users and Groups**

1. In Okta, go to the application, click **Assignments**, and confirm the users and groups you want to provision are assigned.
2. To push groups, navigate to the **Push Groups** tab, select **By name**, enter the group name, select **Push group memberships immediately**, and click **Save**.

