# SAML SSO with Okta

This guide walks through setting up SAML single sign-on between Okta and Screendesk. After completing these steps, your team members can log in to Screendesk using their Okta credentials.

{% hint style="info" %}
**Plan Availability:** Enterprise only
{% endhint %}

{% hint style="info" %}
Before starting, make sure you have admin access to both the **Okta Admin Console** and your **Screendesk workspace**. You will also need your Screendesk service provider details — find them in **Account Settings → Security → SAML SSO**.
{% endhint %}

***

### Configuration Overview

Setting up SAML SSO with Okta involves creating a SAML app integration in the Okta Admin Console, configuring the SAML settings, and then entering Okta's IdP details in Screendesk.

You will need these Screendesk values for the Okta side:

| Screendesk Field                | Value                                     |
| ------------------------------- | ----------------------------------------- |
| **Single sign-on URL**          | `https://app.screendesk.io/saml_callback` |
| **Audience URI (SP Entity ID)** | `urn:screendesk.io:saml`                  |

***

### Step 1 — Create a SAML App Integration in Okta

{% stepper %}
{% step %}

#### Open the Okta Admin Console

Sign in to your Okta organization and open the **Admin Console**. Navigate to **Applications → Applications**.
{% endstep %}

{% step %}

#### Create a new app integration

Click **Create App Integration**. Select **SAML 2.0** as the sign-in method and click **Next**.
{% endstep %}

{% step %}

#### Name the app

Enter **Screendesk** as the app name. Optionally upload the Screendesk logo. Click **Next**.
{% endstep %}

{% step %}

#### Configure SAML settings

On the **Configure SAML** screen, enter the following:

**General:**

| Field                                              | Value                                     |
| -------------------------------------------------- | ----------------------------------------- |
| **Single sign-on URL**                             | `https://app.screendesk.io/saml_callback` |
| **Use this for Recipient URL and Destination URL** | Checked                                   |
| **Audience URI (SP Entity ID)**                    | `urn:screendesk.io:saml`                  |
| **Default RelayState**                             | Leave blank                               |
| **Name ID format**                                 | **EmailAddress**                          |
| **Application username**                           | **Email**                                 |

**Attribute Statements:**

| Name         | Name format | Value            |
| ------------ | ----------- | ---------------- |
| `email`      | Unspecified | `user.email`     |
| `first_name` | Unspecified | `user.firstName` |
| `last_name`  | Unspecified | `user.lastName`  |

Click **Next**.
{% endstep %}

{% step %}

#### Complete the feedback step

On the **Feedback** screen, select **I'm an Okta customer adding an internal app** and click **Finish**.
{% endstep %}

{% step %}

#### Copy the Okta IdP details

After the app is created, go to the **Sign On** tab and scroll down to the **SAML Signing Certificates** section. Find the active certificate and click **Actions → View IdP metadata**.

Alternatively, use the values shown under **SAML 2.0** in the Sign On tab:

* **Sign on URL** (or **Identity Provider Single Sign-On URL**) — Copy this. You will paste it as the **Single Sign On URL** in Screendesk.
* **Issuer** (or **Identity Provider Issuer**) — Copy this. You will paste it as the **IDP Entity ID** in Screendesk.
* **Signing Certificate** — Click **Download certificate**. You will paste its contents as the **IDP Certificate** in Screendesk.

{% hint style="info" %}
You can also find these values by clicking **View SAML setup instructions** under the **Sign On** tab, which provides all three values on a single page.
{% endhint %}
{% endstep %}

{% step %}

#### Assign users to the app

Go to the **Assignments** tab and click **Assign**. Assign the app to individual users or groups who should have access to Screendesk.

{% hint style="warning" %}
Only users assigned to the Screendesk app in Okta will be able to log in via SAML. Unassigned users will receive an error from Okta.
{% endhint %}
{% endstep %}
{% endstepper %}

***

### Step 2 — Configure Screendesk

{% stepper %}
{% step %}

#### Open SAML SSO settings

In Screendesk, go to **Account Settings → Security → SAML SSO** and click **Edit SAML SSO Settings**.
{% endstep %}

{% step %}

#### Enter the Okta IdP details

Using the values you copied from the Okta Admin Console in Step 1:

| Screendesk Field       | Value from Okta                                                                                                                                                                       |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **SSO Domain**         | Your company's email domain (e.g., `yourcompany.com`)                                                                                                                                 |
| **IDP Entity ID**      | The **Issuer** (Identity Provider Issuer)                                                                                                                                             |
| **Single Sign On URL** | The **Sign on URL** (Identity Provider Single Sign-On URL)                                                                                                                            |
| **IDP Certificate**    | The contents of the downloaded certificate file. Open it in a text editor and paste the full text, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines. |

{% endstep %}

{% step %}

#### Save the configuration

Click **Save Changes**.
{% endstep %}
{% endstepper %}

***

### Step 3 — Test the Connection

{% stepper %}
{% step %}

#### Test from Okta

In the Okta Admin Console, go to the Screendesk app's **General** tab and click **Test SAML login**. This opens a new window and attempts a full SAML login.
{% endstep %}

{% step %}

#### Test from the Screendesk login page

Open an incognito window, go to the Screendesk login page, click **Sign in with SAML SSO**, and enter an email address that belongs to your SSO domain. You should be redirected to Okta's login page and then signed in to Screendesk.
{% endstep %}
{% endstepper %}

***

### Optional — SCIM Provisioning with Okta

Okta supports SCIM 2.0 for automatic user provisioning. Once configured, Okta can create, update, and deactivate Screendesk user accounts based on app assignments.

{% stepper %}
{% step %}

#### Enable SCIM provisioning in Okta

On the Screendesk app in Okta, go to the **General** tab and click **Edit**. Change **Provisioning** to **SCIM** and click **Save**.
{% endstep %}

{% step %}

#### Configure the SCIM connection

Go to the **Provisioning** tab and click **Edit** under **SCIM Connection**:

| Field                                 | Value                                                        |
| ------------------------------------- | ------------------------------------------------------------ |
| **SCIM connector base URL**           | `https://app.screendesk.io/api/v2/scim`                      |
| **Unique identifier field for users** | `userName`                                                   |
| **Supported provisioning actions**    | Push New Users, Push Profile Updates, Push Groups (optional) |
| **Authentication Mode**               | HTTP Header                                                  |
| **Authorization**                     | The **SCIM Token** from your Screendesk SAML SSO settings    |

Click **Test Connector Configuration** to verify, then click **Save**.
{% endstep %}

{% step %}

#### Enable provisioning actions

Under **Provisioning → To App**, click **Edit** and enable:

* **Create Users**
* **Update User Attributes**
* **Deactivate Users**

Click **Save**.
{% endstep %}
{% endstepper %}

***

### Troubleshooting

<details>

<summary>"SAML Authentication failed" error</summary>

This usually means the SAML response signature could not be verified. Check the following:

* The **IDP Certificate** in Screendesk matches the certificate downloaded from Okta. Make sure you pasted the full PEM text including header and footer lines.
* The **Single sign-on URL** in Okta matches `https://app.screendesk.io/saml_callback` exactly.
* The **Audience URI** in Okta matches `urn:screendesk.io:saml` exactly.
* Make sure the signing certificate in Okta is **Active** (not expired or inactive).

</details>
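
For the URL and audience checks above, the `SAMLResponse` form field posted during your own test login can be decoded and compared with the values this guide configures. The Python below is an added example, not Screendesk or Okta code; `check_response` is a hypothetical helper, the sample response is constructed, and the check reports field mismatches only; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://app.screendesk.io/saml_callback"  # Single sign-on URL from this page
AUDIENCE = "urn:screendesk.io:saml"                  # Audience URI from this page
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ATTRS = {"email", "first_name", "last_name"}         # attribute statements from Step 1

def check_response(saml_response_b64, idp_entity_id):
    """Return a list of mismatches. Does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (failed status or encrypted assertion)"]
    nameid = assertion.find("a:Subject/a:NameID", NS)
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    found = {
        "Destination": (root.get("Destination"), ACS_URL),
        "Recipient": (scd.get("Recipient") if scd is not None else None, ACS_URL),
        "Audience": (assertion.findtext(".//a:Audience", namespaces=NS), AUDIENCE),
        "Issuer": (assertion.findtext("a:Issuer", namespaces=NS), idp_entity_id),
        "NameID Format": (nameid.get("Format") if nameid is not None else None, EMAIL_FORMAT),
    }
    problems = [f"{name}: got {got!r}, expected {want!r}"
                for name, (got, want) in found.items() if got != want]
    names = {a.get("Name") for a in assertion.iterfind(".//a:Attribute", NS)}
    problems += [f"missing attribute {n!r}" for n in sorted(ATTRS - names)]
    return problems

# Constructed sample (unsigned, placeholder issuer and user). The Audience holds the
# ACS URL by mistake and the last_name attribute statement is missing.
SAMPLE_XML = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{ACS_URL}">
 <a:Assertion><a:Issuer>http://www.okta.com/EXAMPLE_APP_ID</a:Issuer>
  <a:Subject><a:NameID Format="{EMAIL_FORMAT}">alex@yourcompany.com</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS_URL}"/></a:SubjectConfirmation>
  </a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{ACS_URL}</a:Audience></a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="email"/><a:Attribute Name="first_name"/></a:AttributeStatement>
 </a:Assertion></p:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for problem in check_response(SAMPLE_B64, "http://www.okta.com/EXAMPLE_APP_ID"):
        print(problem)
```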

<details>

<summary>Okta shows "app not assigned" error</summary>

The user trying to log in has not been assigned to the Screendesk app in Okta. Go to the **Assignments** tab and add the user or their group.

</details>

<details>

<summary>SCIM provisioning fails</summary>

* Verify the **SCIM Token** in Okta matches the token shown in your Screendesk SAML SSO settings.
* Confirm the base URL is `https://app.screendesk.io/api/v2/scim` (not `/scim/Users`).
* Check that the **Authentication Mode** is set to **HTTP Header**.

</details>

<details>

<summary>New users get "Ask your IT administrator" message</summary>

This means **Automatic account creation** is turned off in your Screendesk SAML settings. Either enable it in **Account Settings → Security → SAML SSO**, or use SCIM provisioning to create user accounts before they try to log in.

</details>

