# SSO Using SAML

{% hint style="warning" %}
This guide uses [Okta](https://okta.com/) to show the SAML setup flow. Most SAML providers follow similar steps.
{% endhint %}

### Set up SAML in Okta

### Create the application in Okta

{% stepper %}
{% step %}

### Luciq: Open SAML settings

Sign up for Luciq using the same email address that you use in Okta.

In Luciq, go to **Account Management → Identity access management**.

Click **Configure** next to **SAML**.
{% endstep %}

{% step %}

### Okta: Create an app integration

In Okta, go to **Applications**.

Click **Create App Integration**.

<figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1401582755/fb6726bb45742092e2073ed30bf6/image.png?expires=1764258300&#x26;signature=942d67b1274c55dbaa7194dc6db1e57b059dd4de19794a1a85eddba71efced3d&#x26;req=dSQnF8x2n4ZaXPMW1HO4zdCIiPo2cyz%2Byk5w5y4E3W3vOu93V9utiAtwlk1b%0AOQFG%0A" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Okta: Choose SAML 2.0

In Okta, in **Applications**, select **SAML 2.0**.

Click **Next**.

<figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1401584548/1fc0f00ad5999ff3b59768ff9ff9/image.png?expires=1764258300&#x26;signature=1744bc7bf0464b498c6b0cf97883bf24f673ac72d42697e0987e64817568a7ac&#x26;req=dSQnF8x2mYRbUfMW1HO4zY2olfJRmstxgTg5ofyxNyoBzCMMErf6dpCFnipa%0AvZhW%0A" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Okta: Set the app name

In Okta, in **General Settings**, enter the app name.

Click **Next**.

<figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1401585455/7a5269c678624db48f2a182fd3bd/image.png?expires=1764258300&#x26;signature=261ed2e9a37290a44def5ed0e9ef141284b234a51917fd4e686068a79da0ac36&#x26;req=dSQnF8x2mIVaXPMW1HO4zRXh5U%2F3gxmnND0z%2FrgI9wGyMlPzpMoMzZaiOIiW%0ADsDw%0A" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Okta: Map the SAML fields

In Okta, in **Configure SAML**, map these values:

1. Copy `Service Provider SSO Callback URL` from Luciq to `Single sign-on URL` in Okta.
2. Copy `Service Provider Entity ID` from Luciq to `Audience URI (SP Entity ID)` in Okta.
3. Leave `Default RelayState` empty.
4. Set `Name ID format` to `EmailAddress`.
5. Set `Application username` to `email`.
6. Click **Next**.

{% endstep %}
{% endstepper %}

### Assign users to the app

{% stepper %}
{% step %}

### Okta: Assign users to the app

In Okta, in **Applications**, click **Assign Users to App**.

Select the app you created.

Then select the users to assign.
{% endstep %}
{% endstepper %}

[![](https://downloads.intercomcdn.com/i/o/ih9pma6x/1401590860/68a65004f4d71654c6eccf12892a/image.png?expires=1764258300\&signature=2da87be964d34ce24a1d7ece734c68f0003232457d78e3d120139eac6eeea9ef\&req=dSQnF8x3nYlZWfMW1HO4zUKAE9DyFTrwDzyGkHAE9QZto9Tn8MtjqFbF5YNB%0AQ7yX%0A)](https://downloads.intercomcdn.com/i/o/ih9pma6x/1401590860/68a65004f4d71654c6eccf12892a/image.png?expires=1764258300\&signature=2da87be964d34ce24a1d7ece734c68f0003232457d78e3d120139eac6eeea9ef\&req=dSQnF8x3nYlZWfMW1HO4zUKAE9DyFTrwDzyGkHAE9QZto9Tn8MtjqFbF5YNB%0AQ7yX%0A)[![](https://downloads.intercomcdn.com/i/o/ih9pma6x/1401591562/00c281d11596de1a9fa13c517c26/image.png?expires=1764258300\&signature=c078047b97e64b03e85a9127fb5a97a2728deb3b03e0f9dc82ce232aac5f4e92\&req=dSQnF8x3nIRZW%2FMW1HO4zVbmR3HQZ%2BrW%2Bvy16Z4vLrnQBVU4aXFmhGgVIy6t%0At15b%0A)](https://downloads.intercomcdn.com/i/o/ih9pma6x/1401591562/00c281d11596de1a9fa13c517c26/image.png?expires=1764258300\&signature=c078047b97e64b03e85a9127fb5a97a2728deb3b03e0f9dc82ce232aac5f4e92\&req=dSQnF8x3nIRZW%2FMW1HO4zVbmR3HQZ%2BrW%2Bvy16Z4vLrnQBVU4aXFmhGgVIy6t%0At15b%0A)

### Set up sign-on

{% stepper %}
{% step %}

### Okta: Open the Sign On tab

In Okta, go to **Applications**.

Open the app you created.

Select the **Sign On** tab.
{% endstep %}

{% step %}

### Okta: Open setup instructions

In Okta, in the **Sign On** tab, open **View Setup Instructions**.

<figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1401592923/3648379873e4fb1e9662cd15aa73/image.png?expires=1764258300&#x26;signature=0c22cb910707b2cb2156120ba0f6ed2abf42eb25919475c6f3774c9bd8805585&#x26;req=dSQnF8x3n4hdWvMW1HO4zZiNJlvHEydn%2Ffu1E89lmWmu91QKLDHuRPZ0SnLH%0AFhsd%0A" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Okta and Luciq: Choose a certificate or fingerprint

Set up either a certificate or a fingerprint.

<details>

<summary>Using certificate</summary>

1. Download the Okta certificate from **View Setup Instructions**.
2. In Luciq, in **Account Management → Identity access management**, open **Configure SAML SSO**.
3. Select **Certificate**, then upload the certificate.

   <figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1732780238/86a37716bb566ab741d7484f1501/85800EDA-CE0D-48DF-9E7E-909574002640.jpeg?expires=1764258300&#x26;signature=4f7b46fb4ef3df473a9892e4dc8651d1139d6da2f44624616c4525156c4e82ff&#x26;req=dSckFM52nYNcUfMW1HO4zU%2B2R3kp%2Fw1azBuAkGgoNu%2B3xqv3U4xKgBFr6pYp%0AL6o5%0A" alt=""><figcaption></figcaption></figure>
4. Copy `Identity Provider Single Sign-On URL` from **View Setup Instructions** to `SAML/idP metadata URL` in Luciq.

</details>

<details>

<summary>Using fingerprint</summary>

1. Change directory to where you downloaded the certificate.
2. Run `openssl x509 -noout -fingerprint -sha1 -inform pem -in okta.cert`.
3. Copy the fingerprint value. It should look similar to `F4:95:55:6E:97:D7:B6:26:56:3C:D0:4D:A0:D3:E4:05:B3:11:FF:B7`.
4. In Luciq, in **Account Management → Identity access management**, open **Configure SAML SSO**.
5. Select **Fingerprint**, then enter:
   1. `Identity Provider Certificate Fingerprint` = fingerprint from the terminal.
   2. `Identity Provider Certificate Fingerprint Algorithm` = `SHA1`.
   3. `SAML/idP metadata URL` = `Identity Provider Single Sign-On URL` from **View Setup Instructions**.

</details>
{% endstep %}
{% endstepper %}
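The fingerprint steps above can be scripted to confirm that the value entered in Luciq belongs to the certificate you downloaded, and that the certificate is not about to expire. This is an added example, not part of the Luciq or Okta documentation; the function names, the 30-day expiry window and the throwaway self-signed certificate are assumptions made for the demonstration.

```shell
# Added example, not from the Luciq or Okta docs; function names are hypothetical.
set -eu

# SHA-1 fingerprint of a PEM certificate as step 2 prints it, minus the
# "SHA1 Fingerprint=" label (cut keeps only the text after '=').
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha1 -inform pem -in "$1" | cut -d= -f2
}

# Strip colons and whitespace and uppercase the hex, so a pasted value
# compares equal however it was formatted.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# check_idp_cert CERT EXPECTED_FP [SECONDS]
# Returns 0 if CERT matches EXPECTED_FP and stays valid for SECONDS more
# (default 30 days), 1 on fingerprint mismatch, 2 if it expires in the window.
check_idp_cert() {
  got=$(normalize_fp "$(cert_fingerprint "$1")")
  want=$(normalize_fp "$2")
  [ -n "$got" ] && [ "$got" = "$want" ] || return 1
  openssl x509 -noout -checkend "${3:-2592000}" -in "$1" >/dev/null || return 2
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $2 days, standing in for the downloaded okta.cert.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=constructed-idp.example" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
  dir=$(mktemp -d)
  make_demo_cert "$dir/okta.cert" 365
  fp=$(cert_fingerprint "$dir/okta.cert")
  echo "fingerprint: $fp"
  check_idp_cert "$dir/okta.cert" "$fp" && echo "match, not expiring within 30 days"
  rm -rf "$dir"
}
demo
```

To use it for real, call `check_idp_cert` with the downloaded `okta.cert` and the fingerprint value entered in Luciq.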

### Log in

{% hint style="info" %}
Before logging in with SSO, make sure the email address has already been invited to the company. If you want Okta to create accounts automatically, see [SCIM Provisioning](/organization-settings/user-management/scim-provisioning.md).
{% endhint %}

{% stepper %}
{% step %}

### Luciq: Log out

In Luciq, log out of your current session.
{% endstep %}

{% step %}

### Luciq: Start SSO login

In Luciq, select **Log in with SSO**.
{% endstep %}

{% step %}

### Luciq: Sign in with the assigned account

In Luciq, enter the Okta email you assigned to the app.
{% endstep %}
{% endstepper %}

***

{% hint style="info" %}
To enable SAML or OAuth for the whole company, log in with SSO at least once after setup.

After that, members can no longer log in with email and password.
{% endhint %}

{% hint style="warning" %}
If you disable SSO and then enable it again, it applies to the whole company immediately. You do not need to log in with SSO first.
{% endhint %}

