> For the complete documentation index, see [llms.txt](https://docs.luciq.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.luciq.ai/organization-settings/user-management/sso-using-saml.md).

# SSO Using SAML

{% hint style="warning" %}
This guide uses [Okta](https://okta.com/) to show the SAML setup flow. Most SAML providers follow similar steps.
{% endhint %}

### Set up SAML in Okta

### Create the application in Okta

{% stepper %}
{% step %}

### Luciq: Open SAML settings

Sign up in Luciq using the same email address as Okta.

In Luciq, go to **Account Management → Identity access management**.

Click **Configure** next to **SAML**.
{% endstep %}

{% step %}

### Okta: Create an app integration

In Okta, go to **Applications**.

Click **Create App Integration**.

<figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1401582755/fb6726bb45742092e2073ed30bf6/image.png?expires=1764258300&#x26;signature=942d67b1274c55dbaa7194dc6db1e57b059dd4de19794a1a85eddba71efced3d&#x26;req=dSQnF8x2n4ZaXPMW1HO4zdCIiPo2cyz%2Byk5w5y4E3W3vOu93V9utiAtwlk1b%0AOQFG%0A" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Okta: Choose SAML 2.0

In Okta, in **Applications**, select **SAML 2.0**.

Click **Next**.

<figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1401584548/1fc0f00ad5999ff3b59768ff9ff9/image.png?expires=1764258300&#x26;signature=1744bc7bf0464b498c6b0cf97883bf24f673ac72d42697e0987e64817568a7ac&#x26;req=dSQnF8x2mYRbUfMW1HO4zY2olfJRmstxgTg5ofyxNyoBzCMMErf6dpCFnipa%0AvZhW%0A" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Okta: Set the app name

In Okta, in **General Settings**, enter the app name.

Click **Next**.

<figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1401585455/7a5269c678624db48f2a182fd3bd/image.png?expires=1764258300&#x26;signature=261ed2e9a37290a44def5ed0e9ef141284b234a51917fd4e686068a79da0ac36&#x26;req=dSQnF8x2mIVaXPMW1HO4zRXh5U%2F3gxmnND0z%2FrgI9wGyMlPzpMoMzZaiOIiW%0ADsDw%0A" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Okta: Map the SAML fields

In Okta, in **Configure SAML**, map these values:

1. Copy `Service Provider SSO Callback URL` from Luciq to `Single sign-on URL` in Okta.
2. Copy `Service Provider Entity ID` from Luciq to `Audience URI (SP Entity ID)` in Okta.
3. Leave `Default RelayState` empty.
4. Set `Name ID format` to `EmailAddress`.
5. Set `Application username` to `email`.
6. Click **Next**.
   {% endstep %}
   {% endstepper %}

### Assign users to the app

{% stepper %}
{% step %}

### Okta: Assign users to the app

In Okta, in **Applications**, click **Assign Users to App**.

Select the app you created.

Then select the users to assign.
{% endstep %}
{% endstepper %}

[![](https://downloads.intercomcdn.com/i/o/ih9pma6x/1401590860/68a65004f4d71654c6eccf12892a/image.png?expires=1764258300\&signature=2da87be964d34ce24a1d7ece734c68f0003232457d78e3d120139eac6eeea9ef\&req=dSQnF8x3nYlZWfMW1HO4zUKAE9DyFTrwDzyGkHAE9QZto9Tn8MtjqFbF5YNB%0AQ7yX%0A)](https://downloads.intercomcdn.com/i/o/ih9pma6x/1401590860/68a65004f4d71654c6eccf12892a/image.png?expires=1764258300\&signature=2da87be964d34ce24a1d7ece734c68f0003232457d78e3d120139eac6eeea9ef\&req=dSQnF8x3nYlZWfMW1HO4zUKAE9DyFTrwDzyGkHAE9QZto9Tn8MtjqFbF5YNB%0AQ7yX%0A)[![](https://downloads.intercomcdn.com/i/o/ih9pma6x/1401591562/00c281d11596de1a9fa13c517c26/image.png?expires=1764258300\&signature=c078047b97e64b03e85a9127fb5a97a2728deb3b03e0f9dc82ce232aac5f4e92\&req=dSQnF8x3nIRZW%2FMW1HO4zVbmR3HQZ%2BrW%2Bvy16Z4vLrnQBVU4aXFmhGgVIy6t%0At15b%0A)](https://downloads.intercomcdn.com/i/o/ih9pma6x/1401591562/00c281d11596de1a9fa13c517c26/image.png?expires=1764258300\&signature=c078047b97e64b03e85a9127fb5a97a2728deb3b03e0f9dc82ce232aac5f4e92\&req=dSQnF8x3nIRZW%2FMW1HO4zVbmR3HQZ%2BrW%2Bvy16Z4vLrnQBVU4aXFmhGgVIy6t%0At15b%0A)

### Set up sign-on

{% stepper %}
{% step %}

### Okta: Open the Sign On tab

In Okta, go to **Applications**.

Open the app you created.

Select the **Sign On** tab.
{% endstep %}

{% step %}

### Okta: Open setup instructions

In Okta, in the **Sign On** tab, open **View Setup Instructions**.

<figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1401592923/3648379873e4fb1e9662cd15aa73/image.png?expires=1764258300&#x26;signature=0c22cb910707b2cb2156120ba0f6ed2abf42eb25919475c6f3774c9bd8805585&#x26;req=dSQnF8x3n4hdWvMW1HO4zZiNJlvHEydn%2Ffu1E89lmWmu91QKLDHuRPZ0SnLH%0AFhsd%0A" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Okta and Luciq: Choose a certificate or fingerprint

Set up either a certificate or a fingerprint.

<details>

<summary>Using certificate</summary>

1. Download the Okta certificate from **View Setup Instructions**.
2. In Luciq, in **Account Management → Identity access management**, open **Configure SAML SSO**.
3. Select **Certificate**, then upload the certificate.

   <figure><img src="https://downloads.intercomcdn.com/i/o/ih9pma6x/1732780238/86a37716bb566ab741d7484f1501/85800EDA-CE0D-48DF-9E7E-909574002640.jpeg?expires=1764258300&#x26;signature=4f7b46fb4ef3df473a9892e4dc8651d1139d6da2f44624616c4525156c4e82ff&#x26;req=dSckFM52nYNcUfMW1HO4zU%2B2R3kp%2Fw1azBuAkGgoNu%2B3xqv3U4xKgBFr6pYp%0AL6o5%0A" alt=""><figcaption></figcaption></figure>
4. Copy `Identity Provider Single Sign-On URL` from **View Setup Instructions** to `SAML/idP metadata URL` in Luciq.

</details>

<details>

<summary>Using fingerprint</summary>

1. Change directory to where you downloaded the certificate.
2. Run `openssl x509 -noout -fingerprint -sha1 -inform pem -in okta.cert`.
3. Copy the fingerprint value. It should look similar to `F4:95:55:6E:97:D7:B6:26:56:3C:D0:4D:A0:D3:E4:05:B3:11:FF:B7`.
4. In Luciq, in **Account Management → Identity access management**, open **Configure SAML SSO**.
5. Select **Fingerprint**, then enter:
   1. `Identity Provider Certificate Fingerprint` = fingerprint from the terminal.
   2. `Identity Provider Certificate Fingerprint Algorithm` = `SHA1`.
   3. `SAML/idP metadata URL` = `Identity Provider Single Sign-On URL` from **View Setup Instructions**.

</details>
{% endstep %}
{% endstepper %}

### Log in

{% hint style="info" %}
Before logging in with SSO, make sure the email is already invited to the company. If you want Okta to create accounts automatically, see [SCIM Provisioning](/organization-settings/user-management/scim-provisioning.md).
{% endhint %}

{% stepper %}
{% step %}

### Luciq: Log out

In Luciq, log out of your current session.
{% endstep %}

{% step %}

### Luciq: Start SSO login

In Luciq, select **Log in with SSO**.
{% endstep %}

{% step %}

### Luciq: Sign in with the assigned account

In Luciq, enter the Okta email you assigned to the app.
{% endstep %}
{% endstepper %}

***

{% hint style="info" %}
To enable SAML or OAuth for the whole company, log in with SSO at least once after setup.

After that, members can no longer log in with email and password.
{% endhint %}

{% hint style="warning" %}
If you disable SSO and then enable it again, it applies to the whole company immediately. You do not need to log in with SSO first.
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.luciq.ai/organization-settings/user-management/sso-using-saml.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
