SSO / SAML Setup

Kula supports multiple sign-in options that admins can enable or disable for their organization. This article covers how to configure each option from Settings → Organization → Security.

Sign-in Options Overview

Admins can toggle each option on or off. You can enable multiple methods simultaneously.

Enabling Google or Microsoft Sign-in

1. Go to Settings → Organization → Security

2. Under Sign-in options, toggle Google or Microsoft on

3. Users can immediately sign in using their Google or Microsoft account

Setting Up Single Sign-On (SSO)

SSO lets your team log in using your organization's identity provider (IdP) via SAML 2.0. Kula supports Okta, JumpCloud, and any other SAML 2.0-compliant IdP.

Step 1: Add an SSO Provider

1. Go to Settings → Organization → Security

2. Under Single Sign-On (SSO), click + Add SSO

3. Select your provider or choose Custom SAML

Step 2: Enter Your IdP Details

Fill in the following using values from your IdP admin console:

Step 3: Save and Activate

1. Click Save

2. Click Test Connection to verify the setup

3. Toggle the SSO provider on once the test passes

Provider-Specific Setup

Okta

SSO Setup

1. In Okta Admin Console: Applications → Create App Integration → SAML 2.0

2. Set the ACS URL and Audience URI (Entity ID) to the values Kula provides

3. Set Name ID format to EmailAddress, Application username to Email

4. Download the metadata XML from Okta

5. In Kula, paste or upload the metadata under + Add SSO → Okta

SCIM Provisioning (optional)

Automatically add and remove users in Kula when they're added or removed in Okta.

1. In Kula, go to Settings → SCIM → generate a SCIM Token

2. In your Okta SAML app, open Provisioning → Enable API Integration

3. Enter:

   • SCIM Base URL: https://api.kula.ai/api/saml/scim

   • Bearer Token: the token from Kula

4. Enable Create, Update, and Deactivate user operations

JumpCloud

SSO Setup

1. In JumpCloud Admin Portal: SSO → Add New Application → Custom SAML App

2. Set the SP Entity ID and ACS URL to the values Kula provides

3. Set SAML Subject to email address

4. Download the metadata XML from JumpCloud

5. In Kula, upload or paste the metadata under + Add SSO → JumpCloud

6. Assign users to the SAML app inside JumpCloud

SCIM Provisioning (optional)

SCIM availability depends on your JumpCloud plan.

1. In Kula, go to Settings → SCIM → generate a SCIM Bearer Token

2. In JumpCloud, enter:

   • SCIM Base URL: https://api.kula.ai/api/saml/scim

   • Bearer Token: the token from Kula

Contact JumpCloud support if SCIM is not available on your current plan.

Managing SSO Providers

From Settings → Organization → Security, you can:

• Edit a provider — click the pencil icon next to the provider name

• Delete a provider — click the trash icon

• Enable / Disable a provider — use the toggle without deleting the configuration

Troubleshooting

FAQs

Q: Can I enable multiple SSO providers at the same time?
Yes. You can add and enable Okta and JumpCloud simultaneously.

Q: Can I keep email/password login enabled alongside SSO?
Yes, but this is not recommended for production. For maximum security, disable email/password login once SSO is configured.

Q: Do I need to verify my domain to set up SSO?
No. Kula uses manual metadata configuration, so domain verification is not required.

Q: Who can configure SSO?
Only Org Admins can add, edit, or remove SSO providers.

Q: What happens if I delete an SSO provider?
Users who rely on that provider will lose SSO access. Ensure an alternative sign-in method is available before deleting.

Need help?

Contact Kula Support via in-app chat or email support@kula.ai.