How to Configure SSO/SCIM - Okta

Last updated: May 28, 2025

This guide walks you through integrating Okta with Kula to enable Single Sign-On (SSO) and automated user provisioning via SCIM.


🔐 SSO Integration with Okta

Supported Features

  • SAML 2.0-based authentication

  • IdP-Initiated and SP-Initiated SSO flows

  • Manual metadata configuration

  • No domain verification required

Steps to Configure SSO in Okta:

  1. Create a SAML Integration App in Okta:

    • Go to Okta Admin Console > Applications > Applications > Create App Integration

    • Select SAML 2.0

  2. Configure SAML Settings:

    • Single Sign-On URL (ACS): Provided by Kula (based on your account)

    • Audience URI (Entity ID): Provided by Kula

    • Name ID format: EmailAddress

    • Application username: Email

  3. Provide Metadata to Kula:

    • Download the metadata XML or use the metadata URL

    • In Kula, go to Settings > SSO Setup

    • Upload metadata or paste values (Entity ID, SSO URL, Certificate)

  4. Save & Test:

    • Kula will confirm if SSO setup is successful

    • Test both IdP-Initiated and SP-Initiated flows


🔁 SCIM Provisioning with Okta

Steps to Enable SCIM in Okta:

  1. Enable SCIM in Kula:

    • Go to Settings > SCIM

    • Generate a SCIM Token

  2. Configure Okta SCIM:

    • In the SAML app, open the Provisioning tab

    • Enable API integration

    • Set:

      • SCIM Base URL: https://api.kula.ai/api/saml/scim

      • Bearer Token: The SCIM token from Kula

  3. Test and Save Integration:

    • Click Test Connection

    • Configure supported operations: Create, Update, Deactivate users


💡 FAQs

Q1. Do I need to verify my domain in Okta?
A: No. Kula uses manual setup, which bypasses the need for domain verification.

Q2. Does SCIM also update user roles or groups?
A: Currently, only basic provisioning and deprovisioning are supported. Role/group sync may be added later.

Q3. Can multiple Kula accounts be linked to a single Okta instance?
A: Yes, using separate apps or configurations per account.


🛠 Troubleshooting Use Case

Issue: The user is not being redirected correctly after SSO login
Resolution:

  • Ensure the ACS URL and Entity ID in Okta match what's configured in Kula

  • Check certificate expiry and validity in metadata

  • Review SAML Response using SAML Tracer (browser extension)
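
The ACS URL, Entity ID and Name ID checks above can be scripted against a SAMLResponse value copied from SAML Tracer. This is an added example, not code from Kula or Okta: the function name `check_saml_response` is hypothetical, the sample URLs are placeholders, and the script is a diagnostic that does not verify the response signature.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_saml_response(b64_response, expected_acs, expected_entity_id, now=None):
    """List mismatches between a captured SAMLResponse (HTTP-POST binding,
    base64) and the SP settings. Diagnostic only: no signature verification."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    dest = root.get("Destination")
    if dest != expected_acs:
        problems.append(f"Destination {dest!r} does not match ACS URL {expected_acs!r}")
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience is None or audience.strip() != expected_entity_id:
        problems.append(f"Audience {audience!r} does not match Entity ID {expected_entity_id!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    cond = root.find(".//saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None:
        problems.append("Conditions/NotOnOrAfter is missing")
    elif now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append(f"Assertion expired at {expiry} (check clock skew)")
    return problems

# Constructed sample: placeholder URLs, not values issued by Kula or Okta.
ACS = "https://sp.example.com/saml/acs"
ENTITY_ID = "https://sp.example.com/saml/metadata"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS}">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-05-28T10:00:00Z" NotOnOrAfter="2025-05-28T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
WHEN = datetime(2025, 5, 28, 10, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_B64, ACS, ENTITY_ID, WHEN))        # matching settings
    print(check_saml_response(SAMPLE_B64, ACS + "/", ENTITY_ID, WHEN))  # trailing-slash mismatch
```

The comparison is exact, so a trailing slash or an http/https difference in the ACS URL is reported as a mismatch.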