Set up SAML SSO & SCIM with Okta

For Enterprise org admins: Learn how to set up both SAML SSO and SCIM if you use Okta as your identity provider

Updated over 2 months ago

SAML SSO and SCIM are available for organizations on Coda's Enterprise plan. This article is intended for org admins who use Okta as their Identity Provider. Below we will walk through the specific steps necessary to set up both SSO and SCIM in Coda. If you use a different Identity Provider, please check out this article instead.

ℹ️ Please note that SSO and SCIM are only available to customers on Coda’s Enterprise plan.


Supported features

SAML and SCIM allow org admins to authenticate and provision users in their organization. Within Coda, the following SAML and SCIM features are supported for Okta:

  • SAML:

    • IdP-initiated SSO

    • SP-initiated SSO

    • Just-In-Time provisioning

  • SCIM:

    • Create users

    • Update user attributes

    • Deactivate users

    • Group push

For more information on the listed features, visit the Okta Glossary.

Configure SAML SSO with Okta

The instructions in this article are specific to Okta. If you use a different identity provider, please refer to this article instead.

Part 1: Enable SSO in Coda

The first step to setting up SSO is to enable it for your org on Coda. If you’re an org admin, you can follow the steps below to do so:

  1. In the upper left corner, select Admin settings

  2. Search for - or scroll to - the Authentication methods tab (within the Security section)

  3. Scroll down to the Authenticate with SSO (SAML) option, and toggle this on. Then click Configure SAML.

  4. Click into the SAML provider dropdown, and choose Okta from the list of options.

  5. Copy the Tenant ID value.

  6. Continue on to Part 2 below.

Part 2: Create a new application in Okta

The next part of the process takes place in Okta.

  1. In the Okta Admin Dashboard, find Coda under your applications.

  2. Click into the Sign on tab, then click Edit.

  3. Scroll down to the Advanced Sign-on Settings section, and enter the value of the Tenant ID from the previous section into the provided field. Then click Save.

  4. Slightly above the Advanced Sign-On Settings section, you should see a section titled Metadata details. Locate and copy the Metadata URL. You’ll need this URL for part 3.


Part 3: Configure SAML SSO in Coda

  1. Back in the Coda SAML setup dashboard, paste the URL from the step above into the Metadata URL field (found in the From Okta section on the right). Click the Import button.

    1. Sign on URL, Issuer, and Signing certificate will auto-fill. Make any manual edits if needed.

  2. Your SAML configuration for Okta -> Coda is complete. You can start assigning people to the application.

Notes

The following SAML attributes are supported for Okta:

| Property | FieldName from Okta |
| --- | --- |
| First name | user.firstName |
| Last name | user.lastName |

Service provider-initiated SSO

To initiate SSO from Coda:

  1. Click SSO

  2. Enter your email address and click Continue

Manage SSO for multiple workspaces

If you have multiple Coda workspaces within your Enterprise org and want to use SSO, you may be wondering how the right users are assigned to the right workspace. That’s where SAML assertions come in.

To get started with SAML assertions for multiple workspaces, you’ll first need to contact your account team (or reach out to us via this form) to enable the feature.

Once SAML assertions have been enabled, you will need to map users to the correct Coda workspaces within your Okta account. This can be done in the SAML Settings > Group Attribute Statements. Refer to this link for more details. Note that you will need to create a custom app integration rather than use the native Coda app.

The mapping should match the following format:

<saml2:AttributeStatement>
  <saml2:Attribute Name="coda/workspaces/ws-Abcd1234">
    ...
  </saml2:Attribute>
  <saml2:Attribute Name="coda/workspaces/ws-Abcd5678">
    ...
  </saml2:Attribute>
</saml2:AttributeStatement>

Finally, you can complete the setup in your Coda admin settings, under the Workspace assignment tab. Scroll to the Workspace membership assignment setting, and select the Manage via SAML assertions option.
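A mistyped attribute name in a Group Attribute Statement will not match the mapping format shown above. This added example (not Coda's code) checks the attribute names in a captured AttributeStatement against that format and lists near misses. The ID character set in the regular expression is an assumption based on the page's ws-Abcd1234, and the attribute values are constructed because the page does not show them.

```python
import re
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: workspace IDs look like the page's ws-Abcd1234
# (letters, digits, "_" and "-" after the "ws-" prefix).
WORKSPACE_ATTR = re.compile(r"coda/workspaces/(ws-[A-Za-z0-9_-]+)")

# Constructed sample: the values are made-up group names, and the second
# attribute name is deliberately mistyped ("workspace" without the "s").
SAMPLE = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2}">
  <saml2:Attribute Name="coda/workspaces/ws-Abcd1234">
    <saml2:AttributeValue>eng-all</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="coda/workspace/ws-Abcd5678">
    <saml2:AttributeValue>sales-all</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="firstName">
    <saml2:AttributeValue>Ada</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def check_workspace_attributes(xml_text):
    """Return (well-formed workspace mappings, names that look like near misses)."""
    # iter() searches all descendants, so a full assertion or response works too.
    root = ET.fromstring(xml_text)
    mapped, suspect = {}, []
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.iter(f"{{{SAML2}}}AttributeValue")]
        match = WORKSPACE_ATTR.fullmatch(name)
        if match:
            mapped.setdefault(match.group(1), []).extend(values)
        elif name.lower().startswith("coda/"):
            # Intended as a workspace mapping but does not match the format.
            suspect.append(name)
    return mapped, suspect


if __name__ == "__main__":
    mapped, suspect = check_workspace_attributes(SAMPLE)
    print("mapped:", mapped)
    print("check these names:", suspect)
```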

Configure SCIM with Okta

Part 1: Enable SCIM in Coda

The first step is to enable SCIM within your Coda organization settings. Note that you must be an Enterprise org admin to follow these steps:

  1. In the left panel, select Admin settings

  2. Go to the Provisioning tab.

  3. Toggle on the Provision with SCIM setting.

  4. Click Generate New Token. (Note: Only one SCIM token is valid at a time. If SCIM was previously configured, generating a new token invalidates the previous token.)

  5. Note the SCIM Base URL and SCIM Bearer Token. You will need this information later.

Part 2: Configure SCIM in Okta

Next, you’ll need to configure SCIM within Okta:

  1. In Okta, click on the Provisioning tab in your Coda integration app.

  2. Click Configure API Integration.

  3. Check the resulting Enable API Integration checkbox.

  4. Copy the SCIM Base URL from Coda (see the steps in the section above) into the Base URL field.

  5. Copy the SCIM Bearer Token from Coda into the API Token field.

  6. If you want to enable provisioning of groups in Coda, check the Import Groups checkbox. This will allow users in Coda to share with groups of users that you define in Okta.

  7. Click Test API Credentials to verify you have correctly completed these steps.

  8. Finally, click Save to enable provisioning.


