Single Sign-On with Okta


Before getting started, please note the following:

🔜 Considerations - Setting up SSO for Ketch shuts down access to the instance for Ketch CSM and support team. Therefore its highly recommended that you create logins for key Ketch personnel during the implementation phase. If its not possible, then its advisable to only switch to SSO post implementation but before go-live as installing an SSO involves deleting and re-inviting users to your Ketch instance. This means that all existing set-ups (e.g. user permissions & workflow assignees) will have to be redone by your company Ketch admin.

🔲 Okta tile limitations - Due to a limitation in Okta/Auth0, we can currently only support Service Provider-initiated SSO, so clicking on a tile in Okta dashboard may not log you directly into your organization. However, logging in via the Ketch app directly will seamlessly leverage your Okta SSO. If you would like to be able to visit Ketch from a tile however, Okta administrators can hide the normal IdP initiated SSO tile and create a Service Initiated SSO tile which acts as a ‘bookmark’ to

🔢 Setting up Okta on multiple Ketch instances - If you are provisioned additional Ketch organizations, we will need to enable SSO on each organization individually. There are no additional steps required in Okta, as we simply need to enable your company's existing Okta SSO configuration on your new organization, but it is a manual step.

To complete this setup, let your customer success representative or your account executive that you would like to set up Okta in advance and we will provide you with the following:

  • Unique Single Sign-On URL
  • Unique Audience URI (SP Entity ID)

1. Open up the Okta Dashboard

  • Click Admin (top right)
  • Click on the Applications tab
  • Click Create App Integration
  • Select SAML 2.0
  • Click Next

2. Set up General Settings

  • Enter Ketch as app name
  • Download the Ketch Logo png provided below and upload:
  • Click Apply
  • Click Next

3. Create SAML Integration

Enter the following:

Single Sign-On URLUse your unique company URL provided by Ketch (make sure check box below is selected)
Audience URI (SP Entity ID)Use your unique company URI provided by Ketch
Default Relay StateLeave blank
Name ID FormatUnspecified
Application usernameEmail
Update application username onCreate and update

4. Scroll down to 'Attribute Statements'

Enter the following attributes, using the Add Another button to enter a new entry:

  • Scroll to the bottom of the page and click Next

5. Okta Support Page

  • Select I’m an Okta customer adding an internal app
  • Select It’s required to contact the vendor to enable SAML
  • Click Finish

6. Configure Ketch to trust Okta

  • Scroll down to the bottom of the new page and click 'View SAML setup instructions'

Then provide the following information to your Ketch Customer Success Manager via email or your decided mode of communication e.g. Slack:

  1. ID Provider Name / Details
  2. The Identity Provider Domain(s) you use for logins
  3. Identity Provider Single Sign-On URL (copy and paste)
  4. Identity Provider Issuer (copy and paste)
  5. X.509 Certificate (download certificate and send as a file attachment)


In the mean time...

Ensure you have assigned users/groups to the application per company policy

Once we have received this information and made the configuration changes to your Ketch account, the Okta SSO will be functional!