SAML SSO using Okta

Updated 2 weeks ago by Andrew White

Spoke is excited to offer an integration with Okta. This simply means that we've laid the groundwork for integrations to Okta, to save you time!

Supported Features

The Okta/Spoke SAML integration currently supports the following features:

  • SP-initiated SSO
  • IdP-initiated SSO
  • JIT (Just In Time) Provisioning

For more information on the listed features, visit the Okta Glossary.

For Spoke-specific SAML best practices, make sure you read the Before you Begin section.

Before you begin 

  • Only Spoke Admins have the superpowers to enable SAML for the organization.
  • After SAML is enabled, all non-admin members in Spoke must log in with SAML. Admins who have not set up a password will be prompted to do so by a banner in the web app. Admins can still log in with a password as needed.
  • Because the SSO setup will log out all users and admins, it's best to set up SAML when few users are logged in, such as before launch or outside of business hours.
  • Spoke offers just in time provisioning. This means that if a user logs into Spoke for the first time using SSO, an account will automatically be created.

Configuration Steps

Log in to your Spoke account. Then navigate to Settings > SAML.

In a second tab, sign into the Okta Admin Dashboard. You will need to copy the following fields from Okta into Spoke.

  • Sign on URL
  • Issuer
  • Public certificate
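The sketch below pulls these three values out of a downloaded SAML IdP metadata file and prints a SHA-256 fingerprint of the certificate, so that what you paste can be compared against what Okta shows. It is an added example, not code from Spoke or Okta. It assumes that Issuer corresponds to the metadata `entityID`, that Sign on URL is the HTTP-Redirect `SingleSignOnService` location, and that the certificate is pasted in PEM form. The metadata in it is constructed, with placeholder bytes in place of a real certificate.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: entityID, URL and certificate bytes are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.example.test/exk-placeholder">
 <md:IDPSSODescriptor
     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing">
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
    <ds:X509Certificate>Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIs
      IG5vdCBhIHJlYWwgY2VydGlmaWNhdGU=</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor>
  <md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/app/placeholder/sso/saml"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_fields(metadata_xml, binding=REDIRECT):
    """Return the three values to paste, plus a fingerprint to compare."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or not root.get("entityID"):
        raise ValueError("not SAML IdP metadata")
    urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == binding]
    if not urls or not urls[0].startswith("https://"):
        raise ValueError("no HTTPS sign-on URL for binding %s" % binding)
    # Keep only non-empty certificates from signing (or unlabelled) key descriptors.
    certs = [c.text for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.findall(".//ds:X509Certificate", NS)
             if (c.text or "").strip()]
    if len(certs) != 1:  # more than one can appear during a key rollover
        raise ValueError("expected one signing certificate, found %d" % len(certs))
    b64 = "".join(certs[0].split())  # metadata often wraps the base64 text
    digest = hashlib.sha256(base64.b64decode(b64, validate=True)).hexdigest().upper()
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64),
                     "-----END CERTIFICATE-----", ""])
    return {"sign_on_url": urls[0], "issuer": root.get("entityID"),
            "certificate_pem": pem,
            "fingerprint_sha256": ":".join(digest[i:i + 2] for i in range(0, 64, 2))}
```

Call `extract_idp_fields()` with the contents of your own metadata file; a `ValueError` means the file has no HTTPS sign-on URL for the chosen binding or does not contain exactly one signing certificate.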

Once you have pasted the information into these fields, select "Test SAML Connection".

If everything has been filled in correctly, you will receive a message that your test has succeeded. To finish enabling SAML, click "Enable SAML".

Once enabled, all users will be logged out and will need to log in using their Single Sign-on provider. Click "Yes, enable SAML and log out".


If you receive an error when enabling SAML, Spoke will highlight in red the field that contains the error.

  • Make sure that you entered the correct value in the Subdomain field under the General tab in Okta. Using the wrong value will prevent you from authenticating via SAML to Spoke.
  • The following SAML attributes are supported:
    • Name

SP-initiated SSO

  1. Go to: https://[your-subdomain]
  2. Enter your email, then click the arrow icon.
  3. Click Log in with SSO.
