# Setting up Okta

Pynt supports authentication through an external identity provider (IdP) such as Okta. This lets organizations that use Okta control how their employees access Pynt, and removes the need for those employees to manage a separate set of Pynt credentials.

The high-level steps to set up SSO (Single Sign-On) with Okta are:

1. Add Pynt as an application in Okta
2. Set up SSO in Pynt
3. Assign users to the Pynt application in Okta

## Requirements

* Verify you have administrator privileges for your Okta instance.
  * Your role should include [Application Administration](https://help.okta.com/en-us/content/topics/security/administrators-app-admin.htm)
* Verify you are an admin on Pynt and your organization has an active Enterprise license.

## Step 1: Add Pynt as an application in Okta

{% hint style="info" %}
Pynt supports only SP (Service Provider) initiated login, so we'll add both a hidden SAML application (which carries the SSO configuration) and a visible Bookmark app that points users to Pynt's login page.
{% endhint %}

### Add a SAML app

1. Go to Okta's Admin Console, then **Applications** > **Applications**. Click **Create App Integration**, select **SAML 2.0** as the Sign-in method and click **Next**.

   <div align="left"><figure><img src="/files/w2GMfW3wVCqVsinVR9Yu" alt="" width="375"><figcaption></figcaption></figure></div>
2. Choose `Pynt SAML` for the **App Name**, and check **Do not display application icon to users** ![](/files/rPOx2Lk3kVbycnOUHm1C)
3. Copy the SAML settings from the **Single Sign-On (SSO)** section of Pynt's [User Management](https://app.pynt.io/dashboard/settings/users-management) page into the matching Okta fields (Okta field - value shown by Pynt):

   * **Single sign-on URL** - `Assertion Consumer Services (ACS) URL`
   * **Audience URI (SP Entity ID)** - `Audience`
   * **Name ID Format** - the format shown by Pynt
   * **Application Username** - the username source shown by Pynt

   ![](/files/JsIq5lb72yAqbj78OWqg)
4. Fill out the **Attribute Statements:**

   * `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` - `user.firstName`
   * `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` - `user.lastName`
   * `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` - `user.email`

   ![](/files/njIXqlETrpIRzhHtABC6)
5. In the **Feedback** screen, you can fill in the feedback form or skip it by clicking **Finish**.
6. In the new app's **Sign On** tab, open the **Metadata URL** and save its contents as `metadata.xml` (or a similar name) on your computer; you'll send it to Pynt in Step 2.

   ![](/files/m917NWgHXpxrAYhAVtyg)![](/files/h94SydhKvAo1KL42YJbd)

### Create a Bookmark App

1. Go to Okta's Admin Console, then **Applications** > **Applications**. Click **Browse App Catalog**, search for **Bookmark App** and click **Add Integration**.

   <img src="/files/pO49bi3tDwVGf89jgoUy" alt="" data-size="original">
2. Choose an **Application Label** (e.g., **Pynt**) and enter `https://app.pynt.io/login` as the **URL**.

   ![](/files/jv4m1NApaEecNqs2piJk)

## Step 2: Set up SSO in Pynt

Email the `metadata.xml` file you saved in Step 1 to [support@pynt.io](mailto:support@pynt.io?subject=SSO+Setup) and ask Pynt to finalize the setup on their side.

If you want to restrict SSO logins to specific email domains for your organization (such as `@company.com`), include the list of those domains in your request.

## (Optional) Step 3: Assign roles to users

Pynt supports just-in-time role assignment: a user's Pynt role is taken from a `role` SAML attribute passed during login.

1. Go to **Directory** > **Profile Editor** and search for the **Pynt SAML** profile

   ![](/files/54Ozdget0aKO7v0yLDaG)
2. Add an attribute of type **string** with the enumerated values `user` and `admin`. Name its variable `role`; the attribute statement added below references it as `appuser.role` ![](/files/q6hUEHHAEeQkoPwtfaPW)
3. Once saved, open the **Pynt SAML** application page and click **Edit** on the *SAML Settings*

   &#x20;![](/files/gDKOhgg8uklv19UZ0c7A)
4. Click *Next* to reach the **Configure SAML** step. Under **Attribute Statements** add a new attribute named `role` that maps to `appuser.role` (the part after `appuser.` must match the variable name of the attribute you added to the profile). Continue through the wizard to save the changes.

   &#x20;<img src="/files/BRMxO4xr7VrGPqwFvx9Y" alt="" data-size="original">
5. When assigning users to the app, you can choose which role each user gets; users without an explicit role are assigned `user` in Pynt. Since Pynt takes the role from the assertion, anyone who can edit assignments for the Pynt SAML app in Okta can effectively grant Pynt admin rights, so keep that Okta permission limited.
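To make the attribute mapping concrete, here is the SP-side interpretation of an assertion configured as in Step 1, Step 2 and this step: the three claim attributes become the user's email and names, the optional allowed-domain list from Step 2 is enforced on the email, and the `role` attribute is validated against the two enumerated values with `user` as the default. This is an added example, not Pynt's implementation; the assertions are constructed inline and unsigned (the `exkEXAMPLE` issuer and the `company.com` addresses are placeholders), and a real SP must verify the XML signature against the IdP certificate before it reads any of these values.

```python
"""Interpret the attributes a Pynt-bound Okta assertion carries after Steps 1-3.

Added example, not Pynt's code: a stand-in for the SP-side logic that maps the
attribute statements configured in Step 1 to a user record, enforces the optional
allowed-domain list from Step 2 and applies the role default from Step 3.
Signature verification is deliberately out of scope here and must happen first.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ALLOWED_ROLES = {"user", "admin"}  # the enumerated values added to the profile in Step 3


def attribute_values(assertion_xml: str) -> dict:
    """Collect every Attribute in the AttributeStatement as name -> list of values."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def provision_user(assertion_xml: str, allowed_domains=None) -> dict:
    """Build the user record: email, names and a role that defaults to `user`."""
    attrs = attribute_values(assertion_xml)

    def single(name):
        values = attrs.get(name, [])
        if len(values) > 1:
            raise ValueError("attribute %s must be single-valued" % name)
        return values[0] if values else None

    email = single(CLAIMS + "emailaddress")
    if not email or "@" not in email:
        raise ValueError("emailaddress attribute missing or malformed")
    domain = email.rsplit("@", 1)[1].lower()
    if allowed_domains:  # Step 2: optional list of permitted email domains
        allowed = {d.lstrip("@").lower() for d in allowed_domains}
        if domain not in allowed:
            raise PermissionError("%s is not an allowed domain" % domain)

    role = single("role") or "user"  # Step 3: users without an explicit role become `user`
    if role not in ALLOWED_ROLES:  # reject anything outside the enumerated profile values
        raise ValueError("unexpected role value %r" % role)

    return {
        "email": email,
        "first_name": single(CLAIMS + "givenname"),
        "last_name": single(CLAIMS + "surname"),
        "role": role,
    }


def build_assertion(email, first, last, role=None) -> str:
    """Constructed, unsigned sample assertion with the attribute statements from Step 1 (and Step 3)."""
    attrs = [(CLAIMS + "givenname", first), (CLAIMS + "surname", last), (CLAIMS + "emailaddress", email)]
    if role is not None:
        attrs.append(("role", role))
    statements = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (escape(name), escape(value))
        for name, value in attrs
    )
    return (
        '<saml:Assertion xmlns:saml="%s" Version="2.0">' % NS["saml"]
        + "<saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>"  # placeholder IdP entityID
        + '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        + escape(email) + "</saml:NameID></saml:Subject>"
        + "<saml:AttributeStatement>" + statements + "</saml:AttributeStatement>"
        + "</saml:Assertion>"
    )


if __name__ == "__main__":
    print(provision_user(build_assertion("alice@company.com", "Alice", "Example", "admin"), ["@company.com"]))
    print(provision_user(build_assertion("bob@company.com", "Bob", "Example")))
```

The two failure paths are the ones worth keeping in mind when debugging a login: an email outside the domain list you gave Pynt support is refused even though Okta authenticated the user, and a `role` value other than `user` or `admin` (for example a typo in a manually assigned value) is an error rather than a silent downgrade.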

## Step 4: Assign users to the Pynt application in Okta

Because this setup includes both a hidden SAML application and a visible Bookmark app, the easiest approach is to create a new Okta group for Pynt users, assign both apps to that group, and then add users to the group as needed. Assigning only the Bookmark app gives a user a link but no SAML login; assigning only the SAML app gives a login that the user cannot find from their Okta dashboard.

Read more about user management in [Okta's documentation](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-people.htm).

<figure><img src="/files/Xof7MrmngEabFjjWFZw6" alt=""><figcaption><p>How your employees will see the bookmark</p></figcaption></figure>

