How to set up Single Sign-On (SSO) with Okta for Avoma

Avoma supports Single Sign-On (SSO) using Okta to help you manage access across your organization securely. You can configure SSO using either the OIDC or SAML 2.0 protocol, based on your organization’s preference.

This guide walks you through the steps to integrate Okta with Avoma using both options.

Once SSO is enabled, users will only be able to log in using SSO. Other login methods — including Google or Microsoft sign-in, will be disabled.

Prerequisites

Before you begin:

• You must be on the Organization plan or higher in Avoma
• You must have Admin privileges in Avoma to request SSO setup
• You must be an Admin in Okta to configure the integration
• Your users should be provisioned in Okta and assigned to the Avoma app
• You’ll need to share configuration values (Client ID, Secret, or Metadata) with Avoma Support or your Customer Success Manager

While we recommend Okta Open ID Connect (OIDC) as the preferred authentication protocol for SSO with Avoma, we also support SAML 2.0 authentication protocol. 

1. Setting up SSO for Avoma with Okta OIDC

2. Setting up SSO with Okta SAML 2.0

You can choose either ways to setup SSO. 

Option 1: Set up SSO using Okta with OIDC (Recommended)

If your organization uses Okta as its identity provider, we recommend setting up SSO with OpenID Connect (OIDC). This modern authentication protocol is fully supported by Avoma and offers enhanced security and performance.

The setup includes two steps:

1. Create an OIDC app in Okta
2. Share your configuration details with Avoma

Step 1: Create an OIDC app in Okta

1. Log in to your Okta account > Admin > Applications section.
   
   
   
   
2. Click on Create App Integration
   
   
3. Choose:
   
   • Sign-in method: OIDC – OpenID Connect
   • Application type: Web Application
     
   Click Next
   
   

4. In General Settings choose: 

   • App name: Avoma (OIDC)
   • Grant type: Authorization Code (with PKCE)
   
   
   
   
5. In the Login section,
   
   1. Enter https://app.avoma.com/okta/oidc in the Sign-in redirect URIs field.
      If you also use mobile app , Add additional URI  "com.avoma:/callback" in the Sign-in redirect URIs field
   2. Enter https://app.avoma.com/login in the Sign-out redirect URIs field
      
      
   
   
   
   
6. In the controlled access section, choose “Skip group assignment for now“
   
7. Click Save. A custom OIDC Okta app will be created. Continue to configure the app and assign users to it.
8. Make note of the Client credentials - Client ID and Client Secret.
9. Go back to the new app and  look for the LOGIN in the General tab.
10. In the “Login initiated by” section, select “Either Okta or app”.
11. For Application Visibility, select “Display application icon to users“
12. For Login flow, select Redirect to app to initiate login (OIDC Compliant).
13. For Initiate login URI, enter: https://app.avoma.com/oidc/login
    
14. Click Save.
15. Click the Sign On tab and go to the Open ID Connect ID Token section.
16. For the Issuer URL, select Okta URL. Make a note of it. The URL usually appears in the following format: https://<companyname>.okta.com.
    
    
17. Now go to the Assignments tab and assign the app users and/or groups that should have access to Avoma.
    

Step 2: Share your OIDC details with Avoma

Currently, Avoma sets up an SSO on your behalf for your organization. Please contact Avoma Support or your Customer Success Manager and provide the following details:

1. Client ID
2. Client Secret
3. Issuer URL

Once Avoma has configured SSO for you, you will receive a confirmation. Avoma will also terminate the existing sessions for all your users so that they can freshly log in using SSO.

Your users can then start using the SSO option on the Avoma login screen to access their accounts. 

Option 2: Setting up SSO with Okta SAML 2.0

Setting up SSO for Avoma with Okta SAML is a two step process.

1. Create an Avoma app in Okta with SAML 2.0 option
2. Provide details to set up Okta SAML SSO in Avoma.

Step 1 : Create an Avoma app in Okta with SAML 2.0 option

1. Log in to your Okta account > Admin > Applications section.
   
2. Click on Create App Integration
   
3. Select "SAML 2.0" as the Sign-In Method and "Web Application" as the Application Type. Then click on the "Next" button.
   
4. Enter the App Name on the next screen and hit Next. 
   
5. In the SAML settings section , enter "https://prod-api.avoma.com/saml2/acs" in the Single sign-on URL and enable the checkbox . 
6. In the Audience URI and Default Relay state enter "https://app.avoma.com" . 
7. Select "Email Address" for the Name ID format  ,
8. Select "Email" for Application User Name
9. Select  "Create and Update" for Update Application Username on setting. 
   
10. In the Attribute Statements section, enter values as shown below
    
11. Scroll down to click Next.
12. Select "It's required to contact vendor to enable SAML" and click Finish. 
    
    
    
13. Your SAML app creation is complete. You will be shown a screen with details about the Metadata URL and Issuer. Copy the Metadata URL and Issuer. 
    
    
14. Now go to the Assignments tab and assign the app users and/or groups that should have access to Avoma.
    
    
    
15. SAML Settings should look like this when you click on the "General" Tab in the UI
    

Step 2: Provide details to set up Okta SAML SSO in Avoma

Currently, Avoma sets up an SSO on your behalf for your organization. Please contact Avoma Support or your Customer Success Manager and provide the following details:

• Metadata URL copied in Step 1
• Issuer copied in Step 1

Once Avoma has configured SSO for you, you will receive a confirmation. Avoma will also terminate the existing sessions for all your users so that they can freshly log in using SSO.

Your users can then start using the SSO option on the Avoma login screen to access their accounts.