This guide walks workspace owners through connecting Okta as a SAML identity provider for Retrac. SAML SSO is available on Enterprise plans.
Test in a staging Okta app before enforcing SSO on production users. Keep at least one break-glass owner account with a non-SSO recovery path.

Prerequisites

  • Okta admin access
  • Retrac workspace owner role
  • Enterprise plan with SAML enabled

Set up Okta SAML

Step 1: Open Retrac Security settings

In Retrac, go to Settings → Security and click to configure SAML Single Sign-On. Select Okta as your identity provider.

Step 2: Create a SAML app in Okta

In the Okta Admin Console, go to Applications → Create App Integration. Choose SAML 2.0, name the app Retrac, and continue.

Step 3: Enter Retrac SP details

From the Retrac SAML setup modal, copy the ACS URL and Entity ID. Enter them in Okta:
  • Single sign-on URL — Retrac ACS URL
  • Audience URI (SP Entity ID) — Retrac Entity ID
  • Name ID format — EmailAddress
  • Application username — Email

Step 4: Copy the metadata URL

After saving the Okta SAML app, Okta provides an Identity Provider metadata URL.
  1. In Okta, open the Sign On tab for the Retrac app.
  2. Under SAML 2.0, copy the Metadata URL (or download metadata XML).
  3. In Retrac Settings → Security, paste the metadata URL into the SAML configuration form.
  4. Save the configuration in Retrac.
Retrac uses this metadata to trust Okta’s signing certificate and SSO endpoint.

Step 5: Configure attribute statements

Ensure Okta sends an email attribute Retrac can use to identify the user:
Okta attribute | Retrac expects
-------------- | --------------
user.email     | Email address
Add optional firstName and lastName attributes if your Retrac setup maps display names.

Step 6: Assign users and test

Assign the Retrac app to Okta users or groups.
  1. Sign out of Retrac.
  2. On the login page, click Sign in with SAML, or use Okta dashboard SSO.
  3. Confirm you land in the correct workspace.
Use Okta’s View SAML setup instructions if you need to verify ACS URL and audience values side by side.

Remove SAML

Owners can disconnect SAML from Settings → Security. Coordinate with your IT team before removing production SSO. See Security documentation and Okta SCIM for user provisioning.