Okta SSO Integration
Set up Single Sign-On (SSO) and user provisioning with Okta and Courier.
Prerequisites
- Admin access to your Okta account
- The following from Courier Support:
- Single Sign-On (SSO) URL
- Audience URI (SP Entity ID)
- SCIM Endpoint URL and Bearer Token (if using provisioning)
- (optional) Bookmark URL
Configure SAML SSO
Create the Integration
- Navigate to Applications → Applications in Okta
- Click Create App Integration
- Configure basic settings:
- Sign-in method: Select
SAML 2.0and click Next - App name: Enter
Courier - Logo: Courier Logo
- Sign-in method: Select
Configure SAML Settings
- Enter the credentials:
- Single Sign-On (SSO) URL: [from Courier Support]
- Audience URI (SP Entity ID): [from Courier Support]
- Add these Attribute Statements:
- Name:
id
Format:Unspecified
Value:user.id - Name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Format:Unspecified
Value:user.email
- Name:
- Complete setup:
- Select I'm an Okta customer adding an internal app
- Click Finish
- In the Sign On tab, find the Metadata URL and click Copy
- Send the Metadata URL to Courier Support
After Courier receives the metadata URL, we will configure the SSO integration on our end within 24 hours.
note
Remember to assign users to the app in Okta's Assignments tab.
Configure User Provisioning (SCIM)
info
SCIM provisioning automates user management between Okta and Courier.
Set Up SCIM Connection
- From your Courier App in Okta:
- Select the Provisioning tab
- Click Edit
- Enter SCIM settings:
- SCIM connector base URL:
[from Courier Support] - Unique identifier field:
userName - Authentication Mode:
HTTP Header - Bearer token:
[from Courier Support]
- SCIM connector base URL:
- Enable provisioning features:
- Push New Users
- Push Profile Updates
Enable User Management
-
In the To App section (refresh if not visible):
- Click Edit
- Enable:
- Create Users
- Update User Attributes
- Deactivate Users
-
Configure user roles:
- Navigate to Directory → Profile Editor
- Edit the Courier App profile
- Click Add Attribute
- Enter the following:
- Data type:
string - Display name:
Role - Variable name:
role - External name:
role - External namespace:
urn:ietf:params:scim:schemas:core:2.0:User - Description:
Courier Role
- Data type:
-
Enable Define enumerated list of values and
-
Enter the following Attribute Members:
| Role | System Value |
|---|---|
Admin | ADMINISTRATOR |
Manager | MANAGER |
Developer | DEVELOPER |
Designer | DESIGNER |
Support | SUPPORT_SPECIALIST |
Analyst | ANALYST |
- Enable Attribute required and click Save
warning
Existing users need manual role updates after enabling provisioning.
Create a Courier Bookmark App (Optional)
info
Contact Courier Support for the Bookmark URL before proceeding.
- In Okta admin panel:
- Click Browse App Catalog
- Search for Bookmark App
- Click Add
- Configure:
- App name:
Courier Login - URL: [From Courier Support]
- App name:
- Click Done
- Assign the app integration to the necessary users. See Assign app integrations.
Migrate Existing Users
- From Settings → Security:
- Ensure Require Google SSO is unchecked
- From Settings → Team:
- Remove users to be migrated
- Re-invite them through Okta
User Login Process
- Sign out of Courier
- Click the join button from the email invite
- Enter work email address
- Click continue
info
Users with Okta logins must use the email login process:
Troubleshooting
- If SCIM provisioning features aren't visible, wait 30 seconds and refresh
- For SSO issues, ensure email addresses match between Okta and Courier
- Contact Courier Support for configuration assistance.