Okta SSO and SCIM provisioning are available on the Enterprise plan. Contact Sales or Courier Support to get started.

How It Works

Okta SSO for Courier uses SAML 2.0 through AWS Cognito. Setup is a joint process between your team and Courier:
  1. You create a SAML 2.0 app in Okta using the values provided below.
  2. You send the SAML metadata URL and your email domain(s) to Courier Support.
  3. Courier configures the backend to recognize your identity provider and maps your domain(s) to Okta.
  4. You test SSO login and set up the bookmark app for your team.

Prerequisites

  • An Okta account with Admin privileges.
  • A list of users who will access Courier and their intended roles (e.g., Administrator, Developer, Designer, Analyst). You’ll assign these when provisioning users through Okta.
  • Contact Courier Support before starting so your backend configuration can be coordinated with the steps below.

Create the App Integration in Okta

1. Open the Applications page

Navigate to the Applications > Applications section of the Okta admin panel and hit the “Create App Integration” button.

2. Select SAML 2.0

Select SAML 2.0 as the sign-in method and hit “Next”.

3. Name your app

Enter Courier as the app name and optionally provide the Courier logo, then click “Next”.
You can optionally upload the Courier logo. Download it here.

4. Enter SAML settings

Enter the following values in their respective fields under SAML settings:
  • Single sign-on URL: https://courier.auth.us-east-1.amazoncognito.com/saml2/idpresponse
  • Audience URI (SP Entity ID): urn:amazon:cognito:sp:us-east-1_ptbRzqiLw

5. Configure attribute statements

In the Attribute Statements section, enter the following information:
| Name | Name Format | Value |
| --- | --- | --- |
| id | Unspecified | user.id |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Unspecified | user.email |

6. Finish the app creation

Hit “Next”, then under “Application Feedback” select “I’m an Okta customer adding an internal app” and hit “Finish”.

7. Send the Metadata URL to Courier

From the “Sign On” tab of the new Courier application integration, find the Metadata URL. Copy the link address and send it to your Courier Support contact.

8. Confirm your email domains

Along with the metadata URL, confirm which email domain(s) should route through Okta (e.g., yourcompany.com). If your organization uses multiple domains, list all of them.
That’s all you need for Okta sign-in. Assign users from the Assignments tab of the Courier app integration in Okta.
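
To confirm the SAML settings and attribute statements above during a test login, the following added example (not part of Courier's documentation or code) checks a decoded assertion against the values on this page. It assumes you have captured the assertion XML yourself, for instance with a browser SAML tracing tool; the sample assertion, user id and `allowed_domains` are constructed, and the script checks configuration only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://courier.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
AUDIENCE = "urn:amazon:cognito:sp:us-east-1_ptbRzqiLw"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion (not real Okta output); signature omitted.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="id"><saml:AttributeValue>00u1example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>dev@yourcompany.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, allowed_domains):
    """Return a list of configuration problems found in a decoded assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    # Recipient must be the Single sign-on URL entered in step 4.
    recipients = [e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("Recipient does not match the Single sign-on URL")
    # Audience must be exactly the SP Entity ID entered in step 4.
    audiences = [(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)]
    if audiences != [AUDIENCE]:
        problems.append("Audience does not match the SP Entity ID")
    # Both attribute statements from step 5 must be present with a value.
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    if not any(attrs.get("id", [])):
        problems.append("missing attribute: id")
    emails = [e for e in attrs.get(EMAIL_CLAIM, []) if e]
    if not emails:
        problems.append("missing attribute: emailaddress claim")
    for email in emails:
        if email.rsplit("@", 1)[-1].lower() not in allowed_domains:
            problems.append(f"email domain not in the list sent to Courier: {email}")
    return problems
```

An empty list means the assertion carries the Recipient, Audience and attributes this page specifies, with an email domain you confirmed in step 8.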

Creating a Courier Bookmark App

Courier does not support IdP-initiated login, so users cannot launch Courier by clicking an app tile in Okta. Instead, create a bookmark app that points to your SSO login URL. Once Courier Support has configured your SSO backend, your bookmark URL will follow this pattern (replace YOUR_PROVIDER_NAME with the provider name Courier gives you):
https://courier.auth.us-east-1.amazoncognito.com/oauth2/authorize?response_type=token&identity_provider=YOUR_PROVIDER_NAME&client_id=5f4fmec2qnuscp89qbt8nsuftj&redirect_uri=https%3A%2F%2Fapp.courier.com%2Flogin%2Fcallback&scope=aws.cognito.signin.user.admin%20email%20openid%20profile
Courier Support will provide your specific provider name (e.g., OktaYourCompany) and the complete bookmark URL after backend configuration is complete.

1. Open the Okta admin panel

Log in to the Okta admin panel as an Admin and go to Applications > Applications.

2. Add a Bookmark App

Click Browse App Catalog, search for Bookmark App, select it, and click Add.

3. Configure the bookmark

Enter an app name (e.g. Courier Login) and paste the bookmark URL from Courier Support into the URL field.

4. Save and assign

Click Save, then assign the app to users to test.
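
Because every assigned user will follow the bookmark link, it is worth checking the URL against the documented pattern before pasting it into Okta. The following is an added example (not Courier's code) that flags a mistyped or altered link; the fixed values come from the pattern on this page, and `SAMPLE_URL` is constructed using the page's example provider name.

```python
from urllib.parse import parse_qs, urlsplit

HOST = "courier.auth.us-east-1.amazoncognito.com"
FIXED = {  # values taken from the URL pattern on this page
    "response_type": "token",
    "client_id": "5f4fmec2qnuscp89qbt8nsuftj",
    "redirect_uri": "https://app.courier.com/login/callback",
}
SCOPES = {"aws.cognito.signin.user.admin", "email", "openid", "profile"}

# Constructed sample: the page's pattern with the example provider name filled in.
SAMPLE_URL = (
    f"https://{HOST}/oauth2/authorize?response_type=token"
    "&identity_provider=OktaYourCompany&client_id=5f4fmec2qnuscp89qbt8nsuftj"
    "&redirect_uri=https%3A%2F%2Fapp.courier.com%2Flogin%2Fcallback"
    "&scope=aws.cognito.signin.user.admin%20email%20openid%20profile"
)

def check_bookmark_url(url):
    """Return a list of deviations from the documented bookmark URL pattern."""
    parts = urlsplit(url)
    problems = []
    # Comparing the whole netloc also rejects userinfo ("host@other") and ports.
    if parts.scheme != "https" or parts.netloc.lower() != HOST:
        problems.append("scheme or host differs from the Cognito domain")
    if parts.path != "/oauth2/authorize":
        problems.append("path is not /oauth2/authorize")
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for key, expected in FIXED.items():
        if query.get(key) != [expected]:  # also catches duplicated parameters
            problems.append(f"{key} is missing, duplicated, or altered")
    provider = query.get("identity_provider", [])
    if len(provider) != 1 or provider[0] in ("", "YOUR_PROVIDER_NAME"):
        problems.append("identity_provider is missing or still the placeholder")
    scope = query.get("scope", [])
    if len(scope) != 1 or set(scope[0].split()) != SCOPES:
        problems.append("scope list differs from the documented scopes")
    extra = set(query) - set(FIXED) - {"identity_provider", "scope"}
    if extra:
        problems.append(f"unexpected parameters: {sorted(extra)}")
    return problems
```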

Migrating Users to Okta

Enabling Okta SSO does not automatically switch existing users to Okta. Users who signed up with email or Google will continue using their original login method until they are re-invited. To migrate them:

1. Check Google SSO settings

From the Settings > Team page in Courier, confirm that “Require Google SSO” is not checked.

2. Re-invite users

Remove and re-invite any users who should sign in with Okta.
If SCIM provisioning is enabled, the manual “Invite User” button is hidden in Courier. Migration must go through Okta app assignments — assign the user in Okta, and SCIM will send them a new invite automatically.

Accepting an Okta Invitation

1. Sign out of Courier

Sign out of any existing Courier session.

2. Open the invite

Click the “join” button from the email invite.

3. Enter your work email

Enter your work email (the email address your invite was sent to) and hit continue.
Users with Okta logins to Courier must use the email login process.

User Provisioning with Okta SCIM v2

1. Get SCIM credentials

Contact Courier support for a SCIM endpoint URL and bearer token.

2. Open provisioning settings

Navigate to the Courier App from the Okta admin panel, go to the provisioning tab, and click “Edit”.

3. Configure the SCIM connector

Enter the following settings:
  • SCIM connector base URL: the URL provided by Courier
  • Unique identifier field for users: userName
  • Supported provisioning actions: check “Push New Users” and “Push Profile Updates”
  • Authentication Mode: HTTP Header
  • Bearer token: the token provided by Courier
Hit “Save”.

4. Enable provisioning to app

After 30 seconds the provisioning tab should have a “To App” section on the left. If it doesn’t, try refreshing the page. Once it appears, select it and hit the “Edit” button. Check “Create Users”, “Update User Attributes”, and “Deactivate Users”, then hit save.

5. Open the Profile Editor

Using the side menu, navigate to Directory > Profile Editor and hit the edit profile button of the Courier App.

6. Add the role attribute

Hit the “Add Attribute” button and enter the following values:
  • Data type: string
  • Display name: Role
  • Variable name: role
  • External name: role
  • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
  • Description: Courier Role

7. Define role values

Check the “Define enumerated list of values” checkbox and enter the following values:
  • Display Name: Admin, Value: ADMINISTRATOR
  • Display Name: Manager, Value: MANAGER
  • Display Name: Developer, Value: DEVELOPER
  • Display Name: Designer, Value: DESIGNER
  • Display Name: Support, Value: SUPPORT_SPECIALIST
  • Display Name: Analyst, Value: ANALYST
Check the “Attribute required” checkbox and hit “save”.
If the role attribute is not set on a user’s Okta app assignment, they default to the Analyst role, which has the lowest permission level. Set a sensible default (e.g., DEVELOPER) in the Profile Editor and override only for administrators and managers.
If users were already assigned to the Courier app before you set up provisioning, edit their assignment and update their role.
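
Since role values now drive access in Courier, a periodic review of the app's assignments helps keep Administrator and Manager limited to the people who need them. The following is an added example (not Courier's or Okta's code) that audits a list of assignments against the enumerated values above; the `userName`/`role` record shape, the sample records and the approved list are assumptions constructed for illustration.

```python
# Enumerated role values from the Profile Editor step (display name -> value).
ROLES = {
    "Admin": "ADMINISTRATOR", "Manager": "MANAGER", "Developer": "DEVELOPER",
    "Designer": "DESIGNER", "Support": "SUPPORT_SPECIALIST", "Analyst": "ANALYST",
}
PRIVILEGED = {"ADMINISTRATOR", "MANAGER"}

# Constructed sample records; the userName/role shape is an assumption.
SAMPLE_ASSIGNMENTS = [
    {"userName": "ana@yourcompany.com", "role": "ADMINISTRATOR"},
    {"userName": "dev@yourcompany.com", "role": "DEVELOPER"},
    {"userName": "sam@yourcompany.com", "role": "Admin"},
    {"userName": "kim@yourcompany.com", "role": "MANAGER"},
    {"userName": "lee@yourcompany.com"},
]

def audit_roles(assignments, approved_privileged):
    """Return (userName, finding) pairs for assignments that need attention."""
    findings = []
    for record in assignments:
        user = record["userName"]
        role = (record.get("role") or "").strip()
        if not role:
            # Per this page, an unset role falls back to Analyst in Courier.
            findings.append((user, "role unset: falls back to Analyst"))
        elif role not in ROLES.values():
            # Common slip: the display name was entered instead of the value.
            fix = ROLES.get(role) or ROLES.get(role.title())
            hint = f"; use value {fix}" if fix else ""
            findings.append((user, f"'{role}' is not an enumerated value{hint}"))
        elif role in PRIVILEGED and user.lower() not in approved_privileged:
            findings.append((user, f"{role} held by a user not on the approved list"))
    return findings
```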

Finalizing User Provisioning

  • Changes to user assignments in the Courier Okta app will automatically be reflected in the Courier Workspace.
  • Users will receive an invite via email to Courier when added.
  • Users are automatically removed from the Courier Workspace when no longer assigned in Okta.

Troubleshooting

| Symptom | Cause | Fix |
| --- | --- | --- |
| “You must be signed in with an SSO provider” message in Courier | You’re logged in via email or Google, not Okta SSO. The SSO management page only appears for SSO-authenticated sessions. | Log out and sign in again through the Okta bookmark app or via email login flow. |
| All users showing as Analyst role | The role attribute is not set on their Okta app assignments. | Edit each user’s assignment in Okta and set the role value. Consider setting a default in the Profile Editor. |
| Workspace shows “Free plan” | This is a display artifact of the Analyst role’s reduced permissions. The actual plan is tied to the workspace, not the user. | Restore the user’s intended role (e.g., ADMINISTRATOR) via their Okta assignment. |
| Can’t click Courier tile in Okta to log in | Courier’s auth provider (AWS Cognito) does not support IdP-initiated login. | Use the bookmark app instead. |
| SCIM-provisioned users can’t accept invites | Invite verification codes expire after 14 days. If users don’t accept in time, subsequent SCIM syncs find stale invitation objects and skip re-sending. | Delete the stale invitation objects, then re-push users from Okta (remove and re-assign). Note: Okta group membership changes may not trigger SCIM events; use app-level assignment changes. |
| “Invite User” button missing in Courier | SCIM provisioning is enabled, which hides manual team management. | Manage users through Okta app assignments instead. |