Set Up SSO with Okta
This feature is only available on the Team and Enterprise Plans. Please contact Sales before doing these steps.
Looking for docs on how to add Single Sign-On support in your Supabase project? Head on over to Single Sign-On with SAML 2.0 for Projects.
Supabase supports single sign-on (SSO) using Okta.
Step 1: Choose Create App Integration in the Applications dashboard
Navigate to the Applications dashboard of the Okta admin console. Click Create App Integration.
Step 2: Choose SAML 2.0 in the app integration dialog
Supabase supports the SAML 2.0 SSO protocol. Choose it from the Create a new app integration dialog.
Step 3: Fill out General Settings
The information you enter here is for visibility into your Okta applications menu. You can choose any values you like. Supabase as a name works well for most use cases.
Step 4: Fill out SAML Settings
These settings let Supabase use SAML 2.0 properly with your Okta application. Make sure you enter this information exactly as shown on in this table and screenshot.
| Setting | Value |
|---|---|
| Single sign-on URL | https://alt.supabase.io/auth/v1/sso/saml/acs |
| Use this for Recipient URL and Destination URL | ✔️ |
| Audience URI (SP Entity ID) | https://alt.supabase.io/auth/v1/sso/saml/metadata |
| Default RelayState | https://supabase.com/dashboard |
| Name ID format | EmailAddress |
| Application username | |
| Update application username on | Create and update |
Step 5: Fill out Attribute Statements
Attribute Statements allow Supabase to get information about your Okta users on each login.
A email to user.email statement is required. Other mappings shown below are optional and configurable depending on your Okta setup. If in doubt, replicate the same config as shown.
Please share any changes, if any, from this screen with your Supabase support contact.
Step 6: Obtain IdP metadata URL
Supabase needs to finalize enabling single sign-on with your Okta application.
To do this scroll down to the SAML Signing Certificates section on the Sign On tab of the Supabase application. Pick the the SHA-2 row with an Active status. Click on the Actions dropdown button and then on the View IdP Metadata.
This will open up the SAML 2.0 Metadata XML file in a new tab in your browser. Copy this URL and send it to your support contact and await further instructions. If you're not clear who to send this link to or need further assistance, contact Supabase Support.
The link usually has this structure: https://<okta-org>.okta.com/apps/<app-id>/sso/saml/metadata
Step 7: Wait for confirmation
Once you’ve configured the Okta app as shown above, make sure you send the metadata URL and information regarding the attribute statements (if any changes are applicable) to your support contact at Supabase.
Wait for confirmation that this information has successfully been added to Supabase. It usually takes us 1 business day to configure this information for you.
Step 8: Test single sign-on
Once you’ve received confirmation from your support contact at Supabase that SSO setup has been completed for your enterprise, you can ask some of your users to sign in via their Okta account.
You ask them to enter their email address on the Sign in with SSO page.
If sign in is not working correctly, please reach out to your support contact at Supabase for further guidance.