Okta SSO

This guide walks you through connecting Okta to Peerdom for single sign-on and automatic user sync. The setup has two parts: a SAML application for login and an API Services application for sync. You need admin access to the Okta Admin Console to complete these steps.

Before you begin, review the SSO overview to understand how Peerdom handles user provisioning, daily sync, and login behavior.

Part 1: SAML application (login)

Step 1: Create a Peerdom user group

Create a new group in Okta (Directory > Groups) and assign every user who should have access to Peerdom. Note the Group ID for later: it appears in the browser URL when you open the group and begins with 00g.

Step 2: Create the SAML application

Navigate to Applications > Applications and create a new application. Select SAML 2.0 as the type. Name the application Peerdom Login (or a name of your choice).

Step 3: Configure SAML settings

Enter the following values:

  • Single Sign On URL: https://backend.peerdom.org/auth/saml/return
  • Audience URI: provided by Peerdom support
  • Name ID format: EmailAddress
  • Application username: Okta Username

Step 4: Download the certificate

After creating the application, go to the Sign On tab. Download the SHA-2 certificate from the Certificates section. This is the certificate Okta signs SAML responses with; Peerdom needs it to verify logins, which is why it is on the list of items to send to support.

Part 2: API Services application (sync)

Step 5: Create the API Services application

Navigate to Applications > Applications and create a new application of type API Services. Name it Peerdom Sync. Note the Application (Client) ID shown on the General tab; it begins with 0oa.

Step 6: Disable Proof of Possession

On the application's General tab, make sure the option Require Demonstrating Proof of Possession (DPoP) header in token requests is turned off. If it is left on, Okta rejects token requests that do not carry a DPoP proof, and the sync fails.

Step 7: Set up credentials

Under Client Credentials, click Edit and change Client authentication to Public key / Private key. Click Add Key, then Generate New Key. Copy the JSON shown at the bottom of the dialog and save it before closing: this is the private key of the pair (a JWK with the fields kty, kid, n, e and d, among others), which the rest of this guide calls the JSON certificate. Okta keeps only the public half, so the private key cannot be retrieved or regenerated once the dialog is closed; if it is lost, you have to generate a new key. Treat it like a password: keep it in a secrets manager or password vault rather than a shared drive or ticket, because anyone holding it together with the Client ID can request tokens for this application.

Step 8: Grant API scopes

Navigate to the Okta API Scopes tab. Search for and grant the following scopes:

  • okta.users.read
  • okta.groups.read

Step 9: Assign the admin role

Navigate to the Admin Roles tab. Click Edit Assignments and select Read-only Administrator. Save the changes. Together with the two read scopes from Step 8, this lets the sync client read users and groups across the org but change nothing; do not assign a broader role.
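Before handing the credentials to support, you can check that Steps 5 to 9 produced a working client. The following Python is an added example, not Peerdom's or Okta's code: it builds the RS256-signed client assertion that an Okta API Services application presents to the org token endpoint (the private_key_jwt method that the Public key / Private key setting in Step 7 selects), the form body of the client_credentials grant with the two scopes from Step 8, and two online helpers that request a token and list the members of the Peerdom group from Step 1 (readable thanks to the Read-only Administrator role from Step 9). It uses only the standard library, so the RSA signing is written out by hand. The function and parameter names, the client ID 0oaEXAMPLE, the domain yourcompany.okta.com and generate_demo_jwk (a throwaway key so the offline part runs without a tenant) are assumptions for illustration; with a real tenant, load the JSON saved in Step 7 instead.

```python
import base64, hashlib, json, random, time, urllib.parse, urllib.request, uuid

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, 9.2 note 1); RS256 = RSASSA-PKCS1-v1_5 over SHA-256.
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
PEERDOM_SCOPES = ("okta.users.read", "okta.groups.read")  # the two scopes granted in Step 8

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_to_int(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")

def int_to_b64url(value: int) -> str:
    return b64url_encode(value.to_bytes((value.bit_length() + 7) // 8, "big"))

def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message): 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("RSA modulus too small for RS256")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(jwk: dict, message: bytes) -> bytes:
    """Sign with the private exponent d from the JWK that Okta displayed in Step 7."""
    n, d = b64url_to_int(jwk["n"]), b64url_to_int(jwk["d"])
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(jwk: dict, message: bytes, signature: bytes) -> bool:
    """Verify with the public part (n, e) only, which is all Okta keeps of the key."""
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    return pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big") == emsa_pkcs1_v15(message, k)

def build_client_assertion(jwk: dict, client_id: str, okta_domain: str, now=None, lifetime: int = 300) -> str:
    """private_key_jwt assertion: iss and sub are the Client ID, aud is the org token endpoint,
    exp is short-lived and jti is unique, so a captured assertion is of little use to an attacker."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": jwk["kid"]}
    claims = {"iss": client_id, "sub": client_id, "aud": f"https://{okta_domain}/oauth2/v1/token",
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url_encode(rs256_sign(jwk, signing_input.encode("ascii")))

def token_request_body(assertion: str, scopes=PEERDOM_SCOPES) -> bytes:
    """Form body of the client_credentials grant; no client_secret exists with this auth method."""
    return urllib.parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes),
                                   "client_assertion_type": CLIENT_ASSERTION_TYPE,
                                   "client_assertion": assertion}).encode("ascii")

def request_token(okta_domain: str, body: bytes) -> dict:
    """Online step: POST the grant to the org authorization server's token endpoint."""
    req = urllib.request.Request(f"https://{okta_domain}/oauth2/v1/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def list_group_logins(okta_domain: str, access_token: str, group_id: str) -> list:
    """Online step: read the Peerdom group's members (first page only). Read scopes only, so it changes nothing."""
    req = urllib.request.Request(f"https://{okta_domain}/api/v1/groups/{group_id}/users",
                                 headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return [user["profile"]["login"] for user in json.load(resp)]

def generate_demo_jwk(bits: int = 1024, seed: int = 1) -> dict:
    """Assumed helper: a throwaway RSA key in the JWK shape Okta shows (kty, kid, n, e, d), for
    offline testing only. Never register a demo key with a live tenant."""
    rng = random.Random(seed)
    def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin
        if n < 4 or n % 2 == 0:
            return n in (2, 3)
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(rounds):
            x = pow(rng.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                return False
        return True
    def random_prime(nbits: int) -> int:
        while True:
            candidate = rng.getrandbits(nbits) | (1 << (nbits - 1)) | 1
            if is_probable_prime(candidate):
                return candidate
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return {"kty": "RSA", "kid": "demo-key", "n": int_to_b64url(p * q),
            "e": int_to_b64url(e), "d": int_to_b64url(pow(e, -1, phi))}
```

Against a real tenant: jwk = json.load(open(path_to_saved_key)), then token = request_token(domain, token_request_body(build_client_assertion(jwk, client_id, domain))), and list_group_logins(domain, token["access_token"], group_id) should return the logins of the users you assigned in Step 1. An OAuth error such as invalid_client or invalid_scope points back at Steps 6 to 8, and a 403 from the groups endpoint at Step 9. Read the key from a secrets manager rather than a file in a repository; it is the same secret you are about to hand to Peerdom.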

Send credentials to Peerdom

Contact Peerdom support with the following information. Item 6 is a private key and item 5 identifies the application it belongs to, so send them through a channel agreed with Peerdom support (a secure file transfer or an encrypted message, not plain email or an open ticket thread):

  1. Okta domain (for example, yourcompany.okta.com)
  2. Group ID for Peerdom users
  3. SAML Sign On URL from the Peerdom Login application
  4. SHA-2 certificate file
  5. Application (Client) ID from the Peerdom Sync application
  6. JSON certificate (the private key) from the key generation step

Peerdom support will complete the connection and confirm that both login and sync are working.

Once SSO is active, synced users appear in the Directory app. Synced fields are greyed out and can only be changed in Okta.