What you’ll need
- Okta admin dashboard access
- Deeto vendor admin access
- Your Deeto
integrationId(obtained in Step 1 below)
Step 1 — Create the integration in Deeto
Before configuring Okta, create a placeholder integration in Deeto to obtain theintegrationId. This ID is required to build the ACS URL you’ll paste into Okta.
Contact your Deeto Customer Success Manager or support@deeto.ai to have this created. You’ll receive an integrationId (a UUID) in return.
Save your
integrationId — you’ll need it to construct the ACS URL and Audience URI in the next steps.Step 2 — Create a SAML app in Okta
1
Start the app wizard
Log in to your Okta Admin Console. Go to Applications → Applications → Create App Integration. Select SAML 2.0 and click Next.
2
General Settings
Enter Deeto SSO (or any descriptive name) as the app name. Optionally upload the Deeto logo. Click Next.
3
Configure SAML tab
Fill in the following fields:
Replace
{integrationId} with the UUID provided by Deeto.4
Configure SAML signing settings
Click Show Advanced Settings and set:
5
Add attribute statements (recommended)
Add the following attributes so Okta sends the user’s name alongside authentication:
Deeto uses NameID (email) for user lookup — attribute statements are not required for authentication to work, but are recommended for profile completeness.
6
Finish
Click Next. On the Feedback page, select “I’m an Okta customer adding an internal app” and click Finish.
Step 3 — Get the Okta metadata URL
After saving the app in Okta:- Go to the Sign On tab of the Deeto SSO app
- Scroll to SAML Signing Certificates and click View IdP metadata, OR click More details and copy the Metadata URL
Step 4 — Send metadata to Deeto
Send your Okta metadata URL to Deeto so the integration can be finalized:- Copy the metadata URL from Step 3
- Send it to your Deeto CSM or email it to support@deeto.ai
Step 5 — Assign users in Okta
In the Okta app, go to the Assignments tab. Click Assign → Assign to People (or Assign to Groups for group-based access). Add the users who should authenticate into Deeto via SSO.Only users who are both assigned in Okta and have an existing Deeto account with a matching email address will be able to authenticate.
Step 6 — Test the login
Once Deeto confirms the integration is active:- Log into Okta as a test user
- Click the Deeto SSO app tile on the Okta dashboard
- You should be redirected to Deeto and logged in automatically
Certificate rotation
Okta rotates signing certificates periodically. When this happens, SAML authentication will fail until the certificate is updated in Deeto. When you see authentication errors after a certificate rotation:- In Okta: go to Sign On → SAML Signing Certificates to confirm the new active certificate
- Send the updated metadata URL to support@deeto.ai
- Deeto will update the integration — no downtime required beyond the time to process the update
Troubleshooting
errors.access_denied immediately on login
errors.access_denied immediately on login
The IdP certificate or issuer value doesn’t match what Deeto has on file. Ask Deeto to re-parse your metadata URL and update the integration.
errors.access_denied after certificate appears correct
errors.access_denied after certificate appears correct
The authenticating user’s email address doesn’t exist in Deeto. Create the user account in Deeto first, then retry.
SAML signature validation failed
SAML signature validation failed
Okta’s signing certificate was rotated. Follow the certificate rotation steps above.
Redirect loop after login
Redirect loop after login
The ACS URL in Okta doesn’t match the
integrationId. Re-check the Single Sign-On URL in the Okta app matches exactly: https://api.deeto.ai/v2/sso/integration/saml/{integrationId}/acs.NameID format error
NameID format error
Okta is sending a persistent or transient NameID instead of email. Ensure Name ID format is set to
EmailAddress in the Okta SAML configuration tab.Assertion not signed
Assertion not signed
Ensure Assertion Signature is set to Signed in the Advanced Settings section of the Okta SAML configuration.