# Okta SAML SSO
source: https://docs.chalk.ai/docs/okta-saml

## Setting up Okta to work with Chalk

Chalk is capable of using standard SSO providers like Google and GitHub for SSO authentication.
For companies that use Okta, additional configuration is required.

### Supported Features

- IDP-initiated Single Sign-On, initiated via Okta
- SP-initiated Single Sign-On, initiated from Chalk
- Push group and user provisioning via SCIM, initiated from Okta

### Requirements

- Configure a custom SAML app in Okta's dashboard
- Send configuration parameters to Chalk support

### Customers with Self-Hosted Web Dashboards

For customers whose self-hosted deployments include a full API server and frontend deployment via helm,
this page is only part of the setup needed to configure SAML. After completing this guide, please refer to
the Cloud Auth documentation to complete setup.

If your chalk web dashboard is not https://chalk.ai, some the values below will vary:

- Single Sign On URL: Should start with your custom URL and not chalk.ai, but retain the same URL path
- Audience URI: This should start with your custom URL and not chalk.ai
- Chalk's SAML Certificate is regenerated for each custom web dashboard - if your team did not generate this themselves, contact Chalk for support

### Configure Okta

- Navigate to your Okta admin dashboard
- Choose "Create App Integration"Choose "SAML 2.0" for "Sign-in Method"Choose "Web Application" for "Application type"
- General SettingsName this application ("Chalk", for example)Upload the Chalk logo (download here).
- Configure SAMLSingle sign on URL: https://chalk.ai/api/auth/login/samlMake sure that "Use this for the Recipient URL and Destination URL" is checkedAudience URI: https://chalk.ai/api/saml/metadata.xmlDefault RelayState: Leave blankName ID Format: UnspecifiedApplication username: EmailUpdate application username: Create and updateShow advanced settingsChange "Assertion Encryption" to EncryptedUpload Chalk's SAML certificate (download here)Attribute Statementsgiven_nameName format: unspecifiedValue: user.firstNamelast_nameName format: unspecifiedValue: user.lastName
- FeedbackCheck "I'm an Okta customer adding an internal app"
- On the resulting page, click "View SAML Setup Instructions". You'll be presented with text boxes showing:Identity Provider Single Sign-On URLIdentity Provider IssuerX.509 Certificate
- Send all three values to Chalk support