Skip to main content

Set up SAML SSO with Okta

How to enable SSO on your Go1 platform using Okta

This guide helps Okta admins connect Go1 to Okta using SAML single sign-on (SSO).

Before you start

You will need:

  • Admin access to Okta.

  • Admin access to your Go1 portal.

  • Your Go1 portal URL.

  • Your Go1 portal ID.

  • A test learner account in Okta.

1. Create the SAML app integration

  1. Sign in to Okta Admin.

  2. Go to Applications.

  3. Select Create App Integration.

  4. Select SAML 2.0.

  5. Select Next.

  6. Enter a clear app name, such as Go1.

  7. Select Next.

2. Add Go1 SAML settings

In Configure SAML, add these values:

Okta field

Go1 value

Single sign-on URL

https://auth-go1-sso-user-pool-prod-1.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse

Audience URI (SP Entity ID)

urn:amazon:cognito:sp:ap-southeast-2_oZpTmvPtK

Default RelayState

identity_provider=saml-{customer portal id}&client_id=33hckk53i9d9hn55djs3j1hk5&scope=openid&response_type=code&redirect_uri=https://api.go1.co/sso/saml/cognito-callback/ap-southeast-2_oZpTmvPtK

Replace {customer portal id} with your Go1 portal ID.

Default RelayState is required if you want learners to start from Okta. If learners always start from the Go1 login page, you may not need IdP-initiated sign-in.

3. Add attribute statements

Add these attribute statements so Okta sends learner details to Go1:

Name

Name format

Value

https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Unspecified

user.email

https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Unspecified

user.firstName

https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Unspecified

user.lastName

https://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality

Unspecified

user.locale

4. Assign users or groups

Assign the Go1 application to the Okta users or groups who should be able to sign in to Go1. Use a small test group first.

5. Copy Okta details into Go1

In Okta, open the Sign On tab for the Go1 app and review the SAML setup details.

Copy these values into Go1:

Go1 field

Okta value

Sign-in URL

Sign on URL

Entity ID

Issuer

X.509 certificate

Signing certificate

Logout URL

Single Logout URL, if configured

In Go1, use this field mapping

{   
"email": "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "family_name": "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "given_name": "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "locale": "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality"
}

If you configured Default RelayState and want learners to start from Okta, enable IdP-initiated SSO in Go1.

Leave encrypted SAML assertions off unless Go1 has provided an encryption certificate and your Okta setup has been configured to use it.

6. Test sign-in

  1. Sign in as a test learner assigned to the Go1 application.

  2. Confirm the learner can reach Go1.

  3. Confirm the learner's email, first name, and last name are correct.

  4. If you mapped locale, confirm the learner's platform language is set as expected.

If sign-in fails, check that Okta is sending every attribute that is mapped in Go1.

Did this answer your question?