Set Up SSO with Okta

This feature is only available on the Team and Enterprise Plans. If you are an existing Team or Enterprise Plan customer, continue with the setup below.

Looking for docs on how to add Single Sign-On support in your Supabase project? Head on over to Single Sign-On with SAML 2.0 for Projects.

Supabase supports single sign-on (SSO) using Okta.

Step 1: Choose to create an app integration in the applications dashboard

Navigate to the Applications dashboard of the Okta admin console. Click Create App Integration.

Okta dashboard: Create App Integration button

Step 2: Choose SAML 2.0 in the app integration dialog

Supabase supports the SAML 2.0 SSO protocol. Choose it from the Create a new app integration dialog.

Okta dashboard: Create new app integration dialog

Step 3: Fill out general settings

The information you enter here is for visibility into your Okta applications menu. You can choose any values you like. Supabase as a name works well for most use cases.

Okta dashboard: Create SAML Integration wizard

Step 4: Fill out SAML settings

These settings let Supabase use SAML 2.0 properly with your Okta application. Make sure you enter this information exactly as shown on in this table.

Setting	Value
Single sign-on URL	`https://alt.supabase.io/auth/v1/sso/saml/acs`
Use this for Recipient URL and Destination URL	✔️
Audience URI (SP Entity ID)	`https://alt.supabase.io/auth/v1/sso/saml/metadata`
Default `RelayState`	`https://supabase.com/dashboard`
Name ID format	`EmailAddress`
Application username	Email
Update application username on	Create and update

Okta dashboard: Create SAML Integration wizard, Configure SAML step

Step 5: Fill out attribute statements

Attribute Statements allow Supabase to get information about your Okta users on each login.

A email to user.email statement is required. Other mappings shown below are optional and configurable depending on your Okta setup. If in doubt, replicate the same config as shown. You will use this mapping later in Step 10.

Okta dashboard: Attribute Statements configuration screen

Step 6: Obtain IdP metadata URL

Supabase needs to finalize enabling single sign-on with your Okta application.

To do this scroll down to the SAML Signing Certificates section on the Sign On tab of the Supabase application. Pick the the SHA-2 row with an Active status. Click on the Actions dropdown button and then on the View IdP Metadata.

This will open up the SAML 2.0 Metadata XML file in a new tab in your browser. You will need to enter this URL later in Step 9.

The link usually has this structure: https://<okta-org>.okta.com/apps/<app-id>/sso/saml/metadata

Okta dashboard: SAML Signing Certificates, Actions button highlighted

Step 7: Enable SSO in the Dashboard

Visit the SSO tab under the Organization Settings page.
Toggle Enable Single Sign-On to begin configuration. Once enabled, the configuration form appears.

Step 8: Configure domains

Enter one or more domains associated with your users email addresses (e.g., supabase.com). These domains determine which users are eligible to sign in via SSO.

Domain configuration

If your organization uses more than one email domain - for example, supabase.com for staff and supabase.io for contractors - you can add multiple domains here. All listed domains will be authorized for SSO sign-in.

Domain configuration with multiple domains

We do not permit use of public domains like gmail.com, yahoo.com.

Step 9: Configure metadata

Enter the metadata URL you obtained from Step 6 into the Metadata URL field:

Metadata configuration with Okta

Step 10: Configure attribute mapping

Enter the SAML attributes you filled out in Step 5 into the Attribute Mapping section.

Attribute mapping configuration

If you did not customize your settings you may save some time by clicking the Okta preset.

Step 11: Join organization on signup (optional)

By default this setting is disabled, users logging in via SSO will not be added to your organization automatically.

Auto-join disabled

Toggle this on if you want SSO-authenticated users to be automatically added to your organization when they log in via SSO.

Auto-join enable

When auto-join is enabled, you can choose the default role for new users:

Auto-join role selection

Choose a role that fits the level of access you want to grant to new members.

Visit access-control documentation for details about each role.

Step 12: Save changes and test single sign-on

When you click Save changes, your new SSO configuration is applied immediately. From that moment, any user with an email address matching one of your configured domains who visits your organization's sign-in URL will be routed through the SSO flow.

We recommend asking a few users to test signing in via their Okta account. They can do this by entering their email address on the Sign in with SSO page.

If SSO sign-in doesn't work as expected, contact your Supabase support representative for assistance.

Set Up SSO with Okta

Step 1: Choose to create an app integration in the applications dashboard #

Step 2: Choose SAML 2.0 in the app integration dialog #

Step 3: Fill out general settings #

Step 4: Fill out SAML settings #

Step 5: Fill out attribute statements #

Step 6: Obtain IdP metadata URL #

Step 7: Enable SSO in the Dashboard #

Step 8: Configure domains #

Step 9: Configure metadata #

Step 10: Configure attribute mapping #

Step 11: Join organization on signup (optional) #

Step 12: Save changes and test single sign-on #

Is this helpful?