Skip to main content

Enabling Okta SSO for Swif Login (OIDC + SAML + SCIM)

Updated over a week ago

Overview

Okta SSO (Single Sign-On) enables seamless and secure access to Swif by integrating with Okta as the identity provider. This article provides steps for Swif customers to register an app on Okta and provide the necessary details to enable SSO on Swif's login page.

Swif supports two approaches for integrating Okta SSO for user login:

  1. OIDC (OpenID Connect) – the current standard method for login.

  2. SAML – SSO via SAML.

    1. IDP-initiated login

  3. SCIM – a new method enabling SCIM provisioning and deprovisioning.

Steps to Create an App on Okta (OIDC)

1. Log in to Okta

  • Go to your Okta administrator account and log in.

2. Navigate to Applications

  • In the Okta dashboard, click on Applications.

  • Select Create App Integration.

3. Choose Integration Type

  • Select OIDC - Open ID Connect as the sign-on method.

  • Choose Web Application.

4. Configure the Redirect URI

  • In the configuration settings, set the Redirect URI to:

    https://auth.swif.ai/login/callback

5. Retrieve Client Credentials

  • Once the app is created, note down the following details:

    • Client ID

    • Client Secret

    • Domain (your Okta organization URL, e.g., dev-xxxxx.okta.com).

6. Providing Information to Swif

After completing the above steps, set the Client ID, Client Secret, and Domain to Swif’s Settings > Security.

Steps to Create an App on Okta (SAML)

1. Create App Integration

In Okta, go to the Applications page, click Create App Integration, and select SAML 2.0.

Enter a name for the app.

Important: Use the connection name that Swif's team provides to you in the following fields. If you don't have it, message support@swif.ai.

  • Single Sign-On URL:

    https://auth.swif.ai/login/callback?connection={{CONNECTION_NAME}}

  • Audience URI (SP Entity ID):

    urn:auth0:swifteam:{CONNECTION_NAME}

Click Next, then Finish.

Go to the Sign On tab and click View SAML setup instructions.

2. Download the certificate file

Copy the Identity Provider Single Sign-On URL and download the certificate file.

3. Upload URL and certificate to Swif.ai

Send both the URL and certificate file to Swif at Settings > Security.


Enable IdP-initiated login

For the SAML connection, we can enable IdP-initiated login for you so you can directly log in from the Okta console. Let us know, and we will enable it.


OpenID Connect (OIDC) does not support the concept of an IdP-initiated flow. Swif's application correctly implements the OIDC/OAuth2 protocol and will reject an unrequested authentication response.

How to Enable Automatic Provisioning & Deprovisioning with Okta SCIM

1. Retrieve SCIM Endpoint URL and Token

  • You will need Swif's team provided SCIM Endpoint URL and Token. If you don't have it, message support@swif.ai.

2. Configure SCIM in Okta

  • In Okta, go to Applications > [Your Swif OIDC or SAML App] > General, enable the SCIM provision and save.

  • Go to Provisioning > Integration, enter the SCIM connector base URL and token from Auth0.

  • Ensure all required scopes are granted for the SCIM token.

  • Before saving, you can run Test Connector Configuration to test it out.

3. Configure provision scopes

  • Go to Applications > [Your Swif OIDC or SAML App] > Provisioning > To App.

  • Enable Create Users, Update User Attributes, and Deactivate users. Choose Save.

  • Under the Attribute Mappings section, use the X button to delete the following lines, which are not needed and may cause issues during PUT operations:

Attribute

Value

Primary email type

(user.email != null && user.email != ”) ? ‘work’ : ‘‘

Primary phone type

(user.primaryPhone != null && user.primaryPhone != ”) ? ‘work’ : ‘‘

Address type

(user.streetAddress != null && user.streetAddress != ”) ? ‘work’ : ‘’

4. Verification Steps

  • You can now test user provisioning in the Assignments tab and test update operations by editing the user attributes in the Directory > People section of your Okta admin portal.

  • Assign the user to the Swif OIDC connect app.

  • The user should be automatically created as a Swif team admin.

  • Test both provisioning (adding users) and deprovisioning (removing users from the app).

4. Troubleshooting & Best Practices

  • Always test provisioning from the Assignments tab in Okta, not just Okta Directory > People.

  • If users are not appearing as the Swif team admin, double-check the SCIM URL, token, and attribute mappings.

  • For Okta-specific issues, open a support case with Okta.

Need Help?

If you encounter any issues during this process, please reach out to our support team for assistance. We're here to ensure a smooth and secure setup!

Related Articles
Enabling Azure SSO for Swif's Login
Enabling Google Workspace SSO for Swif's Login
Connecting Swif with Okta for HRIS Integration
Enforcing Okta SSO at macOS Login
Apple Platform SSO Policy
Did this answer your question?