Overview
This guide walks you through connecting Galtea to Okta using SAML 2.0. When complete, your team can sign in to Galtea through their Okta accounts.
You will switch between the Okta Admin Console and Galtea’s Organization Settings several times. Keep both browser tabs open.
Prerequisites
- Owner role in the Galtea organization, with an active Enterprise subscription.
- Administrator role in your Okta organization.
Step 1 — Create a SAML application in Okta
- Open the Okta Admin Console.
- In the top navigation, click Applications → Applications.
- Click Create App Integration.
- Select SAML 2.0 as the sign-in method.
- Click Create.
- Enter an application name (for example,
Galtea).
- Optionally upload a logo. Click Next.
On the Configure SAML step, fill in the following fields:
| Okta field | Value |
|---|
| Single sign-on URL | https://api.galtea.ai/auth/saml/callback |
| Audience URI (SP Entity ID) | The SP Entity ID you entered in Galtea’s Organization Settings |
The SP Entity ID is a value you define. Use a unique identifier for your organization (for example my-company or my-company-prod). The exact same value must be entered in both Galtea and in the Okta Audience URI field. In Galtea, enter this value in both the SP Entity ID and Issuer fields.
Leave the Default RelayState blank.
For the Name ID format, select EmailAddress.
Step 3 — Require signed responses and assertions
- Still on the Configure SAML step, click Show Advanced Settings.
- Set Response to Signed.
- Set Assertion Signature to Signed.
- Leave all other advanced settings at their defaults.
Click Next to continue.
Step 4 — Finish the Okta setup
On the Feedback step, select I’m an Okta customer adding an internal app (or any option that fits your situation). Click Finish.
Okta creates the application and opens its settings page.
Step 5 — Copy IdP values from Okta into Galtea
- In the Okta application settings, click the Sign On tab.
- Click More details (or scroll down to the SAML 2.0 section) to expand the IdP metadata.
Copy the following values into Galtea’s Organization Settings → Advanced Options:
| Okta field | Galtea field |
|---|
| Sign on URL | Sign on URL |
For the certificate:
- Click Download certificate in the Sign On tab (choose the SHA-2 / active certificate).
- Open the downloaded
.cert file in a text editor. You will see -----BEGIN CERTIFICATE----- at the top.
- Copy the entire content and paste it into the Public Certificate field in Galtea.
Step 6 — Assign users
Before testing, assign the application to the relevant users or groups in Okta:
- Click the Assignments tab in the application.
- Click Assign → Assign to People (or Assign to Groups).
- Find and assign the users who should have access to Galtea.
- Click Done.
Step 7 — Save and test in Galtea
- In Galtea, click Save to update the organization settings.
- Ask an assigned user to sign in using the organization’s Team Slug.
Attribute mapping (optional)
Okta sends the user’s email as the SAML NameID by default and also maps standard profile attributes. Galtea reads email, first name, and last name automatically.
If your Okta profile uses custom attribute names, open the SAML Settings in the application and add attribute statements:
| Attribute name | Value |
|---|
email | user.email |
given_name | user.firstName |
family_name | user.lastName |
Troubleshooting
| Symptom | Likely cause | Fix |
|---|
| ”The ACS URL does not match” | ACS URL mismatch | Set the Single sign-on URL in Okta to exactly https://api.galtea.ai/auth/saml/callback |
| ”Invalid audience” error | SP Entity ID mismatch | Make sure Audience URI in Okta matches the SP Entity ID in Galtea |
| Signature validation fails | Wrong certificate pasted | Re-download the certificate from Okta’s Sign On tab and paste it again |
| User is not assigned | User tries to sign in but Okta blocks the request | Assign the user to the app in the Assignments tab |