# Set up SAML SSO with Okta Source: https://developer.nylas.com/docs/dev-guide/dashboard-saml-sso/okta/ > **Info:** > **This is for Dashboard organization login.** If you want to let your app's end users authenticate with an external IdP, see [Nylas Connect external IdP](/docs/v3/auth/nylas-connect/use-external-idp/) instead. > **Info:** > **Where to find SAML settings:** In the [Nylas Dashboard](https://dashboard-v3.nylas.com), click your organization name in the top-left, then go to **Settings** in the sidebar. Select the **SAML SSO** tab (direct link: [dashboard-v3.nylas.com/organization/settings/identity](https://dashboard-v3.nylas.com/organization/settings/identity)). > > You must have **Admin** or **Owner** access to see this tab. This guide walks through creating an Okta SAML 2.0 app and connecting it to your Nylas organization. Complete [domain verification and the Custom SAML step](/docs/dev-guide/dashboard-saml-sso/connect-idp/) before following these instructions. You need an [Okta Developer account](https://developer.okta.com/) (free) or an existing Okta org. ## Service provider values To find these values, go to **Settings > SAML SSO** in the [Nylas Dashboard](https://dashboard-v3.nylas.com/organization/settings/identity), then expand the **Connect your identity provider** step. The SP values appear under **Service provider details for your IdP**. | Nylas SP value | Where to paste it in your IdP | |---|---| | **Metadata URL** | Import metadata URL (if your IdP supports it; this imports SP Entity ID and ACS URL automatically) | | **SP Entity ID** | Audience URI, Audience Restriction, or Identifier (Entity ID) | | **ACS URL** | Single sign-on URL, Reply URL, or Assertion Consumer Service URL | > **Info:** > **Use the metadata URL when your IdP supports it.** It imports both the Entity ID and ACS URL in one step, and Nylas keeps it current if values change. ## Create the Okta SAML app 1. In the Okta Admin Console, go to **Applications > Applications** and click **Create App Integration**. 2. Choose **SAML 2.0** and click **Next**. 3. On the **General Settings** tab, enter an app name (for example, `Nylas Dashboard`) and click **Next**. 4. On the **Configure SAML** tab, fill in the SP values from your Nylas Dashboard (**Connect your identity provider** step): - **Single sign-on URL**: paste the **ACS URL**. - **Audience URI (SP Entity ID)**: paste the **SP Entity ID**. - Leave **Default RelayState** empty. - Set **Name ID format** to `EmailAddress`. - Set **Application username** to `Email`. 5. Under **Attribute Statements**, add the following: | Name | Name format | Value | |---|---|---| | `email` | Unspecified | `user.email` | 6. If you plan to use [group-to-role mapping](/docs/dev-guide/dashboard-saml-sso/), add a **Group Attribute Statement**: | Name | Name format | Filter | |---|---|---| | `groups` | Unspecified | Matches regex `.*` (or a more specific filter for the groups you want to send) | 7. Click **Next**, select **I'm an Okta customer adding an internal app**, and click **Finish**. ## Get Okta metadata and complete setup in Nylas 1. On the app's **Sign On** tab, click **View SAML setup instructions**. 2. Copy the **IDP metadata** XML shown at the bottom of the page (or note the **Identity Provider metadata** URL). 3. Back in the Nylas Dashboard (**Connect your identity provider** step), paste the metadata XML into the **IdP Metadata XML** field or click **Upload XML file**, then click **Save configuration**. The **Connected IdP** card confirms the saved SSO URL and entity ID. ## Assign users to the Okta app SAML login only works for Okta users who are assigned to the app. 1. In the Okta Admin Console, go to the app's **Assignments** tab. 2. Click **Assign** and choose **Assign to People** or **Assign to Groups**. 3. Select the users or groups you want to grant Dashboard access to and click **Done**. ## Test Okta login 1. Open a private browser window. 2. Go to the Nylas Dashboard login page. 3. Enter an email on your verified domain and click **Continue**. 4. You should be redirected to the Okta sign-in page. 5. Sign in and confirm you land in the Dashboard. If login fails, see [Troubleshooting](/docs/dev-guide/dashboard-saml-sso/troubleshooting/). ## What's next - [Manage user access](/docs/dev-guide/dashboard-saml-sso/): Configure JIT provisioning and group-to-role mapping. - [Require SAML sign-in](/docs/dev-guide/dashboard-saml-sso/): Enforce SSO once login is confirmed. - [Custom SAML](/docs/dev-guide/dashboard-saml-sso/connect-idp/): Reference for SP field definitions.