Setting up single sign-on (Okta)

Setting up Single Sign-On (SSO) will require you accessing some technical information from the admin settings of your Identity Provider, you will likely need the assistance of the team that manages that system to get that information.

Alongside Okta, we support the following Identity Providers, click for the relevant guide:

  • Azure AD
  • Google

1. Sharing information about your identity provider

To begin the setup of SSO for your organisation, the support team needs the following information from your Identity Provider, examples for Google are below, where the unique part of the URL will be is represented as ”xxx”

  • The SSO target URL of your identity provider (this is the URL that your identity provider is accessed at. will redirect your users here to sign in to when they try and access which will look like this in Okta:
    • example:
  • The Identity Provider Issuer (entity ID) of your identity provider, which will look like this:
    • example:
  • The certificate of your identity provider
    • This is usually downloaded within your Identity Provider Settings

2. Connecting your identity provider to the live environment

Once we have received information about your identity provider, we will inform you that your sub-domain for the live environment is accessible.

This will allow you to configure access to the live environment, by applying the following settings in your Google Admin Console:

  • The Assertion Consumer Service (ACS) URL (this is the URL where will receive the response from the identity provider):


  • The Entity ID of the live instance of


3. Mapping Attributes

The name identifier format of persistent must be used

These attribute mappings need to be setup:

SAML attribute name What it needs to map to in the identity provider First name Last name Email – For existing users, this should be the same email address that is used to login to

4. Accessing via SSO

Organisations using SSO will access via a sub-domain. This is a change to how you access at the moment.

Rather than going to, once SSO is activated you will be able to access the system at:


This ensures that we can always redirect your users to the correct identity provider when they sign in or access the system for the first time.

To note:

  • Either the assertion, response or the assertion and response must be signed
  • SHA-1 & SHA-256 algorithms are supported for the signature and digest. We recommend the use of SHA-256 as best practice
  • SSO can be initiated from the service provider or the identity provider
  • Encrypted assertions are not supported

If you have any further questions following the completion of your setup, please don’t hesitate to contact the support team at