CodeSignal supports SAML 2.0 Single Sign-On (SSO). This guide walks an Okta administrator through adding the CodeSignal application from the Okta Integration Network (OIN) catalog and connecting it to a CodeSignal organization.
Prerequisites
Before you begin, make sure you have:
- An Okta tenant with administrator access.
- A CodeSignal organization on a plan that includes SSO. If SSO is not enabled for your organization, contact support@codesignal.com.
- An administrator role in your CodeSignal organization.
Supported features
The Okta CodeSignal application supports the following SAML 2.0 features:
- IdP-initiated SSO (recommended) — users sign in by clicking the CodeSignal tile on their Okta dashboard.
- SP-initiated SSO — users sign in from the CodeSignal login page using the Enterprise SSO button.
- Just-in-Time (JIT) user provisioning (optional) — new CodeSignal accounts are created automatically on first SSO login. The role applied to JIT-created users is configurable in CodeSignal.
For more information on the listed features, see the Okta glossary in the Okta Help Center (help.okta.com).
Configuration steps
Step 1: Add the CodeSignal app from the OIN catalog
- In the Okta Admin Console, go to Applications › Applications.
- Click Browse App Catalog.
- Search for CodeSignal, then click the result.
- Click Add Integration.
- On the General Settings tab, optionally edit the Application label, then click Next.
- On the Sign-On Options tab, leave the default SAML settings in place and click Done.
Step 2: Copy the SAML metadata from Okta
- Open the newly added CodeSignal application in Okta.
- Go to the Sign On tab.
- Click on more details (or expand SAML Signing Certificates › Actions › View IdP metadata).
- Copy the following three values — you will paste them into CodeSignal in the next step:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
Step 3: Configure CodeSignal with the Okta metadata
- Sign in to CodeSignal as an organization administrator.
- Go to Organization Settings.
- In the Single Sign-On card, enable SSO and fill in the fields:
- Identity provider SSO login URL — paste the Identity Provider Single Sign-On URL from Step 2.
- Identity provider issuer — paste the Identity Provider Issuer from Step 2.
- X.509 certificate — paste the certificate from Step 2 (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
- (Optional) Enable JIT (Just-in-Time) provisioning and select a default role. With JIT enabled, CodeSignal creates accounts automatically the first time a user signs in via Okta. Without JIT, users must already exist in CodeSignal (manually invited or provisioned via SCIM).
- Note that you need to have “Owned email domains” configured for your account for the functionality to work. Reach out to the support team to set them up.
- (Optional) Enable Restrict password authentication to require all users in the organization to sign in via SSO. Make sure every user can sign in through Okta before enabling this option.
- Click Save.
Step 4: Provide the CodeSignal Service Provider values to Okta (if requested)
The CodeSignal OIN application is pre-configured with the correct Service Provider values, so you do not normally need to set them by hand. For reference, the values are:
| Setting | Value |
|---|---|
| Single Sign-On URL (ACS URL) | https://identity.codesignal.com/auth/sso/saml/authenticate |
| Audience URI (SP Entity ID) | https://identity.codesignal.com |
| Name ID format | EmailAddress |
| Application username |
Step 5: Assign users and test sign-in
- In Okta, open the CodeSignal application and go to Assignments.
- Assign the users or groups who should have access to CodeSignal.
- Have one of the assigned users sign in to verify the integration:
- IdP-initiated: click the CodeSignal tile on the Okta dashboard.
- SP-initiated: go to https://identity.codesignal.com/auth/login and click "Continue with Single Sign-On."
- Enter your work email.
SAML assertion attributes
CodeSignal reads the SAML NameID as the user’s email address and uses it to look up or provision the account. By default, CodeSignal also reads the following optional attribute statements from the SAML response:
| Attribute name | Used for |
|---|---|
| User email (falls back to NameID if not provided) | |
| firstName | User’s first name (used on account creation via JIT) |
| lastName | User’s last name (used on account creation via JIT) |
The attribute names above are the CodeSignal defaults. If your Okta tenant uses different attribute names, contact support@codesignal.com to align the mapping.
Notes
- IdP-initiated flow is recommended. When configuring SSO, make sure you use the URL for the IdP-initiated flow and not the URL for the SP-initiated (CodeSignal-initiated) flow.
- NameID must equal the user’s email. CodeSignal matches users by email, so the SAML NameID must contain a valid email address that matches the user’s CodeSignal account (or one that JIT will create).
- SSO and SCIM are independent. You can use SAML SSO on its own (with or without JIT), or pair it with SCIM provisioning. See the SCIM section of this document for automated user and group provisioning.
Troubleshoot
| Symptom | Resolution |
|---|---|
| “SAML response invalid” error on sign-in | Re-copy the X.509 certificate from Okta into CodeSignal, including the BEGIN/END CERTIFICATE lines. Check that the Okta and CodeSignal server clocks are in sync (SAML assertions are time-bound). |
| “Identity Provider not configured for organization” | The Identity provider issuer value in CodeSignal does not match the Issuer in Okta’s SAML response. Copy the Issuer from Okta’s “View SAML setup instructions” page and paste it into CodeSignal exactly. |
| “User not resolved” after a successful SAML response | The signed-in user does not have a matching account in CodeSignal. Either enable JIT provisioning in the CodeSignal SSO settings, or invite the user manually (or via SCIM) before they sign in. |
| Sign-in succeeds in Okta but the user lands on the CodeSignal login page | The CodeSignal SSO settings may be saved but disabled, or the Restrict password authentication option is bouncing the user. Open the CodeSignal Single Sign-On settings and verify SSO is enabled. |
Support contact
If you encounter issues that are not covered above, contact CodeSignal support at support@codesignal.com.