You can set up Opal to allow or require users to login via Okta SAML SSO.

Setup

Log in to Okta as an administrator, then click Applications on the left sidebar -> Create App Integration -> SAML 2.0 -> Next. You should see the following screen, where you can fill in the following info, then click Next:
- App name: Opal
- App logo: You can use this brand asset

Log in to Opal as an administrator, then click Settings on the left sidebar -> Authentication -> SAML SSO Settings -> Setup. You should see the following screen:

Back in Okta, go to the next page. You should see the following screen, where you can fill in the following info, then click Next. Leave all other fields in their default state:
- Single sign on URL: use ACS URL from Opal
  - Leave "Use this for Recipient URL and Destination URL" checked
- Audience URI: use Entity ID from Opal
- Attribute Statements:
  - given_name -> user.firstName
  - family_name -> user.lastName
  - email -> user.email

On the next page in Okta, select I'm an Okta customer adding an internal app, then click Finish.
On new Okta app's page, click the Assignments tab and assign any users or groups who you want to grant access to Opal via Okta SAML SSO. Each user's email in Okta must match the email of their Opal account in order for the user's SAML login to succeed.

Next, click the Sign On tab -> View SAML setup instructions (the button may appear farther down the screen):

Back in Opal, enter the following information, then click Save:
- Identity Provider SAML 2.0 SSO URL: use Identity Provider Single Sign-On URL from Okta
- Identity Provider Public Certificate: download the X.509 Certificate from Okta and upload it to Opal

Your SAML SSO setup should now be complete! For more options on configuring your SAML connection, please see our guide here.

Testing login via SAML

To test SAML login to Opal, you can simply log out of your Opal account and try to log in again. The next time you log in, you should see the following screen, which lets you choose whether to log in via SAML: