Okta SSO (IdP‑Initiated)

This guide covers the IdP-initiated flow, where users begin in Okta (the IdP) and select the GroWrk icon from their Okta dashboard.

Supported Features

  • IdP-initiated SSO (through third-party initiated login)

Prerequisites

Before you begin, ensure:

  1. You have administrator access to your Okta tenant (so you can add the GroWrk SSO apps from the OIN).
  2. You have administrator access to your GroWrk dashboard, with the Integrations feature enabled. (Contact your Customer Success Manager if you do not see Integrations in your dashboard.)
  3. The email address used in Okta matches the email address of your users in GroWrk.

What is IdP‑Initiated SSO?

  • IdP‑Initiated Flow: The user logs in to Okta first. From the My Apps screen (Okta dashboard), they click the GroWrk icon. Okta sends a SAML response directly to GroWrk (no AuthnRequest from GroWrk).
  • Result: The user lands in GroWrk already authenticated.

Connect Okta to GroWrk

  1. In the Integrations tab in your GroWrk Dashboard, search for Okta SSO and select Get Started. Okta SSO

You’ll be directed to the setup page with several steps. Okta SSO

  1. Add GroWrk to Okta.
  • Login to Okta. Navigate to the Application tab.
  • Click on Browse App Catalog and search for Growrk (IdP) application.
  • Click on Add Integration.

Okta SSO

  • Set your general settings (application label, visibility, etc.) and select Next. Okta SSO
  • On the sign-on options page, you can review the SAML 2.0 configuration. You can also find your metadata URL here, which you’ll need in GroWrk. Select Done when finished. Okta SSO
  1. Back in GroWrk, add your authorized domains. Okta SSO
  2. Copy and paste the metadata URL into GroWrk.
  • In your Okta admin console, go to the GroWrk application, then Sign On. Scroll down to find the Identity Provider metadata link. Copy this link.
  • Go back to GroWrk, paste it, and select Set up. Okta SSO
  1. You’ll be notified that Okta SSO has been set up. Okta SSO
  2. Your certificate information will be displayed with the start and end dates of its validity. If you’ve changed the SAML Signing Certificate or activated a new one, enter the metadata URL and select Set up again to update it. Okta SSO

Logging in via IdP‑Initiated Flow

If you have configured GroWrk (IdP) in Okta, users can access GroWrk directly from the Okta dashboard:

  1. In the My Apps tab in Okta, select GroWrk (IdP). Okta SSO
  2. Enter the code provided by the Okta Verify app (if MFA is required) and select Verify. Okta SSO
  3. You will sign in and be navigated to the GroWrk Dashboard. Okta SSO

Troubleshooting

Common Issues

  1. Invalid SAML Response
  • Check that the metadata URL you copied from Okta is correct and that your ACS URLs and Audience match in GroWrk.
  1. User Email Mismatch
  • Ensure the user’s Okta profile email matches the email they use in GroWrk.
  1. Access Denied / Not Assigned
  • Verify the user is assigned to the GroWrk app in Okta.
  1. Okta Verify Setup
  • If a user is stuck setting up Okta Verify, confirm your MFA policies in Okta Admin.

Checking Okta Logs

If issues persist, check Okta System Logs under Reports > System Log in Okta for detailed error messages.

Contact Support

If you still have trouble, please contact GroWrk Support or your Customer Success Manager. Provide:

  • A screenshot of your Okta configuration
  • The exact error message
  • The user’s email address
  • Approximate timestamp of the failed login attempt

For further assistance or additional configuration questions, please reach out to us at support@growrk.com.

IntegrationsOkta SSO (SP‑Initiated)
IntegrationsJumpCloud SAML SSO