Skip to main content
This page walks the Okta-side setup. The gavAI-side counterpart is the wizard at /console/settings/sso/new/okta.

Prerequisites

  • Okta admin access for your org.
  • Workspace admin in gavAI on a Scale or Enterprise plan.
  • One or more email domains you control (you’ll prove ownership via DNS TXT).

1. Create the SAML app in Okta

  1. Okta Admin Console → Applications → Browse App Catalog. Search for “gavAI”. If the official integration isn’t visible, fall back to Create App Integration → SAML 2.0.
  2. App name: gavAI (or gavAI — <workspace name> if you run multiple).
  3. SAML settings:
    • Single Sign-On URL and Audience URI (SP Entity ID): copy both from the gavAI wizard at /console/settings/sso/new/okta.
    • Name ID format: EmailAddress.
    • Application username: Okta username.
  4. Attribute statements:
    • emailuser.email
    • firstNameuser.firstName
    • lastNameuser.lastName
  5. Save the app.

2. Assign users / groups

In the new app’s Assignments tab, add the people who should be able to sign in. Group-based assignment is recommended.

3. Hand metadata back to gavAI

In Okta’s app Sign On tab → View SAML setup instructions (or Identity Provider metadata), copy the metadata URL. Paste it into /console/settings/sso/new/okta and submit.

4. Verify domains

gavAI shows a TXT record to add at the DNS for each email domain you submitted. Add it; gavAI re-checks every minute until verified.

5. Test

Sign out, then sign in at https://gavai.io/login with an account in your IdP. You should be bounced to Okta, complete the IdP login, and land back in gavAI’s /console. If something goes wrong, look at /console/settings/sso for the provider’s last-error field, and the tenant audit log at /console/activity for the failed authentication row.

Optional: SCIM provisioning

Pair SSO with SCIM for automated user lifecycle.