> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gavai.io/llms.txt
> Use this file to discover all available pages before exploring further.

# SSO — Okta

> Configure SAML SSO between Okta and gavAI

This page walks the Okta-side setup. The gavAI-side counterpart is the wizard at `/console/settings/sso/new/okta`.

## Prerequisites

* Okta admin access for your org.
* Workspace admin in gavAI on a Scale or Enterprise plan.
* One or more email domains you control (you'll prove ownership via DNS TXT).

## 1. Create the SAML app in Okta

1. Okta Admin Console → **Applications → Browse App Catalog**. Search for "gavAI". If the official integration isn't visible, fall back to **Create App Integration → SAML 2.0**.
2. **App name**: `gavAI` (or `gavAI — <workspace name>` if you run multiple).
3. SAML settings:
   * **Single Sign-On URL** and **Audience URI (SP Entity ID)**: copy both from the gavAI wizard at `/console/settings/sso/new/okta`.
   * **Name ID format**: `EmailAddress`.
   * **Application username**: `Okta username`.
4. Attribute statements:
   * `email` → `user.email`
   * `firstName` → `user.firstName`
   * `lastName` → `user.lastName`
5. Save the app.

## 2. Assign users / groups

In the new app's **Assignments** tab, add the people who should be able to sign in. Group-based assignment is recommended.

## 3. Hand metadata back to gavAI

In Okta's app **Sign On** tab → **View SAML setup instructions** (or **Identity Provider metadata**), copy the metadata URL. Paste it into `/console/settings/sso/new/okta` and submit.

## 4. Verify domains

gavAI shows a TXT record to add at the DNS for each email domain you submitted. Add it; gavAI re-checks every minute until verified.

## 5. Test

Sign out, then sign in at `https://gavai.io/login` with an account in your IdP. You should be bounced to Okta, complete the IdP login, and land back in gavAI's `/console`.

If something goes wrong, look at `/console/settings/sso` for the provider's last-error field, and the tenant audit log at `/console/activity` for the failed authentication row.

## Optional: SCIM provisioning

Pair SSO with [SCIM](/integrations/scim) for automated user lifecycle.
