# Okta SAML setup

> Configure SAML-based single sign-on between Okta and CodeRabbit for your Enterprise organization.

export const EnterprisePlanBadge = ({tip = "This feature is available exclusively as part of the Enterprise plan. Please refer to our pricing page for more information about our plans and features.", title = "Enterprise Plan", cta = "Read more", href = "https://coderabbit.ai/pricing", disabled = false}) => {
  return <Tooltip tip={tip} cta={cta} href={href}>
        <Badge icon="building-2" disabled={disabled || undefined}>
            {title}
        </Badge>
    </Tooltip>;
};

export const AdminRoleBadge = ({tip = "This feature requires an organization owner, an admin role or the corresponding permission. Regular Members do not have access.", title = "Admin Only", cta = "View roles", href = "/management/roles", disabled = false}) => {
  return <Tooltip tip={tip} cta={cta} href={href}>
        <Badge icon="lock" color="orange" disabled={disabled || undefined}>
            {title}
        </Badge>
    </Tooltip>;
};

<EnterprisePlanBadge />

<AdminRoleBadge tip="This page requires an admin role. Members do not have access to Enterprise SSO settings." />

Use this guide to configure Okta as the identity provider for CodeRabbit. The current setup is support-assisted: you create the Okta SAML application, collect the required metadata, and then send the final values to CodeRabbit for enablement.

## Before you start

Make sure you have:

* Access to the **Okta Admin Console**
* The email domain that should authenticate through CodeRabbit
* A way to reach your account team to request CodeRabbit's service provider values and submit your final metadata

## What CodeRabbit provides

Before you configure the Okta app, reach out to your account team to request these values:

* **Single sign-on URL (ACS URL)**
* **Audience URI (SP Entity ID)**

Okta requires both values to create the SAML integration.

## What CodeRabbit needs from you

After you create the Okta app, send these four items to CodeRabbit:

* **Email domain**: for example, `yourcompany.com`
* **Sign-on URL**: the IdP Single Sign-On URL from Okta metadata
* **Issuer**: the IdP issuer or entity ID from Okta metadata
* **Signing certificate**: an X.509 certificate file in `.pem` or `.cer` format

## Set up the Okta app

<Steps>
  <Step title="Create the Okta app integration">
    Sign in to your Okta Admin Console, then go to **Applications** -> **Applications** and click **Create App Integration**.

    In the **Create a new app integration** dialog, select **SAML 2.0** and click **Next**.

    <Frame caption="Select SAML 2.0 when creating the Okta app integration">
      <img src="https://mintcdn.com/coderabbit/3I7hsTVrvxk4DUOE/assets/images/okta-create-app-integration-saml.png?fit=max&auto=format&n=3I7hsTVrvxk4DUOE&q=85&s=66558a16082c1746deffb4ef7e13c0d6" alt="Okta Create a new app integration dialog with SAML 2.0 selected" width="1864" height="1086" data-path="assets/images/okta-create-app-integration-saml.png" />
    </Frame>

    On the **General Settings** screen, enter a clear app name such as `CodeRabbit`, optionally upload a logo, and continue to the SAML configuration screen.
  </Step>

  <Step title="Fill in the SAML configuration">
    In the SAML settings screen, use the following values:

    | Field                       | Value                  |
    | --------------------------- | ---------------------- |
    | Single sign-on URL          | Provided by CodeRabbit |
    | Audience URI (SP Entity ID) | Provided by CodeRabbit |
    | Default RelayState          | Leave blank            |
    | Name ID format              | EmailAddress           |
    | Application username        | Email                  |

    No attribute statements are required. Leave the **Attribute Statements** and **Group Attribute Statements** sections empty.

    Click **Next** and complete the wizard to create the application.
  </Step>

  <Step title="Retrieve your Okta SAML metadata">
    After the app is created, open **Applications** -> **Applications** -> **your CodeRabbit app** -> **Sign On**.

    Scroll to **SAML Signing Certificates**, find the certificate marked **Active**, and open **Actions** -> **View IdP metadata**. This opens the XML metadata page that contains the values CodeRabbit needs.

    <Frame caption="Use the active signing certificate actions menu to view IdP metadata or download the certificate">
      <img src="https://mintcdn.com/coderabbit/3I7hsTVrvxk4DUOE/assets/images/okta-saml-signing-certificates-actions.png?fit=max&auto=format&n=3I7hsTVrvxk4DUOE&q=85&s=84a0712fadb643fc4395e839dbb4b4ac" alt="Okta SAML Signing Certificates section with the Actions menu open for the active certificate" width="1656" height="642" data-path="assets/images/okta-saml-signing-certificates-actions.png" />
    </Frame>

    Collect the following values from the metadata XML:

    * **Sign-on URL**: copy the `Location` attribute from the `md:SingleSignOnService` element
    * **Issuer**: copy the `entityID` attribute from the `md:EntityDescriptor` element
    * **Signing certificate**: copy the `ds:X509Certificate` value

    Save the certificate in `.pem` format:

    ```pem
    -----BEGIN CERTIFICATE-----
    PASTE_CERTIFICATE_CONTENT_HERE
    -----END CERTIFICATE-----
    ```

    If you prefer, you can also download the certificate directly from the **Sign On** tab using **Actions** -> **Download certificate**.
  </Step>

  <Step title="Assign people or groups">
    Open the **Assignments** tab for the app, click **Assign**, and assign the people or groups that should be allowed to sign in to CodeRabbit.

    Users cannot authenticate through Okta until they are assigned to the application.
  </Step>

  <Step title="Send the configuration to CodeRabbit and validate access">
    Send the following items to your account team:

    * Your organization's email domain
    * The Okta Sign-on URL
    * The Okta issuer
    * The signing certificate file

    After CodeRabbit confirms the configuration is enabled, test the sign-in flow with an assigned user account. Assigned users are added to your CodeRabbit organization automatically on first SSO login.
  </Step>
</Steps>
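
The metadata collection in step 3 can be scripted so that the values sent to CodeRabbit are copied without transcription errors. This is an added example, not code from CodeRabbit or Okta: it parses IdP metadata XML, extracts the issuer, sign-on URL and signing certificate, and produces the PEM text plus a SHA-256 fingerprint. The function name, the `example.okta.com` URL, the `exkEXAMPLE` ID and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def extract_idp_values(metadata_xml):
    """Return issuer, sign-on URLs and the PEM signing certificate from IdP metadata."""
    if "<!DOCTYPE" in metadata_xml:  # SAML metadata needs no DTD; refuse entity declarations
        raise ValueError("unexpected DOCTYPE in metadata")
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    issuer = root.get("entityID")
    # Metadata may list one SingleSignOnService per binding; keep them all, keyed by binding.
    sso = {e.get("Binding"): e.get("Location")
           for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    if not issuer or not sso:
        raise ValueError("metadata is missing entityID or SingleSignOnService")
    if any(not (url or "").startswith("https://") for url in sso.values()):
        raise ValueError("sign-on URL is not HTTPS")
    # Signing key: use="signing", or no use attribute (key valid for any purpose).
    certs = [c.text for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    if len(certs) != 1:  # more than one means a human must pick the Active certificate
        raise ValueError("expected exactly one signing certificate, found %d" % len(certs))
    der = base64.b64decode("".join(certs[0].split()), validate=True)
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))  # 64-char PEM lines
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
    return {"issuer": issuer, "sso_urls": sso, "certificate_pem": pem,
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}

# Constructed sample: URLs, IDs and certificate bytes are placeholders, not real Okta output.
SAMPLE_DER = bytes(range(90))  # stand-in bytes, not a real X.509 certificate
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exkEXAMPLE">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
<ds:X509Certificate>{_b64[:60]}
{_b64[60:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://example.okta.com/app/example_app/exkEXAMPLE/sso/saml"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in extract_idp_values(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

With real metadata, compare `sha256_fingerprint` (ignoring colons and case) with the output of `openssl x509 -noout -fingerprint -sha256 -in <file>` run on the certificate downloaded from the **Sign On** tab before sending it.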

## What's next

<CardGroup cols={1}>
  <Card title="Enterprise SSO overview" href="/management/sso" icon="key" horizontal>
    Return to the SSO overview to see the shared rollout flow and future provider coverage.
  </Card>

  <Card title="Roles and permissions" href="/management/roles" icon="shield-check" horizontal>
    Pair SSO with the right access controls by reviewing how roles work in your CodeRabbit organization.
  </Card>

  <Card title="Support" href="/support" icon="message-circle" horizontal>
    Reach out if you need the CodeRabbit service provider values or help troubleshooting the Okta setup.
  </Card>
</CardGroup>
