SSO with Okta

Wire your Okta tenant to Vectis so operators sign in with their corporate credentials instead of a Vectis password. Works for both OIDC (recommended) and SAML 2.0.

What you’ll need

  • Okta admin access to your org’s Okta tenant
  • Vectis admin role — this is configured from Admin → SSO
  • Your Vectis instance URL (e.g. https://your-workspace.mspvectis.com)

Option A – OIDC (recommended)

  1. In Okta, go to Applications → Applications → Create App Integration. Choose OIDC — OpenID Connect and Web Application.
  2. Under Sign-in redirect URIs, paste the OIDC redirect URI shown on the Vectis SSO page. It’ll look like https://your-workspace.mspvectis.com/api/auth/callback/sso-oidc.
  3. Assign the application to the Okta groups that should be allowed to sign in to Vectis. If your org has a single Vectis-ops group, use that. An Everyone assignment with Vectis’s domain allowlist as the only gate is the weaker option: the allowlist checks the email domain, not the person, so any Okta user whose email is on an allowed domain can sign in.
  4. After the app is created, copy the Client ID, Client Secret, and Okta domain (e.g. dev-12345.okta.com).
  5. Back in Vectis, open Admin → SSO. Pick OpenID Connect (OIDC), paste the Client ID and Client Secret, and for Issuer URL enter https://dev-12345.okta.com. The value must match the iss claim Okta puts in its tokens exactly (no trailing slash; if your app uses a custom Okta authorization server, enter that server’s issuer instead). Leave the endpoint overrides blank — Vectis auto-discovers them.
  6. Add the email domains that should use SSO to Allowed Email Domains, then hit Test Connection. A successful test shows the Okta discovery document; failures surface the specific error.
  7. Toggle Enable SSO, save, and open a private window to verify the IdP login round-trip before turning on enforcement.
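The OIDC flow above, modelled offline as an added example (this is not Vectis or Okta code): it validates a discovery document against the configured issuer the way Test Connection must, builds the authorization request with state, nonce and PKCE, and applies the claim checks a relying party makes on the returned ID token before trusting its email. The discovery document, client ID, nonce and claims are constructed; verifying the RS256 signature against jwks_uri is omitted because it needs the live key set.

```python
"""Offline model of the OIDC checks between Okta and a relying party.
Added example, not Vectis code. DISCOVERY_DOC, CLIENT_ID and SAMPLE_CLAIMS
are constructed; no network call is made."""
import base64
import hashlib
import time
from urllib.parse import urlencode

ISSUER = "https://dev-12345.okta.com"          # constructed Okta org issuer
CLIENT_ID = "0oa0constructed"                  # constructed client ID
REDIRECT_URI = "https://your-workspace.mspvectis.com/api/auth/callback/sso-oidc"
NOW = 1_700_000_000                            # fixed "current time" for the demo

# Shape of https://<okta-domain>/.well-known/openid-configuration (fields used here only).
DISCOVERY_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/v1/authorize",
    "token_endpoint": ISSUER + "/oauth2/v1/token",
    "jwks_uri": ISSUER + "/oauth2/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed ID-token payload as it would look after signature verification.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 3600, "iat": NOW - 10,
                 "nonce": "n0nce", "email": "ops@example.com"}


def check_discovery(doc, configured_issuer):
    """Return a list of problems; an empty list means the document is usable.
    The issuer must match byte-for-byte: a trailing slash or a custom
    authorization-server path makes it a different issuer."""
    problems = []
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}, "
                        f"configured {configured_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signing")
    return problems


def pkce_challenge(code_verifier):
    """S256 challenge: base64url(sha256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(doc, client_id, redirect_uri, state, nonce, code_verifier):
    """Authorization request carrying state (CSRF), nonce (ID-token replay) and PKCE."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid email profile",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def validate_id_token_claims(claims, configured_issuer, client_id, expected_nonce,
                             allowed_domains, now=None, skew=60):
    """Claim checks made *after* the RS256 signature has been verified against
    jwks_uri. Returns (email, None) on success or (None, error)."""
    now = time.time() if now is None else now
    if claims.get("iss") != configured_issuer:
        return None, "iss does not match configured issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "aud does not contain our client_id"
    if claims.get("exp", 0) + skew < now:
        return None, "token expired"
    if claims.get("iat", 0) - skew > now:
        return None, "token issued in the future (check clock)"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"
    # The same allowlist rule that produces "domain not allowed" in Troubleshooting.
    email = claims.get("email", "")
    domain = email.rpartition("@")[2].lower()
    if not domain or domain not in {d.lower() for d in allowed_domains}:
        return None, f"domain not allowed: {email!r}"
    return email, None


if __name__ == "__main__":
    print(check_discovery(DISCOVERY_DOC, ISSUER + "/"))   # trailing slash -> mismatch
    print(build_authorize_url(DISCOVERY_DOC, CLIENT_ID, REDIRECT_URI, "st4te", "n0nce",
                              "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"))
    print(validate_id_token_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID, "n0nce",
                                   ["example.com"], now=NOW))
```

The trailing-slash case is the one that bites most often: Okta’s discovery document and iss claim carry the bare org URL, so an Issuer URL with a slash appended fails the exact-match comparison even though the endpoints resolve.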

Option B – SAML 2.0

  1. In Okta, go to Applications → Create App Integration and choose SAML 2.0.
  2. For Single sign-on URL (ACS), paste the SAML ACS URL shown on the Vectis SSO page. It’ll end in /api/auth/sso/saml/callback.
  3. For Audience URI (SP Entity ID), either use the same ACS URL or set a custom value and enter that value into Vectis’s SP Entity ID field.
  4. Under Attribute Statements, map email to user.email and displayName to user.displayName. Use user.email rather than user.login: the two can differ, and Vectis runs its domain check on the email attribute. Okta’s default email NameID format works too.
  5. After Okta shows the app’s Sign On tab, click View SAML setup instructions. Copy the Identity Provider Single Sign-On URL and X.509 Certificate.
  6. In Vectis Admin → SSO, pick SAML 2.0. Paste the Okta sign-on URL into SSO Entry Point URL and the full -----BEGIN CERTIFICATE----- block into IdP Certificate. Save — Vectis re-wraps the cert into canonical PEM and encrypts it at rest.

Always test the IdP round-trip in an incognito window before flipping Enforce SSO on. Enforcement disables password login for every user on the allowed domains — a misconfigured IdP can lock everyone out except the break-glass admin.

Troubleshooting

  • “domain not allowed” — the email coming back from Okta isn’t in the allowed-domains list. Check that the Okta attribute statement sends user.email, not user.login.
  • “signature verification failed” (SAML) — the IdP cert pasted into Vectis doesn’t match the one Okta is signing with. Re-copy the X.509 cert from Okta’s Sign On tab; this also happens after the app’s signing certificate is rotated in Okta, so re-paste it whenever that changes.
  • Clock skew — SAML assertions carry tight NotBefore / NotOnOrAfter windows. If the Vectis host’s clock drifts by more than 5 minutes, every SAML login fails even though nothing changed in Okta. Fix the time source (NTP) and confirm the host is synchronized before retrying.
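The SAML checks behind Option B and the last two Troubleshooting entries, as an added example rather than Vectis code: it parses an Okta-shaped assertion, enforces the NotBefore / NotOnOrAfter window with a 5-minute skew allowance, checks Audience and Recipient against the SP entity ID and ACS URL, and applies the email-domain allowlist to the email attribute (falling back to the NameID). The assertion is constructed and unsigned; a real service provider verifies the XML signature with an xmlsec-backed library before any of these checks, which this example deliberately does not do.

```python
"""Offline model of a SAML service provider's post-signature checks.
Added example, not Vectis code. SAMPLE_ASSERTION is constructed and carries
no Signature element; signature verification is out of scope here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://your-workspace.mspvectis.com/api/auth/sso/saml/callback"
SP_ENTITY_ID = ACS_URL  # Option B step 3 allows reusing the ACS URL as the entity ID

# Constructed assertion in the shape Okta emits for the attribute mapping in step 4.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c0nstructed"
    Version="2.0" IssueInstant="2024-05-01T12:00:00.000Z">
  <saml:Issuer>http://www.okta.com/exk0constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ops@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{ACS_URL}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ops@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Ops Person</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_instant(text):
    """SAML xs:dateTime in UTC; Okta writes fractional seconds on some fields."""
    text = text.rstrip("Z").split(".")[0]
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, sp_entity_id, acs_url, allowed_domains, now,
                    skew=timedelta(minutes=5)):
    """Return (email, display_name, None) on success or (None, None, error).
    `now` is a timezone-aware datetime so the clock-skew behaviour is testable."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] \
        else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return None, None, "no Assertion element"

    # Validity window: the Troubleshooting entry on clock skew is about these two attributes.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return None, None, "assertion has no Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        return None, None, f"assertion not yet valid (NotBefore {not_before})"
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return None, None, f"assertion expired (NotOnOrAfter {not_on_or_after})"

    # Audience must be our SP entity ID, or an assertion minted for another SP replays here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return None, None, f"audience mismatch: {audiences}"

    # Bearer confirmation: addressed to our ACS URL and still fresh.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return None, None, "SubjectConfirmationData Recipient is not our ACS URL"
    if scd.get("NotOnOrAfter") and now - skew >= parse_instant(scd.get("NotOnOrAfter")):
        return None, None, "SubjectConfirmationData expired"

    # Attribute statements as mapped in Okta (email -> user.email, displayName -> user.displayName).
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    email = attrs.get("email") or assertion.findtext("saml:Subject/saml:NameID",
                                                     default="", namespaces=NS)
    domain = email.rpartition("@")[2].lower()
    if not domain or domain not in {d.lower() for d in allowed_domains}:
        return None, None, f"domain not allowed: {email!r}"
    return email, attrs.get("displayName", ""), None


if __name__ == "__main__":
    for when in ("2024-05-01T12:00:00Z", "2024-05-01T12:09:00Z", "2024-05-01T12:11:00Z"):
        print(when, check_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID, ACS_URL,
                                    ["example.com"], parse_instant(when)))
```

Run as-is it prints a success at 12:00, another at 12:09 (inside the 5-minute allowance against a 12:05 NotOnOrAfter), and “assertion expired” at 12:11, which is exactly the symptom a drifting Vectis host produces for every login.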

Still stuck?

Email support@mspvectis.com with the error message and we’ll unblock you.