SSO setup — Okta (SAML 2.0)

5 min read · Updated 12 May 2026

Wire WBSync to Okta over SAML 2.0 in about 10 minutes: paste WBSync's ACS URL into Okta, copy three values from Okta back into WBSync, click Test connection, done.

Step by step

1. Open both consoles

WBSync: Settings → Single Sign-On. Switch the Protocol to SAML 2.0 and leave "Enable SSO" off for now.

Okta: Applications → Create App Integration → SAML 2.0 → Next.

2. Paste WBSync's ACS URL into Okta

On the SAML settings page in WBSync you'll see ACS URL. Copy it into Okta's Single sign-on URL field and tick Use this for Recipient URL and Destination URL. For Audience URI paste WBSync's ACS URL too (WBSync also accepts its metadata URL here). Whichever you use, enter it exactly as WBSync shows it, trailing slash included: Okta copies this value into the assertion's Audience element, and a service provider rejects an assertion whose Audience does not match its own identifier.

3. Map attributes

Add the following Attribute Statements in Okta:

  • email → user.email
  • first_name → user.firstName
  • last_name → user.lastName

Set Name ID format to EmailAddress. Finish the wizard.

4. Copy Okta's three values back to WBSync

On Okta's app page, open the Sign On tab and click View SAML setup instructions. Copy:

  • Identity Provider Single Sign-On URL → IdP SSO URL in WBSync
  • Identity Provider Issuer → IdP Entity ID in WBSync
  • X.509 Certificate (the long PEM block) → IdP X.509 signing certificate in WBSync

Set Email domain to your company's email domain. Save.

5. Test, then enforce

Click Test connection. You'll be redirected to Okta, sign in, and land back on WBSync with a green SSO test successful badge. If anything failed, the badge shows the reason — usually a typo in the SSO URL or a wrong cert.

Once green, tick "Enable SSO for this organisation" and save. Your team will be redirected to Okta on their next login.
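To see what each pasted value governs, here is an added example (mine, not WBSync's or Okta's code) that derives the three step-4 values from an Okta-style IdP metadata document and then checks a SAML Response against the step-2 URLs, the step-3 NameID format and attribute statements, and the step-4 Entity ID and certificate. The ACS URL on wbsync.example, the Okta tenant, entity ID and SSO URL, the certificate stand-in and the user "Dana Ortiz" are all constructed; the element and namespace names are the standard SAML 2.0 ones, and what WBSync itself checks is not documented on this page. The code deliberately does not verify the XML signature, which a SAML library built on xmlsec must do; it only pins the embedded certificate to the one from metadata.

```python
"""Added example, not WBSync's or Okta's code: derive the three step-4 values from
Okta IdP metadata and check a SAML Response against the step-2/3/4 settings.
Tenant URLs, entity IDs, the certificate and the user below are constructed stand-ins."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUIRED_ATTRS = ("email", "first_name", "last_name")         # attribute statements from step 3
ACS_URL = "https://wbsync.example/sso/saml/acs/"              # assumed WBSync ACS URL (step 2)
AUDIENCE = ACS_URL                                            # the page allows the ACS URL here
IDP_ENTITY_ID = "http://www.okta.com/exk000000000000EXAMPLE"  # constructed, Okta-style
# Stand-in for the signing certificate; a real one is the DER certificate in base64.
CERT_B64 = base64.b64encode(b"constructed stand-in, not a real X.509 certificate").decode()
DEMO_NOW = datetime(2026, 5, 12, 10, 0, tzinfo=timezone.utc)

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ENTITY_ID}">
 <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example.okta.com/app/exk000000000000EXAMPLE/sso/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def norm_cert(text):
    """Strip PEM armour and whitespace so a pasted cert compares equal to an embedded one."""
    return "".join(l.strip() for l in text.strip().splitlines() if not l.startswith("-----"))

def idp_settings_from_metadata(xml_text):
    """Step 4 by machine: IdP SSO URL, IdP Entity ID and signing cert, plus its SHA-256 fingerprint."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService"
                    "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", NS)
    key = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']", NS)
    cert_b64 = norm_cert(key.find(".//ds:X509Certificate", NS).text)
    return {"idp_sso_url": sso.get("Location"), "idp_entity_id": root.get("entityID"),
            "idp_cert_b64": cert_b64,
            "cert_sha256": hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()}

def build_response(now, **override):
    """Constructed Okta-style Response; a keyword override simulates one misconfigured field."""
    f = dict(issuer=IDP_ENTITY_ID, destination=ACS_URL, recipient=ACS_URL, audience=AUDIENCE,
             cert=CERT_B64, name_id_format=EMAIL_FORMAT, not_before=now - timedelta(minutes=5),
             not_after=now + timedelta(minutes=5),
             attrs={"email": "dana@example.com", "first_name": "Dana", "last_name": "Ortiz"})
    f.update(override)
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    attrs = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                    "</saml:Attribute>" for k, v in f["attrs"].items())
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="{ts(now)}" Destination="{f['destination']}">
 <saml:Issuer>{f['issuer']}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts(now)}"><saml:Issuer>{f['issuer']}</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>not-checked-here</ds:SignatureValue><ds:KeyInfo>
   <ds:X509Data><ds:X509Certificate>{f['cert']}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{f['name_id_format']}">{f['attrs'].get('email', '')}</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="{f['recipient']}" NotOnOrAfter="{ts(f['not_after'])}"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="{ts(f['not_before'])}" NotOnOrAfter="{ts(f['not_after'])}">
   <saml:AudienceRestriction><saml:Audience>{f['audience']}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions><saml:AttributeStatement>{attrs}</saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def saml_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(xml_text, settings, acs_url, audience, now):
    """Return the mismatches a wrong step-2/3/4 value produces; an empty list means all passed.
    The XML-DSig signature must still be verified by a library such as xmlsec; pinning the
    embedded cert to the metadata cert, as done here, is no substitute for that."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    cert = a.find(".//ds:X509Certificate", NS)
    checks = [  # (label, value carried in the Response, value WBSync was configured with)
        ("Status", root.find("samlp:Status/samlp:StatusCode", NS).get("Value"), SUCCESS),
        ("Destination (step 2)", root.get("Destination"), acs_url),
        ("Recipient (step 2)", scd.get("Recipient"), acs_url),
        ("Audience (step 2)", cond.find("saml:AudienceRestriction/saml:Audience", NS).text, audience),
        ("NameID format (step 3)", a.find("saml:Subject/saml:NameID", NS).get("Format"), EMAIL_FORMAT),
        ("Response Issuer (step 4)", root.find("saml:Issuer", NS).text, settings["idp_entity_id"]),
        ("Assertion Issuer (step 4)", a.find("saml:Issuer", NS).text, settings["idp_entity_id"]),
        ("signing cert (step 4)", cert is not None and norm_cert(cert.text), settings["idp_cert_b64"]),
    ]
    problems = [f"{label}: got {got!r}, expected {want!r}" for label, got, want in checks if got != want]
    if not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))
            and now < saml_time(scd.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window (check clock skew)")
    present = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing attribute {n!r} (step 3)" for n in REQUIRED_ATTRS if n not in present]
    return problems
```

Each override in build_response reproduces one of the failures the Test connection badge reports: a trailing-slash typo in the Audience URI, a stale certificate after Okta rotates its signing key, a clock-skewed assertion, or an attribute statement left out of step 3. The cert_sha256 value is there so you can compare what you pasted into WBSync against what Okta publishes without eyeballing a PEM block.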

Frequently asked

Can the Owner still sign in if SSO breaks?

Yes. The Owner always retains password fallback at /accounts/login/, even with 'Require SSO for everyone except the Owner' switched on. This is the lockout escape: your IdP can go down and you still get back in to fix it. It is also the one sign-in path your IdP's policy does not cover, so treat the Owner password as a break-glass credential: long, unique, and not shared with day-to-day users.

What happens to existing users?

Their accounts are preserved. On their first SSO sign-in WBSync binds their IdP subject to the existing user row, so audit history, role and assignments carry over. If 'Require SSO for everyone except the Owner' is on (recommended), existing non-Owner users must be bound deliberately — see the JIT section.

What about new users? Do I have to invite them first?

No. JIT provisioning is on by default: the first time someone with your email domain signs in via the IdP, WBSync creates their account automatically with the role you picked on the SSO settings page (default: Foreman). You can change their role afterwards in the directory. Note that JIT trusts the IdP: anyone Okta lets into the WBSync app with an address in your domain gets an account, so control who that is through the app's assignments in Okta rather than by withholding invitations.

Is the OIDC client secret stored safely?

A SAML connection has no client secret: the IdP X.509 certificate you paste in step 4 is a public value, and trust rests on verifying the IdP's signature with it. If you switch the Protocol to OIDC instead, yes: secrets are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256), using the same key-rotation ceremony as our third-party clock-in integrations. The plain secret is never displayed back to you; paste a new one to rotate.

What does 'Test connection' actually do?

It runs a real round-trip with your IdP, but instead of signing you in it just records the outcome on the settings page. So you can sit in WBSync as the Owner, click the button, and watch the result land — without giving up your current session.

Related