Enable SSO (Single Sign-On)
If you are an admin for your Orbit workspace, you can enable Single Sign-On so that all users have to sign in via SSO in your workspace. This step-by-step guide will walk you through an example of how to set it up with Okta as your identity provider.
Note: SSO is only available for workspaces on the Enterprise Plan.
Enable SSO in your workspace
1) Go to Settings -> Workspace Security. Under Workspace Security, you will see a section called "SAML Single Sign-On". Click the checkbox next to "Enable SAML Single Sign-On", and then click "Save SAML SSO Settings".
2) You'll now see a form with some blank fields. You will need to fill out the Sign-On URL and Public Certificate fields so that Orbit knows where to forward your teammates when they try to sign in with SSO. Keep this page open as we walk you through how to connect Orbit to your identity provider in the next section.
Connect Orbit to Okta
1) Go to your Okta account and create a new app.
2) In Orbit under Workspace Security, scroll down to the section that shows Single Sign-On URL and Audience URI. You will be inserting these fields into Okta.
You can find these fields under Settings -> Workspace Security
3) In Okta, go to "Configure SAML" in your new app and fill in these fields with the info you copied from Step 2.
Your Okta configuration should look similar to the info in this image.
4) Next in Okta, scroll down to Attribute Statements (optional). We will now add email as an attribute statement. Fill in "email" for Name, "Unspecified" for Name format, and "user.email" for Value.
After you've added this, click "Save" to save your Okta app settings. Woohoo! You've completed the work on the Okta side! Continue to the next section to connect Okta to Orbit.
Connect Okta to Orbit
Next, let's get Orbit the info it needs to make this work.
1) Go to your Okta app's Sign-On page and click View Setup Instructions.
Here, you will see the values you need to copy to complete the setup on the Orbit side.
3) Copy the Identity Provider Single Sign-On URL, go to Orbit -> Settings -> Workspace Security and paste it into the Sign-On URL field on the form.
4) Copy the Public X.509 Certificate, go to Orbit, and paste it into the Public Certificate field on the form.
5) In Orbit, click "Save" and tada! You've successfully set up SSO in your workspace.
Require SSO in your workspace
If you'd like to require that all teammates use SSO to sign in to your Orbit workspace, click the checkbox next to "Require collaborators to use Single Sign-On" on the Workspace Security page.
We currently do not support SCIM. This means that if you enable SSO on your workspace:
- Users need to have an active account in your Orbit workspace in order to be able to log in with SSO.
- If you invite users to your workspace, they must accept the invitation in order to log in with SSO.
- If the email used for the Attribute Statement during the Okta app setup is different from the one a user used to sign up for Orbit, they won't be able to log in with SSO.
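A pre-flight check for the three conditions above, as an added example that is not Orbit's or Okta's own code: it compares a workspace member list against the users assigned to the Okta app and reports who could not sign in once SSO is required. The input shapes (email and status pairs, a list of user.email values), the status names, and case-insensitive matching are assumptions.

```python
# Added example: pre-flight check before requiring SSO. Input shapes are assumed.
from dataclasses import dataclass, field


def norm(email: str) -> str:
    # Assumption: addresses are compared case-insensitively, ignoring stray spaces.
    return email.strip().lower()


@dataclass
class Preflight:
    ready: list = field(default_factory=list)             # can sign in with SSO
    pending_invite: list = field(default_factory=list)    # invited, not yet accepted
    email_mismatch: list = field(default_factory=list)    # active in Orbit, no matching user.email
    no_orbit_account: list = field(default_factory=list)  # in Okta only; no SCIM to create them


def sso_preflight(orbit_members, okta_emails) -> Preflight:
    """orbit_members: iterable of (email, status), status 'active' or 'invited'.
    okta_emails: user.email of every user assigned to the Okta app."""
    okta = {norm(e) for e in okta_emails}
    result = Preflight()
    seen = set()
    for email, status in orbit_members:
        key = norm(email)
        seen.add(key)
        if status != "active":
            result.pending_invite.append(key)
        elif key in okta:
            result.ready.append(key)
        else:
            result.email_mismatch.append(key)
    result.no_orbit_account = sorted(okta - seen)
    return result


# Constructed sample data (example.com addresses, not real exports).
ORBIT_MEMBERS = [
    ("Ana@example.com", "active"),
    ("bo@example.com", "invited"),
    ("cy.personal@example.com", "active"),
]
OKTA_EMAILS = ["ana@example.com", "bo@example.com", "cy@example.com", "di@example.com"]

if __name__ == "__main__":
    report = sso_preflight(ORBIT_MEMBERS, OKTA_EMAILS)
    for name in ("ready", "pending_invite", "email_mismatch", "no_orbit_account"):
        print(f"{name}: {getattr(report, name)}")
```

Anyone listed under pending_invite or email_mismatch would be unable to sign in after "Require collaborators to use Single Sign-On" is checked, so resolve those entries first.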