Okta SSO Setup Guide

This guide outlines the steps required to configure Single Sign-On (SSO) between your Okta instance and the Kernel platform using SAML.

Step 1 — Kernel Sends You the ACS URL

Kernel will provide you with the ACS (Assertion Consumer Service) URL, SP Entity ID and SP Metadata. The ACS URL is the endpoint Okta will send the SAML assertion to, and you will need it to create the Kernel application in Okta.

Action for client: Wait to receive the ACS URL from your Kernel contact before proceeding.

Step 2 — Create the Kernel App in Okta & Share the IdP Metadata URL

Once you have the ACS URL from Kernel, create a new SAML application in Okta:

  1. Log in to your Okta Admin Console.

  2. Go to Applications → Applications → Create App Integration.

  3. Select SAML 2.0 and click Next.

  4. Fill in the app name (e.g. "Kernel") and proceed.

  5. In the SAML Settings, paste the ACS URL provided by Kernel in the Single sign-on URL field.

  6. Complete the setup and save.

  7. Navigate to the app's Sign On tab → scroll to the Metadata section.

  8. Copy the Identity Provider Metadata URL.

Action for client: Share the Okta IdP Metadata URL with Kernel so they can complete the configuration on their end.

Step 3 — Configure Attribute Mappings

In the Okta app, go to the Sign On tab and edit the Attribute Statements. Add the following three mappings exactly as shown — pay close attention to the attribute names, as incorrect naming (e.g. userLast instead of lastName) will cause login errors.

Name           Value
-----------    --------------
email          user.email
firstName      user.firstName
lastName       user.lastName
User IdP ID    user.email*

* Usually it is email; please check if this is the case for your organisation.

Important: The NameID should be mapped to the user’s email address, as that is what Kernel uses for identification.

Action for client: Save the attribute statements and notify Kernel once done.

Step 4 — Test the SSO Login

Once Kernel confirms the configuration is complete on their end:

  1. Ensure all users who will test SSO already have active accounts in the Kernel platform (users must have signed up / been provisioned in Kernel before SSO will work).

  2. Have a test user attempt to log in via Okta SSO.

  3. If login fails, double-check the attribute mappings in Step 3 — a common mistake is using userLast instead of lastName for the last name field.
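A check for the mapping mistakes described in Steps 3 and 4, as an added example that is not part of Kernel's or Okta's own tooling: given a decoded SAML assertion from a test login, it reports missing attribute names and a NameID that does not match the email. The function names and the sample assertions are constructed for illustration, and the "User IdP ID" row is not checked.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
REQUIRED = ("email", "firstName", "lastName")  # exact, case-sensitive names from Step 3

def check_assertion(xml_text):
    """Return a list of mapping problems in a decoded SAML assertion or response.

    Inspects names and values only; it does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name", "")] = (value.text or "").strip() if value is not None else ""
    problems = []
    present = ", ".join(sorted(attrs)) or "none"
    for name in REQUIRED:
        if name not in attrs:
            problems.append(f"missing attribute '{name}' (assertion has: {present})")
    # Step 3: the NameID should be the user's email address
    node = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else ""
    email = attrs.get("email", "")
    if not name_id:
        problems.append("NameID is missing")
    elif email and name_id.lower() != email.lower():
        problems.append(f"NameID '{name_id}' differs from email '{email}'")
    return problems

def sample(name_id, attrs):
    """Build a constructed, unsigned assertion for the demo (not real Okta output)."""
    body = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
        f"</saml:AttributeValue></saml:Attribute>" for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
            f"<saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
            "</saml:Assertion>")

GOOD = sample("ada@example.com", {"email": "ada@example.com",
                                  "firstName": "Ada", "lastName": "Lovelace"})
# Constructed misconfiguration: userLast instead of lastName, username as NameID
BAD = sample("alovelace", {"email": "ada@example.com",
                           "firstName": "Ada", "userLast": "Lovelace"})

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD), ("bad", BAD)):
        print(label, check_assertion(xml_text) or "OK")
```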
