# Okta SSO Setup Guide

## Step 1 — Kernel Sends You the ACS URL

Kernel will provide you with the ACS (Assertion Consumer Service) URL, SP Entity ID and SP Metadata. The ACS URL is the endpoint Okta will send the SAML assertion to. You will need it to create the Kernel application in Okta.

Action for client: Wait to receive the ACS URL from your Kernel contact before proceeding.

## Step 2 — Create the Kernel App in Okta & Share the IdP Metadata URL

Once you have the ACS URL from Kernel, create a new SAML application in Okta:

1. Log in to your Okta Admin Console.
2. Go to Applications → Applications → Create App Integration.
3. Select SAML 2.0 and click Next.
4. Fill in the app name (e.g. "Kernel") and proceed.
5. In the SAML Settings, paste the ACS URL provided by Kernel in the Single sign-on URL field.
6. Complete the setup and save.
7. Navigate to the app's Sign On tab → scroll to the Metadata section.
8. Copy the Identity Provider Metadata URL.

Action for client: Share the Okta IdP Metadata URL with Kernel so they can complete the configuration on their end.

## Step 3 — Configure Attribute Mappings

In the Okta app, go to the Sign On tab and edit the Attribute Statements. Add the following three mappings exactly as shown — pay close attention to the attribute names, as incorrect naming (e.g. userLast instead of lastName) will cause login errors.

| Name        | Value                                                                                        |
| ----------- | -------------------------------------------------------------------------------------------- |
| email       | user.email                                                                                   |
| firstName   | user.firstName                                                                               |
| lastName    | user.lastName                                                                                |
| User IdP ID | user.email (usually the email; please check whether this is the case for your organisation) |

Important: The NameID should be mapped to the user’s email address, as that is what Kernel uses for identification.

Action for client: Save the attribute statements and notify Kernel once done.

## Step 4 — Test the SSO Login

Once Kernel confirms the configuration is complete on their end:

1. Ensure all users who will test SSO already have active accounts in the Kernel platform (users must have signed up / been provisioned in Kernel before SSO will work).
2. Have a test user attempt to log in via Okta SSO.
3. If login fails, double-check the attribute mappings in Step 3 — a common mistake is using userLast instead of lastName for the last name field.
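
When double-checking the Step 3 mappings, it helps to inspect the assertion Okta actually sends. The following is an added example, not Kernel's or Okta's own code: it parses a decoded SAML assertion and reports attribute names that differ from the Step 3 table, plus a NameID that does not match the email attribute. The function name and the sample assertion are constructed for illustration, and one value per attribute is assumed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names from the Step 3 table.
REQUIRED = ("email", "firstName", "lastName", "User IdP ID")

def check_assertion(xml_text):
    """Return a list of mapping problems in a decoded SAML assertion.

    Mapping check only: it does not validate the signature and is meant
    for an assertion you captured yourself from a test login.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        value = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (value.text or "").strip() if value is not None else ""
    problems = []
    for name in REQUIRED:
        if name not in attrs:
            problems.append(f"missing attribute: {name}")
        elif not attrs[name]:
            problems.append(f"empty attribute: {name}")
    for name in attrs:
        if name not in REQUIRED:
            problems.append(f"attribute not in Step 3 table: {name}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    name_id_text = (name_id.text or "").strip() if name_id is not None else ""
    if not name_id_text:
        problems.append("missing NameID")
    elif name_id_text.lower() != attrs.get("email", "").lower():
        problems.append("NameID does not match the email attribute")
    return problems

# Constructed sample: lastName is sent as userLast, the mistake named in Step 3.
SAMPLE_BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userLast"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User IdP ID"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_GOOD = SAMPLE_BAD.replace("userLast", "lastName")

if __name__ == "__main__":
    for label, doc in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_assertion(doc) or "OK")
```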


