Note: Only Admins on your Team can set up Single Sign-On as an authentication method.

There are two sides to setting up SSO. First, we'll go through how to set things up in Okta, then we'll complete the process on Stack Overflow for Teams.

To start, log in to your Okta account, and add a new Application. Choose "Web" as Platform and "SAML 2.0" as Sign on method.

Next, enter an App Name. We suggest Stack Overflow for Business.

When you click 'Next', you get to the real nitty-gritty of setting up SSO: the SAML Settings page.

  • Single sign on URL is the Assertion Consumer Service URL from the Auth Settings page of your Team. From your Teams account, click on Settings, then Auth Settings to get the Assertion Consumer Service URL from the box on the right sidebar:

  • Audience URI is something you can make up. The URI doesn't need to resolve to anything, but it *must* be copy-pasted into your Team auth settings. On the Team Auth Settings page (/admin/auth-settings), this will be used as the Audience Restriction.

  • Response should be Signed.

  • Assertions should be Unencrypted.

  • Next is the SAML Issuer ID. Just like the Audience URI, it doesn't need to resolve to a valid route, but whatever you choose should also match the Issuer field on the Team auth settings page.

Attribute Statements are required for Teams, and should be set up with the following values:

Click Next to submit the SAML setup details.

That's it for the setup on the Okta side. Now we'll use the information Okta gives us to set up the second half of the integration on Stack Overflow.

Afterwards, you can get the Setup instructions from the "Sign On" tab:

Now open your Stack Overflow Team in a separate tab and go to Settings -> Auth Settings (only visible to Team admins). You'll need to fill in the following fields according to what you got from Okta:

  • Single Sign-On Service Url: that's the Identity Provider Single Sign-On URL seen above

  • Single Sign-On Service Protocol Binding: do not change, leave as POST

  • Issuer and Audience Restriction: should match SAML Issuer ID and Audience URI respectively

  • Display Name Assertion: should match the name of an Attribute Statement for the user display name

  • Email Address Assertion: should match the name of an Attribute Statement for the user email

  • Leave all checkboxes unchecked

  • Identity Provider Certificates: copy and paste the certificate for your Okta setup, as shown above
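
To check that both sides agree, the following added example (not part of the original article, and not Okta or Stack Overflow code) decodes a base64 SAMLResponse and compares it with the Issuer, Audience Restriction and assertion names entered above. The issuer, audience and attribute names are constructed placeholders, and the check is structural only: it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def check_saml_response(b64_response, issuer, audience, attr_names):
    """Return a list of mismatches between a SAMLResponse and the Team auth settings.
    Structural comparison only: the signature is NOT cryptographically verified."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.find("ds:Signature", NS) is None:          # "Response should be Signed"
        problems.append("Response is not signed")
    if root.find("saml:EncryptedAssertion", NS) is not None:  # "Assertions ... Unencrypted"
        problems.append("Assertion is encrypted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["No plaintext Assertion found"]
    found_issuer = (assertion.findtext("saml:Issuer", "", NS) or "").strip()
    if found_issuer != issuer:                         # must equal the Issuer field
        problems.append(f"Issuer mismatch: got {found_issuer!r}")
    audiences = [a.text.strip() for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:                      # must equal the Audience Restriction
        problems.append(f"Audience mismatch: got {audiences!r}")
    present = {a.get("Name") for a in assertion.iterfind(
        "saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"Missing attribute: {n}" for n in attr_names if n not in present]
    return problems

# Constructed sample with placeholder values and an empty signature; not real Okta output.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Issuer>example-issuer-id</saml:Issuer>
 <ds:Signature/>
 <saml:Assertion>
  <saml:Issuer>example-issuer-id</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>example-audience-uri</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"/><saml:Attribute Name="displayName"/>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode())

print(check_saml_response(SAMPLE, "example-issuer-id", "example-audience-uri", ["email", "displayName"]))
```

An empty list means the response matches the values you entered; each string in a non-empty list names a setting to recheck on one side or the other.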

This is how you should set up your Team for the settings above: