Single Sign-On (SSO)

JustAI supports SAML 2.0 SSO and can usually be configured in a 30-minute call. Use the steps below or reference the Okta SAML guide from Clerk.

We will:

  • Confirm the domains you want SSO to cover.
  • Share JustAI service provider (SP) details.
  • Walk through the IdP app configuration.
  • Test sign-in with a pilot user.

Please share the IdP metadata URL or metadata file after your app is created.

If possible, share a pilot user email to validate the flow.

We will send you the two values required in Okta and Google Workspace:

  • Single sign-on URL.
  • Audience URI (SP Entity ID).

Step 1: Create A New Enterprise App In Okta

  1. Sign in to Okta and select Admin.
  2. Open Applications and select Applications.
  3. Select Create App Integration.
  4. Choose SAML 2.0 and select Next.
  5. Complete the General Settings fields and set App name to JustAI.
  6. Download the JustAI logo and upload it as the app logo.
  7. Select Next to open Configure SAML.
  8. Paste the JustAI Single sign-on URL and Audience URI (SP Entity ID) values into their fields.

We expect your SAML responses to include these attributes:

  • Email address (required).
    • SAML attribute name: mail.
  • First name (optional).
    • SAML attribute name: firstName.
  • Last name (optional).
    • SAML attribute name: lastName.

In Okta, Name is the SAML attribute name and Value is an Okta expression (for example, user.email).

To confirm the mappings in Okta:

  1. In Attribute Statements (optional), set Name to mail and Value to user.email.
  2. Select Add Another.
  3. Set Name to firstName and Value to user.firstName.
  4. Select Add Another.
  5. Set Name to lastName and Value to user.lastName.
  6. Select Next.
  7. Complete the Feedback page and select Finish.

To assign users or groups to the app:

  1. In the app, open the Assignments tab.
  2. Select Assign and choose Assign to people or Assign to groups.
  3. Search for the user or group, then select Assign.
  4. Select Done to complete the assignment.

To share the IdP metadata with JustAI:

  1. Open the app Sign On tab.
  2. Under Sign on methods, copy the Metadata URL.
  3. Share the metadata URL with JustAI so we can enable SSO and test.

Step 1: Create A Custom SAML App In Google Workspace

  1. Sign in to the Google Admin Console.
  2. In the navigation, select Apps and then Web and mobile apps.
  3. Select Add app, then choose Add custom SAML app.
  4. Enter an App name (for example, JustAI) and select Continue.

Step 2: Configure Google As The Identity Provider

Use metadata configuration:

  1. In Option 1: Download IdP Metadata, select Download Metadata.
  2. Share the downloaded metadata file with JustAI.

Step 3: Configure JustAI As The Service Provider

  1. In the Google Admin Console, paste the ACS URL and Entity ID values provided by JustAI.
  2. Under Name ID, set the Name ID format to Email.
  3. Select Continue.

Step 4: Map Google Claims To JustAI Attributes

JustAI expects the following attributes:

JustAI attribute    Google claim
mail                Basic Information > Primary email
firstName           Basic Information > First name
lastName            Basic Information > Last name

The only required Google claim is Primary email.

  1. Under Attributes, select Add mapping.
  2. Choose Primary email under Google Directory attributes.
  3. Enter mail in App attributes.
  4. Add optional mappings for firstName and lastName if you want to pass profile data.
  5. Select Finish.

To turn on the app for users:

  1. In User access, select OFF for everyone to open Service status.
  2. Select ON for everyone (or limit access to pilot users first).
  3. Select Save.
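
A preflight check for the pilot sign-in, covering the attribute mappings from both the Okta and Google Workspace steps above. This is an added example, not JustAI code: it inspects a decoded SAML assertion captured during testing and reports missing or misnamed attributes. The function name, sample assertion and entity ID are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Diagnostic only: this does not verify the XML signature and must not be
# used to make authentication decisions. Run it on assertions you captured.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = {"mail"}                    # required attribute named on this page
OPTIONAL = {"firstName", "lastName"}   # optional attributes named on this page

# Constructed sample: the email is mapped under the wrong name ("email").
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">pilot@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/entity-id</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>pilot@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, expected_audience):
    """Return a list of findings; an empty list means the mappings look right."""
    root = ET.fromstring(xml_text)
    findings = []
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    # Attribute names are case-sensitive: "Mail" or "email" is not "mail".
    for name in sorted(REQUIRED):
        if not any(v.strip() for v in attrs.get(name, [])):
            findings.append(f"missing required attribute: {name}")
    for name in sorted(set(attrs) - REQUIRED - OPTIONAL):
        findings.append(f"unexpected attribute name: {name}")
    audiences = [e.text for e in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append("Audience does not match the SP Entity ID")
    return findings

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE_ASSERTION, "https://sp.example.invalid/entity-id"):
        print(finding)
```

Replace the placeholder entity ID with the Audience URI (SP Entity ID) value you received before running it against a real pilot assertion.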

Do you support Just-In-Time (JIT) provisioning?

Yes. JustAI can create users on first SSO login and assign a default role you approve.

Do you support SCIM?

SCIM is not required for SSO. If you need automated deprovisioning or group sync, tell us and we will review options.

Can we enforce SSO for all users?

Yes. We typically enable enforcement after the pilot user confirms a successful login.

Can we use another IdP besides Okta?

Yes. Any SAML 2.0 provider that can send the required attributes works.