Centralize your team’s access to Unblocked by connecting it to Okta.

Configure Single Sign-On

Follow the steps below to configure single sign-on for Okta.

1

Go to the Unblocked SSO Settings

Navigate to the Settings section of the Unblocked web app. Under Team Settings, select Security. Locate the Single Sign-On section and click Configure.

2

Create an Okta Application

From your Okta admin dashboard, navigate to the Applications tab. Click Create App Integration to create a new application using SAML 2.0.

Enter “Unblocked” as the app name and click Next.

3

Configure SAML Settings

Enter the following four values:

  • Single sign-on URL: provided from Unblocked
  • Audience URI (SP Entity ID): provided from Unblocked
  • Name ID format: EmailAddress
  • Application username: Email
4

Configure Attribute Statements

Enter the following two attribute statements:

NameName formatValue
firstNameBasicuser.firstName
lastNameBasicuser.lastName
5

Click Next

Click Next to proceed to the next step, then click Finish to save your changes.

6

Copy SAML metadata into Unblocked

From the Sign On tab of your Okta application, copy the following three values from your new Okta application into the Configure Okta form in Unblocked:

  • Sign on URL
  • Issuer
  • Signing Certificate
7

Assign Users

Assign users and groups to your Okta application to grant them access to Unblocked.

User and Group Provisioning

Once you’ve configured SSO, you can enable user and group provisioning to automatically manage user access to Unblocked. This feature allows you to automatically create, update, and deactivate users in Unblocked based on changes in Okta.

To configure SCIM provisioning from Okta to Unblocked, you’ll need to set up and configure SCIM provisioning in Okta.

1

Generate SCIM API Token

In the Unblocked web app, navigate to the Settings section. Under Team Settings, select Security. Locate the SCIM User and Group Provisioning section and click Configure.

Click Add Token to generate a new API token for SCIM provisioning. Copy both the new API token and the Base URL.

2

Enable SCIM Provisioning

From your Okta admin dashboard, navigate to your previously created Unblocked Application. On the General tab, click Edit and set the Provisioning toggle to SCIM. Then click Save.

3

Setup SCIM Connection

On the Provisioning tab, click Integration under settings, and then Edit.

  • Set the SCIM connector base URL to the Base URL that you copied earlier from Unblocked.
  • Set the Unique identifier field for users to email.
  • Check the following for the Supported provisioning actions:
    • Push New Users
    • Push Profile Updates
    • Push Groups
  • Set the Authentication method to HTTP Header.
  • Set the Authorization field to the API Token that you copied earlier from Unblocked.

Click Test API Credentials to verify the connection, and then click Save.

4

Configure Provisioning to Unblocked

On the Provisioning tab, click To App under settings, and then Edit.

  • Set the following Provisioning to App toggles to Enabled:
    • Create Users
    • Update User Attributes
    • Deactivate Users

Click Save.

5

Push Groups

On the Push Groups tab choose the groups you want to push to Unblocked. This completes the setup for SCIM provisioning from Okta to Unblocked.

Enforce SSO

Once SSO is configured, you can enforce its use for your team. This means all team members will be required to sign in using your SSO provider.

There are two enforcement options:

  • SSO Only: Users will be required to sign in to Unblocked using SSO. You may need to sign in with SSO before enabling this option.

  • SSO, a Source Code System, or Slack: Users can sign in using either SSO, their source code system (e.g., GitHub, Bitbucket, or GitLab), or Slack.

Allowed Email Domains

Verifying a domain ensures that users who enter an email address from that domain on the Unblocked sign-in page are automatically directed to your SSO login. This creates a seamless login experience and routes users through the correct authentication flow.

You can add multiple domains to enable SSO login detection for users with different email addresses. To verify a domain:

1

Add Domain

Click Add Domain and enter the domain name you want to verify.

2

Verify Domain

Unblocked will prompt you to add a TXT record to your DNS settings to complete the verification.

Once the domain is verified, any user who enters an email address matching that domain on the Unblocked sign-in page will see the SSO login option for your SAML provider.

Verifying a domain only controls the visibility of the SSO login option and does not automatically grant access to your Unblocked team. Access to Unblocked is still managed through user and group assignments in your identity provider (IdP).

To help your users easily recognize Unblocked in their identity provider dashboard, download the Unblocked logo for use in your SSO application.