Configuring SAML SSO in OKTA

Creating the LinearB integration in Okta

1. Go to  OKTA and open okta LinearB app
2. Go to Sign On settings and under SAML 2.0 click on “More details”

   

3. Open in another tab the LinearB app
4. Go to Company Settings>Authentication>Single-Sign-On click on Set up SSO and paste the following fields:

   

   1. Copy Sign on URL from Okta and paste into the Identity Provider Single Sign-On URL field in LinearB
   2. Copy Issuer from Okta and paste into the Provider Issuer field in LinearB
   3. Insert your Organization email domain
      1. Note that the domain must be correct. Also, generic domains (gmail.com, yahoo.com, hotmail.com) cannot be used as your organization email domain.
   4. Copy the X-509 Certificate from Okta and paste into LinearB
5. Once pasted into LinearB
   1. copy your LinearB organization ID

      

   2. Go to Sign On>Advanced Sign-on Settings and paste your LinearB organization ID

      

   3. In “Application username format” select Email
6. Once everthing is pasted into LinearB and Okta, click the Save button, and set the "SAML Authentication" toggle button to ON.

Users logging in with SSO will be prompted to enter their email when they click on the SSO button on the LinearB login page.

How can I enforce SSO?

By checking the "Team members will only be able to access LinearB using your SSO provider" checkbox, LinearB will require all users logging in to access LinearB using their email address linked to your SSO provider.

If this checkbox is unchecked, users can log in using either SSO or the other auth versions available in LinearB.

How to validate the SAML login is working

There are two steps to verify your SSO has been configured correctly.

• Browse to the user app dashboard in Okta, click on LinearB app. Expected result: Login to LinearB
• Browse to LinearB login page, click on the SSO Icon and type your username. Expected result: Login with Okta

Inviting users to LinearB with SSO enabled

Once SSO is enabled, new team members will need to be added via your IDP's LinearB integration. Users added via your IDP integration will have "Viewer" permissions by default, LinearB admins can update user permissions from the LinearB user settings page here.

Users need to log in to LinearB with the same email/domain as is used in your SSO service. Email addresses are case sensitive.

Customizing Username in OKTA

The userName attribute mapping in Okta allows the Okta administrator to define which field LinearB will use as the username for new users created through SAML SSO. In most cases, this field is user.login (e.g., ${user.login}). If the userName attribute is not mapped, LinearB will default to using the user's email as their username.

1. Go to the LinearB application in Okta.
2. Click on the General tab.
3. Under SAML Settings, click Edit.
4. Click Next.
5. Under Attribute Statements, create a field named userName and set its value to ${user.login}.
6. Click Next, then Finish to save your changes.

How to disable SSO

SSO can be disabled by sliding the SAML Authentication button into the off position.