SAML SSO Setup — Okta, Azure AD, and Generic Providers

Velaro V20 supports SAML 2.0 single sign-on for agent and admin login. Once configured, users log in through your identity provider (IdP) and land directly in the Velaro workspace — no separate Velaro password required.

Supported Identity Providers

  • Okta
  • Microsoft Azure Active Directory / Entra ID
  • Google Workspace (via SAML app)
  • PingIdentity / PingID (see PingID SAML SSO Setup Guide for detailed steps)
  • OneLogin
  • Any SAML 2.0-compliant provider

Step 1 — Get Velaro's SP Metadata

  1. Go to Settings → Security → Single Sign-On.
  2. Copy the Assertion Consumer Service (ACS) URL and Entity ID (SP Entity ID). You will paste these into your IdP.
  3. Download the SP Metadata XML if your IdP supports metadata import.

Step 2 — Configure Your Identity Provider

Okta

  1. In the Okta admin console, go to Applications → Create App Integration → SAML 2.0.
  2. Set Single Sign On URL to the Velaro ACS URL.
  3. Set Audience URI (SP Entity ID) to the Velaro Entity ID.
  4. Under Attribute Statements, add (name → value): email → user.email, firstName → user.firstName, lastName → user.lastName.
  5. Assign users or groups to the application.
  6. Download the IdP metadata XML or copy the IdP SSO URL and certificate.

Azure Active Directory / Entra ID

  1. In the Azure portal, go to Enterprise Applications → New Application → Create your own application → Non-gallery.
  2. Under Single sign-on → SAML, set the Identifier (Entity ID) and Reply URL (ACS URL) from Velaro.
  3. In Attributes & Claims, ensure emailaddress, givenname, and surname are mapped.
  4. Download the Federation Metadata XML from Azure for use in Velaro.
  5. Assign users or groups to the enterprise application.

Step 3 — Configure Velaro

  1. Back in Settings → Security → Single Sign-On, click Configure IdP.
  2. Paste or upload your IdP metadata XML. Alternatively, enter the IdP SSO URL, IdP Entity ID, and X.509 certificate manually.
  3. Map the SAML attribute names to Velaro fields (email, first name, last name are required; role is optional).
  4. Set the Default Role for new users provisioned via SSO (Agent, Supervisor, or Admin).
  5. Toggle Enforce SSO to require all users to log in through the IdP. When enforced, username/password login is disabled.
  6. Click Save & Test Connection.

Just-In-Time (JIT) Provisioning

When JIT provisioning is enabled, a new Velaro agent account is automatically created the first time a user authenticates via SSO. They receive the Default Role assigned in step 3. Existing accounts are matched by email address and updated with the latest attributes from the IdP on each login.

Troubleshooting

Symptom | Likely Cause | Fix
Redirect loop after IdP login | ACS URL mismatch | Verify the ACS URL in your IdP exactly matches the one in Velaro Settings
"Invalid SAML response" error | Certificate expired or wrong | Re-download and re-upload the IdP certificate in Velaro
User created with wrong role | Role attribute not mapped | Add a role attribute in the IdP and map it in Velaro SSO settings
SSO works but user can't access certain pages | Permissions issue unrelated to SSO | Check the user's Role and Team membership in Velaro Settings → Agents
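
A pre-flight check for the ACS URL, Entity ID and attribute-mapping causes listed above, as an added example (not Velaro's code): it reads a decoded SAML response captured from a test login and reports what does not line up. The URLs, the sample response, the `preflight` helper and the `role` attribute name are constructed assumptions; the required names are the Okta ones from Step 2.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # attribute names from the Okta steps

# Constructed sample: decoded SAML response, signature omitted, placeholder URLs.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://sp.example.test/saml/acs/">
 <a:Assertion>
  <a:Conditions><a:AudienceRestriction>
   <a:Audience>https://sp.example.test/saml</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement>
   <a:Attribute Name="email"><a:AttributeValue>pat@example.test</a:AttributeValue></a:Attribute>
   <a:Attribute Name="firstName"><a:AttributeValue>Pat</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion>
</p:Response>"""

def preflight(xml_text, acs_url, entity_id, role_attr="role"):
    """Diagnostic only: compares fields, does NOT verify the XML signature."""
    root = ET.fromstring(xml_text)
    findings = []
    dest = root.get("Destination", "")
    if dest != acs_url:  # exact string comparison, as the table requires
        slash_only = dest.rstrip("/") == acs_url.rstrip("/")
        hint = " (differs only by trailing slash)" if slash_only else ""
        findings.append(f"ACS URL mismatch: IdP sent {dest!r}{hint}")
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if entity_id not in audiences:
        findings.append(f"Entity ID mismatch: audiences {audiences}")
    attrs = {}
    for attr in root.iterfind(".//a:Attribute", NS):
        val = attr.find("a:AttributeValue", NS)
        attrs[attr.get("Name")] = (val.text or "").strip() if val is not None else ""
    for name in REQUIRED:
        if not attrs.get(name):
            findings.append(f"required attribute missing or empty: {name}")
    if not attrs.get(role_attr):  # role is optional; JIT then applies the Default Role
        findings.append(f"no {role_attr!r} attribute: JIT user gets the Default Role")
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE, "https://sp.example.test/saml/acs",
                             "https://sp.example.test/saml"):
        print(finding)
```

Run it against a response from a test login before turning on Enforce SSO, since enforcing disables username/password login.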
