Single Sign-On (SSO)

Info: SSO requires an Enterprise plan. When SSO is enabled, users in your account must authenticate through your Identity Provider (IdP).

Overview

Extract supports SAML 2.0 Single Sign-On. You configure a SAML app in your IdP, then paste the IdP values into the SSO Settings page in Extract.

Service Provider (Extract) values

Use these values in your Identity Provider when creating the SAML application:

| Setting | Value | Notes |
|---|---|---|
| SP Entity ID (Audience URI) | https://api.extract.to/auth/saml/metadata | Sometimes called Audience URI or SP Entity ID |
| ACS URL (Single Sign-On URL / Reply URL) | https://api.extract.to/auth/saml/callback | Must be HTTPS |
| Name ID format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | NameID must be the user email |

Identity Provider values to enter in Extract

From your IdP, collect the following and paste them into Settings -> SSO Settings:

  • Identity Provider Entity ID (Issuer)
  • Single Sign-On URL
  • Single Logout URL
  • X.509 Certificate (paste the certificate body without the BEGIN/END headers)

Okta configuration

These steps describe a standard SAML 2.0 app integration in Okta. For detailed guidance, see Okta's official documentation on creating a SAML app integration.

  1. In the Okta Admin Console, go to Applications -> Create App Integration.
  2. Select SAML 2.0 as the sign-in method.
  3. Configure the SAML settings with the Extract values:
    • Single sign-on URL (ACS URL): https://api.extract.to/auth/saml/callback
    • Audience URI (SP Entity ID): https://api.extract.to/auth/saml/metadata
    • Name ID format: EmailAddress
    • Application username: Email
  4. Finish the wizard and open the app's Sign On tab to view Identity Provider metadata.
  5. Copy the Issuer, SSO URL, SLO URL, and X.509 certificate from Okta and paste them into Extract.
  6. Assign the app to users or groups in Okta.
  7. Test login using the Login via SSO flow in Extract.

Troubleshooting

  • Invalid login or missing user: Ensure the SAML NameID matches the user's email in Extract.
  • Certificate errors: Paste only the certificate body (no BEGIN/END headers).
  • SLO URL missing: Extract requires a Single Logout URL; ensure it's enabled in Okta and configured in the app.
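
A diagnostic for the "Invalid login or missing user" item, added here as an example and not taken from Extract or Okta: it decodes a base64 SAMLResponse that you captured yourself from the browser's POST to the ACS URL and compares Audience, Recipient and NameID with the Service Provider values above. The function names and the sample response are constructed for illustration, and the check does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

# Service Provider values from the table on this page.
SP_ENTITY_ID = "https://api.extract.to/auth/saml/metadata"
ACS_URL = "https://api.extract.to/auth/saml/callback"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, expected_email):
    """Return a list of configuration problems; an empty list means none found.

    Diagnostic only: the signature is NOT verified, so this must never be
    used to decide whether a login is authentic.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience is not the SP Entity ID")
    recipients = [e.get("Recipient") for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("Recipient is not the ACS URL")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None:
        return problems + ["NameID is missing"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    # Exact comparison; whether Extract ignores case is not stated on the page.
    if (name_id.text or "").strip() != expected_email:
        problems.append("NameID does not match the user's email")
    return problems

def sample_response(name_id, fmt=EMAIL_FORMAT, audience=SP_ENTITY_ID):
    """Constructed, unsigned sample standing in for a captured SAMLResponse."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
        '<saml:SubjectConfirmation><saml:SubjectConfirmationData '
        f'Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
        '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(sample_response("jdoe"), "jdoe@example.com"))
```

If the IdP encrypts assertions, the NameID is reported as missing, because the check reads only plaintext assertions.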