Single Sign On With Okta

Note: If you don't have access to the Single Sign On configuration screen, please reach out to our support team.

Currently, our Okta integration is a one-way integration. Users whose accounts are auto-provisioned with Okta are set to the member role.

To enable SSO with Okta:

As an Okta super admin, first go to the Applications tab to view all applications. Then:

  1. Click Browse App Catalog
  2. Search for the FireHydrant app, click into it, and click Add Integration
  3. Name your app (recommendation: FireHydrant) and hit Next. This will drop you onto the Assignments page.
  4. Click into Sign On and go to View SAML setup instructions
  5. As a FireHydrant Owner, navigate to FireHydrant and click into Organizations (Settings in the new beta UI) > Single Sign On.
  6. Enter the IdP Login URL, IdP Issuer, and IdP X509 Certificate from step 4 into FireHydrant. Optionally add a domain for SP-initiated logins.
  7. Enable SSO and save your configuration. This completes the setup for SAML 2.0 SSO.


Domains are the email domains you use to send and receive messages. For example, if your email is , add to your domains list. When a user visits the FireHydrant login page (instead of using Okta to log in) and types in their email address, a prompt will direct them to log in with Okta instead.

Just-in-time provisioning

When a user is authenticated with Okta, they are automatically added to the organization with a member role if they do not have an account. Otherwise, accounts are matched on the email provided by Okta on a successful login. When a user is removed from Okta, they are not automatically removed from FireHydrant.


To test, leave your session in FireHydrant open, visit Okta in a new window or tab, and attempt to log in with your newly configured integration. Leaving your FireHydrant session open should prevent you from getting locked out of your account during setup. If you do encounter a lockout, submit a ticket on our contact form for help.

Last updated on 2/9/2024