This guide walks through configuring SSO between your Okta Workforce Identity tenant and Root using SAML 2.0. The process has two parts: configuration you complete in Okta, and configuration Root’s support team completes on the Auth0 side.

Prerequisites

  • Admin access to your Okta organization
  • A Root support contact to complete the Auth0 side of setup — contact Root if you don’t have one
  • A CONNECTION_NAME agreed upon with Root (see Step 1)
  • Group names should be root-io-admins, root-io-members and root-io-readonlys. If they need to change, contact Root support.

Step 1: Define a Connection Name

Choose a CONNECTION_NAME that will be used in both Okta and Auth0 to identify this integration.
Once set in Auth0, the connection name cannot be changed. Agree on the name with your Root support contact before proceeding.
Format requirements:
  • All lowercase
  • No spaces
  • No special characters
Example: acme-okta-saml

Step 2: Configure Okta

2.1 Create a SAML 2.0 App Integration

  1. In your Okta Admin Console, go to Applications > Applications
  2. Click Create App Integration
  3. Select SAML 2.0 and click Next
  4. In General Settings, enter an app name (e.g., Root SAML 2.0) and click Next

2.2 Configure SAML Settings

In the Configure SAML tab, enter the following:
| Field | Value |
| --- | --- |
| Single sign-on URL | https://login.root.io/login/callback?connection=CONNECTION_NAME |
| Audience URI (SP Entity ID) | urn:auth0:slimdotai:CONNECTION_NAME |
Replace CONNECTION_NAME with your chosen value from Step 1. For example, using acme-okta-saml:
| Field | Example value |
| --- | --- |
| Single sign-on URL | https://login.root.io/login/callback?connection=acme-okta-saml |
| Audience URI | urn:auth0:slimdotai:acme-okta-saml |
Scroll down and click Next, then Finish on the Feedback tab.

2.3 Collect IdP Values for Root

In the Sign On tab:
  1. Click View SAML setup instructions
  2. Copy the Identity Provider Single Sign-On URL
  3. Click Download Certificate to get the X.509 certificate file (okta.cert)
If the certificate download does not trigger, open the link in a new browser tab.
Send both the IdP SSO URL and the certificate file to your Root support contact. The SAML setup instructions page displays three values:
| # | Field | Example |
| --- | --- | --- |
| 1 | Identity Provider Single Sign-On URL | https://your-org.okta.com/app/your-app/exk.../sso/saml |
| 2 | Identity Provider Issuer | http://www.okta.com/exk... |
| 3 | X.509 Certificate | PEM-encoded certificate block (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----) |
Copy the Single Sign-On URL (item 1) and click Download certificate at the bottom of the page to save the X.509 certificate file.

2.4 Add Attribute Statements

Still in the Sign On tab:
  1. In the Attribute statements panel, click Show legacy configuration
  2. Click Edit under Profile attribute statements
  3. Add the following three rows:
| Name | Name format | Value |
| --- | --- | --- |
| firstName | Unspecified | user.firstName |
| lastName | Unspecified | user.lastName |
| email | Unspecified | user.email |
  4. Under Group attribute statements, have a single row and enter the following:
| Name | Name format | Filter | (filter value) |
| --- | --- | --- | --- |
| groups | Unspecified | Matches regex | .* |
  5. Click Save

2.5 Assign Groups

  1. Go to Directory > Groups
  2. Click Add group and add 3 groups
    • root-io-admins
    • root-io-members
    • root-io-readonlys
  3. For each group, assign the appropriate people
  4. Go to the Applications > Application > [app] tab for your app
  5. Click Assign > Assign to groups
  6. Assign the 3 groups and click Save, then Done
The connection will work without groups, but without them set up correctly, all users will be in read-only mode.

Step 3: Hand Off to Root

Once Okta is configured, provide the following to your Root support contact:
| Item | Where to find it |
| --- | --- |
| Connection name (CONNECTION_NAME) | Agreed in Step 1 |
| Identity Provider Single Sign-On URL | Okta Sign On tab |
| X.509 certificate file (okta.cert) | Okta Sign On tab > Download |
| The names of the created groups | Okta groups |
Root will complete the Auth0 configuration and confirm when the connection is ready to test.

Step 4: Verify the Integration

Once Root confirms setup is complete:
  1. Log in to the Root platform at app.root.io using your Okta credentials
  2. Confirm successful authentication and that your user profile (name, email) appears correctly

Troubleshooting

| Symptom | Likely cause | Resolution |
| --- | --- | --- |
| Invalid audience or SAML assertion audience mismatch | Audience URI in Okta doesn’t match the Auth0 connection name | Verify the Audience URI is exactly urn:auth0:slimdotai:CONNECTION_NAME with your correct connection name |
| Invalid certificate or signature validation failure | Certificate format mismatch or wrong cert uploaded | Re-download the X.509 certificate from Okta in PEM format and resend to Root |
| Login redirects back to Okta without error | Clock skew between Okta and Auth0 | Confirm your Okta org’s system clock is accurate; SAML assertions expire after a few minutes |
| User authenticates but profile fields are empty | Missing attribute statements | Verify the three attribute statements (firstName, lastName, email) are configured per Step 2.4 |
If you encounter other issues, contact Root support with any error messages or screenshots.
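
To narrow down the causes in the troubleshooting table before contacting support, the following added example (not part of Root's or Okta's own tooling) checks a SAML response that you captured and base64-decoded during a test login against the values from Steps 2.2, 2.4 and 2.5. The function names and the sample response are constructed for illustration, and the script is a diagnostic only: it does not verify the signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROOT_GROUPS = {"root-io-admins", "root-io-members", "root-io-readonlys"}

def in_window(cond, now):
    try:  # timestamps are UTC with a trailing "Z"; a missing element or attribute counts as invalid
        nb, na = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00"))
                  for k in ("NotBefore", "NotOnOrAfter"))
        return nb <= now < na
    except (AttributeError, ValueError):
        return False

def check_response(xml_text, connection, now):
    """Added example (hypothetical helper): findings for a decoded SAML response; [] = all passed."""
    doc, out = ET.fromstring(xml_text), []
    if doc.get("Destination") != f"https://login.root.io/login/callback?connection={connection}":
        out.append("Destination differs from the Single sign-on URL")
    audiences = [e.text for e in doc.findall(".//a:Audience", NS)]
    if f"urn:auth0:slimdotai:{connection}" not in audiences:
        out.append(f"audience mismatch: {audiences}")
    if not in_window(doc.find(".//a:Conditions", NS), now):
        out.append("assertion outside its validity window")
    attrs = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
             for a in doc.findall(".//a:Attribute", NS)}
    for name in ("firstName", "lastName", "email"):  # Step 2.4 profile attributes
        if not any(attrs.get(name, [])):
            out.append(f"attribute statement missing or empty: {name}")
    groups = {g for g in attrs.get("groups", []) if g}
    if not groups & ROOT_GROUPS:  # Step 2.5: without a mapped group the user is read-only
        out.append("no root-io-* group sent: user will be read-only")
    if groups - ROOT_GROUPS:  # the ".*" filter sends every group the user belongs to
        out.append(f"info: other groups also sent: {sorted(groups - ROOT_GROUPS)}")
    return out

# Constructed sample with deliberate faults (wrong audience, no lastName, no root-io-* group)
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://login.root.io/login/callback?connection=acme-okta-saml">
 <a:Assertion><a:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:10:00Z">
   <a:AudienceRestriction><a:Audience>urn:auth0:slimdotai:acme-okta</a:Audience></a:AudienceRestriction>
 </a:Conditions><a:AttributeStatement>
   <a:Attribute Name="firstName"><a:AttributeValue>Ada</a:AttributeValue></a:Attribute>
   <a:Attribute Name="email"><a:AttributeValue>ada@example.com</a:AttributeValue></a:Attribute>
   <a:Attribute Name="groups"><a:AttributeValue>Everyone</a:AttributeValue></a:Attribute>
 </a:AttributeStatement></a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "acme-okta-saml", datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)))
```

Pass the current UTC time as `now` when checking a fresh capture; a validity-window finding on an old capture only means the capture is stale.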