
Overview

StackOne supports SAML 2.0-based Single Sign-On (SSO), allowing your organization members to authenticate through your identity provider (IdP). Once configured and verified, users with matching email domains are automatically redirected to your IdP for authentication. This guide covers:
  1. Configuring SSO in StackOne
  2. Setting up a SAML application in Okta
  3. Completing the SSO registration
  4. Verifying your domain

Prerequisites

  • Org Admin role in your StackOne organization
  • Access to your identity provider’s admin dashboard (e.g., Okta)
  • Ability to manage DNS records for your organization’s domain

Configure SSO in StackOne

Navigate to Organization Settings > Security > SSO to begin the setup process. StackOne walks you through a three-step configuration flow.
1. Copy the Service Provider details

The first step displays two values you’ll need when configuring your identity provider:
  • ACS URL (Assertion Consumer Service URL) — the endpoint where your IdP sends SAML assertions
  • SP Entity ID (Service Provider Entity ID) — the metadata URL that identifies StackOne as the service provider
Enter a Provider ID at the bottom of this step. This is a unique identifier for your SSO configuration (e.g., your-company-sso). It must be lowercase and can contain letters, numbers, hyphens, and dots. The ACS URL and SP Entity ID update automatically based on your Provider ID.
[Screenshot: SSO setup step 1 showing ACS URL and SP Entity ID fields]
Copy both values — you’ll paste them into your identity provider in the next section.
2. Configure your identity provider

After setting up the SAML application in your IdP (see Okta example below), collect these three values from the IdP:
  • Identity Provider Issuer (Entity ID) — the IdP’s unique identifier URL
  • Identity Provider Single Sign-On URL — the IdP’s login endpoint
  • X.509 Certificate — the signing certificate in PEM format
[Screenshot: SSO setup step 2 showing fields to enter identity provider values]

3. Register the SSO provider

Fill in the registration form with the values collected from your IdP:
| Field | Description | Example |
|---|---|---|
| Provider ID | Unique identifier (set in step 1) | acme-corp-sso |
| Domain | Email domain for SSO users | acme.com |
| Entity ID (Issuer) | IdP issuer URL from step 2 | http://www.okta.com/exk... |
| SSO URL (Entry Point) | IdP login URL from step 2 | https://acme.okta.com/app/.../sso/saml |
| X.509 Certificate | Signing certificate from step 2 | -----BEGIN CERTIFICATE-----... |
Click Register SSO Provider to save the configuration.
[Screenshot: SSO registration form with all fields filled in]

Set Up a SAML Application in Okta

This section walks through creating a SAML 2.0 application in Okta. If you use a different identity provider, the general flow is similar — you’ll need to provide the ACS URL and SP Entity ID from StackOne, then retrieve the IdP issuer, SSO URL, and certificate.
1. Create a new application

In your Okta admin dashboard, go to Applications > Applications and click Create App Integration. Select:
  • Sign-in method: SAML 2.0
Click Next.
[Screenshot: Okta Create App Integration dialog with SAML 2.0 selected]

2. Configure general settings

Enter a name for the application (e.g., “StackOne SSO”) and optionally upload a logo. Click Next.
[Screenshot: Okta general settings page for the SAML application]

3. Configure SAML settings

In the SAML Settings section, enter the values from StackOne’s SSO setup (step 1):
| Okta Field | Value from StackOne |
|---|---|
| Single sign-on URL | ACS URL |
| Audience URI (SP Entity ID) | SP Entity ID |
| Name ID format | EmailAddress |
| Application username | Email |

[Screenshot: Okta SAML settings configured with StackOne ACS URL and Entity ID]
Click Next, then Finish.
4. Copy the IdP values

After creating the application, go to the Sign On tab and on the right you will find the SAML Setup section. Click View SAML setup instructions. From here, copy:
  • Identity Provider Single Sign-On URL
  • Identity Provider Issuer
  • X.509 Certificate
[Screenshot: Okta Sign On tab showing IdP metadata and certificate]

5. Assign users

Go to the Assignments tab and assign the users or groups that should have access to StackOne via SSO.
[Screenshot: Okta Assignments tab for adding users to the SAML application]

Complete the SSO Registration in StackOne

Return to the StackOne SSO setup page and paste the values from Okta into the Step 2 and Step 3 fields as described in Configure SSO in StackOne. After clicking Register SSO Provider, you’ll see a provider card with your SSO configuration details.
[Screenshot: SSO provider card showing configuration details and verification status]

Verify Your Domain

Domain verification is required to activate SSO. This ensures your organization owns the email domain used for SSO authentication.
1. Copy the DNS TXT record

On the SSO provider card, find the Domain Verification section. It displays a DNS TXT record in this format:
_stackone-sso-verification-token-{providerId}={verificationToken}
Copy the full record value.
[Screenshot: Domain verification section showing the DNS TXT record to add]

2. Add the TXT record to your DNS

Go to your domain’s DNS management panel (e.g., Cloudflare, Route 53, GoDaddy) and add a new TXT record with the value from the previous step.
DNS propagation can take up to 48 hours, though it typically completes within minutes to a few hours.
3. Verify the domain in StackOne

Return to the StackOne SSO settings and click Verify Domain. If the DNS record has propagated, you’ll see a success message confirming that SSO is active. If verification fails, wait for DNS propagation and try again.
[Screenshot: SSO provider card showing verified domain status]
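
The propagation check in the steps above can be run locally before clicking Verify Domain, which also separates "not propagated yet" from "published with the wrong value". This is an added example, not StackOne's code; it assumes the TXT record was added at the domain apex and that `dig` is available for live use, and the sample records and token are constructed.

```sh
#!/bin/sh
# Added example (not StackOne code). Sample records and token are constructed.

# Record value in the format shown on the SSO provider card.
expected_txt() {
  printf '_stackone-sso-verification-token-%s=%s' "$1" "$2"
}

# Clean `dig +short TXT` output: join values that DNS split into several
# quoted chunks, then drop the surrounding quotes.
normalize_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_status PROVIDER_ID TOKEN  (dig output on stdin) prints one of:
#   match     the exact record is published
#   mismatch  a record for this Provider ID exists but its value differs
#   missing   no record for this Provider ID is visible yet
# The ( ) body runs in a subshell so the variables stay local.
txt_status() (
  want=$(expected_txt "$1" "$2")
  prefix="_stackone-sso-verification-token-$1="
  records=$(normalize_txt)
  status=missing
  while IFS= read -r line; do
    if [ "$line" = "$want" ]; then status=match; break; fi
    case "$line" in "$prefix"*) status=mismatch ;; esac
  done <<EOF
$records
EOF
  printf '%s\n' "$status"
)

# Constructed resolver answer for acme.com: an unrelated SPF record plus
# the verification record for Provider ID acme-corp-sso.
sample_dig_output() {
  cat <<'EOF'
"v=spf1 include:_spf.example.com ~all"
"_stackone-sso-verification-token-acme-corp-sso=tok-CONSTRUCTED-123"
EOF
}

sample_dig_output | txt_status acme-corp-sso tok-CONSTRUCTED-123

# Live use, assuming the record sits at the domain apex and dig is installed:
#   dig +short TXT acme.com | txt_status acme-corp-sso "$TOKEN"
#   dig +short TXT acme.com @1.1.1.1 | txt_status acme-corp-sso "$TOKEN"
```

A `mismatch` result points to a copy or paste error in the DNS panel rather than propagation delay, so waiting will not fix it.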

Managing Your SSO Configuration

Once SSO is configured, you can:
  • Edit SSO settings — Update the domain, issuer, entry point, or certificate by clicking Edit SSO on the provider card
  • Delete SSO — Remove the SSO configuration entirely by clicking Delete SSO
Deleting your SSO configuration will require all organization members using SSO to sign in with email and password instead. Make sure affected users have alternative credentials before removing SSO.

Troubleshooting

| Symptom | Likely Cause | Fix |
|---|---|---|
| SSO tab not visible | Feature not enabled for your organization | Contact StackOne support to enable SSO |
| Domain verification fails | DNS record hasn’t propagated | Wait and retry — propagation can take up to 48 hours |
| SAML login fails with “Invalid certificate” | Certificate mismatch | Re-copy the X.509 certificate from your IdP and update in StackOne |
| Users not redirected to IdP | Domain not verified | Complete the domain verification step |
| “403 Forbidden” error | User lacks Org Admin role | Ensure you have the Org Admin role to manage SSO settings |