Integrating Okta with env0 as a SAML provider


This guide will detail the various steps required to integrate Okta as a SAML provider for your env0 organization. The current implementation supports SAML 2.0 and is used for authentication only, where you define your users in your Okta account to enable them access to your env0 organization. You can also add env0 as an application in your user application dashboard.
In addition, we also support group syncing of the logged in user to match those with env0 teams.


  1. Login to the Okta admin console
  2. Go to the Applications > Applications
  3. Click on the Add Application button
  4. Click on the Create New App button
  5. Choose Web and SAML 2.0 and click on the Create button

  1. Set the application name to env0 and upload a logo and click on Next
  2. In the Single sign on URL enter https://login.app.env0.com/login/callback?connection=YOUR_ENV0_ORG_ID
  3. In the Audience URL (SP Entity ID) enter urn:auth0:env0:YOUR_ENV0_ORG_ID
    e.g. urn:auth0:env0:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
  4. In the Name ID format put Unspecified
  5. Click on the Show Advanced Settings

  1. Change the Assertion Encryption to be Encrypted and upload the PEM located here
  2. Download the Okta Certificate, we will need it later on
  3. In the ATTRIBUTE STATEMENTS add the following:
name${user.firstName} ${user.lastName}

  1. Leave the rest of the default values and click Next
  2. If you would like to set up groups as well you should do the following:
  • In the Group Attribute Statements (optional) add and Attribute
  • The name should be teams and then set the filter according to what you wish. For example, to get all groups set a regex filter with the value of (.*?)


Teams syncing

Teams will be synced each time a user logins with the following logic:

  1. env0 will create a new team if one doesn't exists based on the group name we received from the SAML provider.
  2. If the team exists in env0 we will not create a new team.
  3. We will assign the user to all the teams in env0 based on the group names he/she is part of in the SAML provider..
  4. If the user was removed from a group in the SAML provider we will remove him/her from the team in env0.
  1. Choose I’m an Okta customer adding an internal app and click on Finish.
  2. In the Sign on Tab and click on the View Setup Instructions button.

  1. Copy the Identity Provider Single Sign-on URL, then upload with the Okta Certificate to https://www.env0.com/env0-setup-saml-single-sign-on