How to configure Single Sign-On to Continu using Okta as the identity provider, via SAML 2.0.
Continu supports SAML 2.0 single sign-on. When configured, users authenticate through your identity provider rather than entering Continu-specific credentials. The integration handles login, plus optional attribute pass-through (first name, last name, additional fields).
This guide covers Okta specifically. For other identity providers, see the related articles linked below. For the strategic context on user provisioning and identity, see Provisioning and Sync: How User Data Flows Into Continu.
How to Configure Okta SSO
1. In the Okta admin view, select the Applications tab and click Create App Integration.
2. Select SAML 2.0, then click Next.
3. Set the application name (this appears to users). Optionally upload a logo. Click Next.
4. In Single sign on URL, enter your Continu URL followed by /saml/consume — using HTTPS. Example: https://company.continu.co/saml/consume.
Under Audience URL, enter your Continu URL followed by /saml/sp. Example: https://company.continu.co/saml/sp.
Leave the remaining fields with their defaults.
5. In Attribute Statements, click Add Another twice for a total of three attribute rows. Configure:
Row 1: Name email, value user.email
Row 2: Name firstName, value user.firstName
Row 3: Name lastName, value user.lastName
Casing matters — match exactly.
6. Click Next, fill out the feedback fields if you'd like, then Finish.
7. On the Sign On tab, click View Setup Instructions. Copy the Identity Provider Single Sign-On URL and the X.509 Certificate.
8. In Continu, go to Admin > Integrations and select SAML 2.0.
9. Paste the Identity Provider Single Sign-On URL into SAML 2.0 Endpoint, and the X.509 Certificate into the matching field.
10. Click Submit. Assign the Continu app to the appropriate Okta users.
Configuration Pitfalls
Attribute Casing Mismatch. Continu expects firstName and lastName with the specific casing. Wrong casing means user names don't pass through.
Missing the /saml/consume Path. The Single sign on URL must end in /saml/consume. Pointing it at the bare Continu URL fails authentication.
HTTP Instead of HTTPS. SAML endpoints require HTTPS. Using HTTP fails silently or produces unclear errors.
Forgetting to Assign Users in Okta. The Okta application created here doesn't automatically grant any user access. Users still need to be assigned to the Continu app in Okta.
X.509 Certificate Pasting Errors. Copying the certificate from the Okta setup instructions sometimes adds extra whitespace or breaks. Paste carefully and verify the certificate starts with -----BEGIN CERTIFICATE-----.
Where This Fits
You're here because you're configuring Okta SSO. For other identity providers, see the related articles. For the broader provisioning context, see Provisioning and Sync: How User Data Flows Into Continu.
See Also
- Provisioning and Sync: How User Data Flows Into Continu — the strategic anchor.
- Single Sign on via Google — Google Workspace setup.
- Single Sign on via JumpCloud — JumpCloud setup.
- Single Sign On via OneLogin — OneLogin setup.
- Active Directory (ADFS) using SAML 2.0 — Microsoft ADFS setup.