
Set up Veryfi access with Okta SSO

Integrating Veryfi with your identity provider makes logging in simple and secure for your team.

Updated today

1. What is Okta SSO?

Okta SSO (Single Sign-On) is a cloud-based identity management service that allows users to authenticate and access multiple applications with a single set of credentials. It eliminates the need for users to remember multiple usernames and passwords for different applications, providing a seamless and secure login experience.

2. What is SAML?

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). It enables SSO by allowing the identity provider to authenticate the user and assert their identity to the service provider.

3. How does Okta SSO with SAML work?

Integrating Okta SSO with SAML involves configuring Okta as the identity provider and the Veryfi API Portal as the service provider. When a user tries to access the Veryfi API Portal, they are redirected to Okta for authentication. Once the user is authenticated, Okta generates a SAML assertion containing the user's identity information and sends it to Veryfi, where the SAML assertion is verified and the user is granted access.

4. What are the prerequisites for integrating Okta SSO?

To integrate Okta SSO with SAML, you need the following:

  1. An Okta account: Sign up for an Okta account if you don't have one.

  2. Access to Veryfi API Portal Keys Settings: Ensure you have administrative access to Keys Settings to configure the SAML integration.

  3. SAML configuration details: the Veryfi Application Callback URL, Sign on URL, Sign out URL, Issuer and Signing Certificate.

🔔 Access to SSO is not enabled by default for your user account. To request access, please reach out to our support team at [email protected].

5. How do I integrate Okta SSO with Veryfi?

Here's a general overview of the steps involved in integrating Okta SSO with Veryfi:

  1. Log in to your Okta account.

  2. Navigate to the Okta Admin Console → Applications.

  3. Create a new SAML 2.0 application.

  4. Add the application name.

  5. Go to the Configure SAML tab.

  6. Now, switch to the Veryfi API Portal and navigate to Keys Settings.

  7. Click Add SSO Credentials.

  8. Copy the Application Callback URL.

  9. Switch back to Okta and paste the Veryfi Application Callback URL into the Single sign-on URL field.

  10. Fill in the Okta Audience URI field with https://app.veryfi.com

  11. Navigate to the Feedback tab and finish the configuration.

  12. Once the application is added, click the "Sign On" tab on the application configuration page and expand the SAML 2.0 details.

  13. Expand the SAML metadata for the identity provider. You will need the following values to configure the Veryfi SSO Credentials: Sign on URL, Sign out URL, Issuer and Signing Certificate.

  14. Now, switch to the Veryfi API Portal SSO Credentials configuration.

  15. Provide the SAML configuration details obtained from Okta in the appropriate fields.

    1. Fill in the Provider field with the value "Okta"

    2. Fill in Entity ID with Okta's Issuer value

    3. Fill in SSO URL with Okta's Sign on URL value

    4. Fill in SLO URL with Okta's Sign out URL value

    5. Fill in Certificate with Okta's Signing Certificate value

  16. Save SSO Credentials.

  17. Test the integration by switching back to Okta.

  18. Go to the Assignment tab and select Assign to People.

  19. Assign users to access Veryfi.

  20. Go to My End User Dashboard.

  21. Go to Okta application settings, and add the following settings (currently under "Show legacy configuration"):

  22. Click on the Veryfi app and you will be automatically logged in to the Veryfi API Portal.


Veryfi SSO Self-Debugging Guide

For Okta and Microsoft Entra (Azure AD) setups

Before You Start

SSO is not self-service. It must be enabled on your Veryfi account by the support team before the configuration section appears. If you don't see "Single Sign-On" under Settings > Keys, contact your Veryfi account manager and ask them to enable it first.


Step 1: Setting Up the SAML App in Your IdP

Entra (Azure AD)

These are the exact values you need:

| Field | Value |
|---|---|
| Entity ID (Identifier) | https://app.veryfi.com |
| Reply URL (Callback URL) | Copy from Veryfi Settings > Keys > Application Callback URL |
| Sign-on URL | Copy from Veryfi Settings > Keys |

The #1 mistake: Adding a trailing slash to the Entity ID. https://app.veryfi.com/ breaks it. No slash.

The Callback URL changes every time you open settings. That's expected. You just need whatever value is shown when you're actively configuring.

Okta

Use the SAML 2.0 app template. The Entity ID and ACS URL come from Veryfi Settings > Keys. Okta users generally hit fewer friction points than Entra users, but the same Entity ID rule applies.


Step 2: Copying the Certificate

This is where most Entra setups break.

When you download the X.509 certificate from Entra, it arrives formatted with line breaks. Veryfi needs it as a single continuous string with no spaces or newline characters.

Before pasting the certificate into Veryfi:

  1. Open the certificate file in a text editor

  2. Remove all line breaks so it's one long string

  3. Do not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers, just the base64 content

If the certificate has any spaces or line breaks, SSO will appear to save but will fail on login.
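The three steps above can also be done in Python, which rejects anything that does not decode cleanly. This is an added example, not Veryfi's or the IdP's own tooling: the function names are its own, `SAMPLE_DER` is constructed stand-in data rather than a real certificate, and comparing the fingerprints with a thumbprint assumes your IdP displays one.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes (NOT a real certificate): a DER SEQUENCE tag
# and length followed by filler, used only to exercise the functions.
SAMPLE_DER = b"\x30\x42" + bytes(range(66))


def sample_pem(newline: str = "\n") -> str:
    """PEM text as an IdP download looks: headers plus 64-character lines."""
    b64 = base64.b64encode(SAMPLE_DER).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])


def to_single_line(cert_text: str) -> str:
    """Return the base64 body as one string: no headers, spaces or newlines."""
    match = PEM_RE.search(cert_text)
    body = match.group(1) if match else cert_text  # header-less input is fine
    one_line = re.sub(r"\s+", "", body)            # drops \n, \r\n, spaces, tabs
    der = base64.b64decode(one_line, validate=True)  # raises on stray characters
    if not der or der[0] != 0x30:                  # DER certificates open with SEQUENCE
        raise ValueError("decoded data does not look like a DER certificate")
    return one_line


def fingerprints(one_line: str) -> dict:
    """Hex digests of the DER bytes, for comparison with an IdP thumbprint."""
    der = base64.b64decode(one_line, validate=True)
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}


if __name__ == "__main__":
    cleaned = to_single_line(sample_pem("\r\n"))
    print(cleaned)
    print(fingerprints(cleaned))
```

To use it on a real download, pass the file's text to `to_single_line()` and paste the returned string into the Certificate field.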


Step 3: Testing the Connection

After saving your config in both Veryfi and your IdP, do not try logging in at app.veryfi.com/auth/login/. There is no SSO button on that page. That's expected.

How to log in with SSO:

  • Entra users: Go to your Microsoft MyApplications portal (myapps.microsoft.com) and click the Veryfi app. Your IT team needs to assign users to the app in Entra first.

  • Okta users: Use your Okta dashboard tile.

Direct navigation to the app URL will not trigger SSO.


Step 4: Diagnosing a 500 Error on /saml2/

A POST https://app.veryfi.com/saml2/ 500 (Internal Server Error) on first login has a few possible causes.

Work through these in order:

Check 1: Entity ID

Compare the Entity ID in your IdP app against what Veryfi expects. Even a trailing slash causes this error.

Check 2: Certificate formatting

Re-check the certificate for spaces or newlines. When in doubt, re-export from your IdP and re-paste.

Check 3: Callback URL mismatch

This happens if the SSO config in Veryfi was deleted and recreated after the IdP was configured. The Reply URL in your IdP may point to an old callback URL.

Fix: Go to Veryfi Settings > Keys, note the current Application Callback URL, then update the Reply URL in your IdP to match.

Check 4: It might be on Veryfi's side

Some 500 errors are backend bugs unrelated to config. If you've verified all three above, contact Veryfi support with a screenshot and the timestamp of the failed attempt.
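For checks 1 and 3, the values your IdP actually sent can be read from the `SAMLResponse` form field of the failing POST. The Python below is an added example, not Veryfi's code: it assumes the Entity ID appears as the assertion's Audience and the Callback URL as Destination/Recipient (standard SAML 2.0 usage), and it runs on a constructed response with placeholder `callback.example` and `idp.example` URLs.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not captured from a real IdP): Audience has a trailing
# slash, and Destination/Recipient point at a stale placeholder callback URL.
SAMPLE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://callback.example/old">
  <saml:Issuer>https://idp.example/issuer</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://callback.example/old"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://app.veryfi.com/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_response(saml_response_b64, entity_id, callback_url):
    """Return (values found, list of mismatches). Diagnostic only: the
    signature is NOT verified, so never use this to make an access decision."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    scd = root.find(".//a:SubjectConfirmationData", NS)
    found = {
        "issuer": (root.findtext(".//a:Issuer", namespaces=NS) or "").strip(),
        "audience": (root.findtext(".//a:Audience", namespaces=NS) or "").strip(),
        "destination": root.get("Destination", ""),
        "recipient": scd.get("Recipient", "") if scd is not None else "",
    }
    problems = []
    if found["audience"] != entity_id:
        slash = found["audience"].rstrip("/") == entity_id
        problems.append("audience: trailing slash" if slash else "audience: mismatch")
    for field in ("destination", "recipient"):
        if found[field] != callback_url:
            problems.append(f"{field}: not the current callback URL")
    return found, problems


if __name__ == "__main__":
    found, problems = check_response(
        SAMPLE_B64, "https://app.veryfi.com", "https://callback.example/current")
    print(found, problems, sep="\n")
```

A captured `SAMLResponse` contains the user's identity attributes, so handle it like any other credential-bearing artifact when attaching it to a ticket.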


Step 5: Setting Up a Second Account (Multi-Account Customers)

If you have two Veryfi accounts (e.g., one for Receipts, one for Invoices) and need SSO on both, set up a separate IdP app for each. The "Add SSO credentials" button has a known bug where it becomes unresponsive when adding a second configuration. If this happens, contact Veryfi support directly to add it on the backend.


What SSO Covers (and What It Doesn't)

SSO applies to the Veryfi Hub/portal only. The Lens SDK uses API key authentication and does not support SSO. If you're building a mobile integration with Lens, your users authenticate with API keys, not via your IdP.


Quick Checklist Before Contacting Support

  • SSO is enabled on my Veryfi account (I can see it in Settings > Keys)

  • Entity ID is https://app.veryfi.com with no trailing slash

  • Certificate is a single string with no spaces or newlines

  • Reply URL in my IdP matches the current Callback URL from Veryfi Settings

  • I'm logging in via MyApps/Okta dashboard, not the Veryfi login page

  • Users are assigned to the app in my IdP

If all of the above are confirmed and login still fails, collect the error message, browser console output, and a timestamp, then open a support ticket. Please email [email protected] for personalized assistance.

Access via SSO is not enforced by default. Please make sure that it's working as expected before enforcing it as the only possible login method. Refer to this article for more information.
