Single Sign On With Okta

Note: If you don't have access to the Single Sign On configuration screen, please reach out to our support team.

Currently, our Okta integration is a one-way integration. Users whose accounts are auto-provisioned with Okta are set to the member role.

To enable SSO with Okta:

  1. Log in as an owner of your FireHydrant organization.
  2. In the left nav, click Organization > Single Sign On.
  3. On the Single Sign On page, check the box labeled Enable SSO.
  4. Additional fields appear. In these fields, provide your IdP Login URL, IdP issuer, and IdP X509 certificate. 
  5. In Okta, go to the FireHydrant integration SSO page and click View Setup Instructions.
  6. On the next page, copy the Single Sign On URL, Identity Provider Issuer, and X509 certificate values. Enter these values into the fields in FireHydrant for your Single Sign On settings.


Domains are the email domains you use to send and receive messages. For example, if your email is , add to your domains list. When a user visits the FireHydrant login page (instead of using Okta to log in) and types in their email address, a prompt will direct them to log in with Okta instead.

Just-in-time provisioning

When a user is authenticated with Okta, they are automatically added to the organization with a member role if they do not have an account. Otherwise, accounts are matched on the email provided by Okta on a successful login. When a user is removed from Okta, they are not automatically removed from FireHydrant.


To test, leave your session in FireHydrant open, visit Okta in a new window or tab, and attempt to log in with your newly configured integration. Leaving your FireHydrant session open should prevent you from getting locked out of your account during setup. If you do encounter a lockout, submit a ticket on our contact form for help.

Last updated on 3/28/2023