Set Up Okta SAML SSO

Last updated April 3, 2026

This guide walks you through configuring SAML 2.0 SSO between Okta and Compound. After setup, team members with your verified domain will authenticate through Okta when signing in to Compound.

Prerequisites

  • A Compound team with a verified email domain. See Set Up SSO for Compound to create a team and verify your domain.
  • Team Owner role in Compound and Admin role in Okta.

Important

Complete domain verification before starting this guide. SSO configuration will fail if your domain is not verified.

Setup procedure

The setup requires going back and forth between the Okta Admin Console and Compound. You will create the app in Okta first with temporary placeholder values, then enter Okta’s IdP metadata into Compound, and finally update Okta with the SP metadata that Compound provides.

Create a SAML application in Okta

  1. Sign in to the Okta Admin Console.
  2. Navigate to Applications > Applications in the left sidebar.
  3. Click Create App Integration.
  4. Select SAML 2.0 as the sign-in method and click Next.
  5. On the General Settings page:
    • App name: Enter Compound (or your preferred display name).
    • Optionally upload the Compound logo.
    • Click Next.

Configure SAML settings in Okta

On the Configure SAML page, enter the following values. You will use temporary placeholders for now and update them after Compound provides the real SP metadata.

  • Single sign-on URL: Enter https://example.com/placeholder (you will replace this in a later step).
  • Audience URI (SP Entity ID): Enter placeholder (you will replace this in a later step).
  • Name ID format: Select EmailAddress.
  • Application username: Select Email.

Under Attribute Statements, add the following (recommended):

  Name     Value
  email    user.email
  name     user.firstName

Leave all other settings at their defaults and click Next.

On the Feedback page, click Finish.

Download the IdP metadata XML from Okta

  1. After creating the app, you are taken to the application’s Sign On tab.
  2. Scroll down to the SAML Signing Certificates section.
  3. Find the Active certificate and click Actions > View IdP metadata.
  4. A new browser tab opens with the metadata XML. Right-click the page and select Save As to download the file (e.g., metadata.xml).

Tip

Downloading the metadata XML is the easiest approach. It contains the Entity ID, SSO URL, and X.509 certificate in a single file, so you do not need to copy each field individually.

Upload metadata XML in Compound

  1. In Compound, navigate to Settings > Team.
  2. Scroll to the SSO Configuration section.
  3. Click the SAML protocol button to select SAML 2.0.
  4. Click Upload Metadata and select the metadata.xml file you downloaded from Okta.
  5. A green Metadata loaded indicator appears confirming the file was parsed successfully.
  6. Click Save SSO Configuration.

Compound processes the metadata and creates the SAML provider. After saving, the SSO Configuration section updates to show an SSO is active status along with your SP metadata.

Note

If you prefer not to upload the XML file, you can manually enter the three required fields instead: IdP Entity ID, SSO URL, and X.509 Certificate. These values can be found on the Okta application’s Sign On tab under SAML Setup.

Copy SP metadata from Compound and update Okta

After saving, Compound displays the Service Provider (SP) metadata that Okta needs. You will see two values:

  • ACS URL (Assertion Consumer Service URL) — the endpoint where Okta sends SAML assertions.
  • SP Entity ID — the unique identifier for Compound as a service provider.

Copy both values, then return to the Okta Admin Console:

  1. Go to Applications > Applications and select your Compound app.
  2. Click the General tab, then click Edit in the SAML Settings section.
  3. Click Next to advance to the Configure SAML step.
  4. Replace the placeholder values:
    • Single sign-on URL: Paste the ACS URL from Compound.
    • Audience URI (SP Entity ID): Paste the SP Entity ID from Compound.
  5. Click Next, then Finish.

Important

The ACS URL and SP Entity ID must match exactly between Compound and Okta. A mismatch will cause SAML assertions to be rejected during sign-in.

Assign users and groups in Okta

Users must be assigned to the Compound application in Okta before they can sign in via SSO.

  1. In the Okta Admin Console, go to your Compound application.
  2. Click the Assignments tab.
  3. Click Assign and select either Assign to People or Assign to Groups.
  4. Select the users or groups that should have access to Compound, then click Done.

Test the connection

  1. Open a new browser window (or use incognito/private mode).
  2. Go to the Compound sign-in page.
  3. Enter an email address that belongs to your verified domain (e.g., user@acme.com).
  4. Compound should detect your SSO configuration and display a Continue with SSO prompt showing your team name.
  5. Click the SSO button. You should be redirected to Okta for authentication.
  6. After signing in through Okta, you should be redirected back to Compound and signed in.

Tip

Test with a user account that is already assigned to the Compound app in Okta. If the user is not assigned, Okta will display an access denied error.

Troubleshooting

“Enterprise SSO requires a verified domain”

Your domain has not been verified yet. Go to Settings > Team, ensure your email domain is set, and complete the domain verification process.

SAML assertion errors or “invalid response”

  • Verify that the ACS URL in Okta matches exactly what Compound shows in the SP metadata section.
  • Verify that the Audience URI in Okta matches the SP Entity ID shown in Compound.
  • Make sure the Okta signing certificate is active and not expired.

User sees regular password sign-in instead of SSO

  • Confirm the user’s email domain matches the verified domain on your team.
  • Check that the user is entering their full email address on the Compound sign-in page — SSO detection is triggered after the email is entered.

“User not assigned to app” error in Okta

The user has not been assigned to the Compound application in Okta. Go to the Assignments tab in the Okta Admin Console and add the user or their group.

Metadata upload fails

  • Make sure the file is a valid XML file with the .xml extension.
  • The XML must contain an entityID attribute, at least one SingleSignOnService element with an HTTP-Redirect or HTTP-POST binding, and an X509Certificate element.
  • Try downloading a fresh copy of the metadata from Okta.
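
A local pre-check for the three metadata requirements listed above, as an added example that is not Compound's or Okta's own code. The entity ID, SSO URL and certificate bytes in the sample are constructed; the DOCTYPE rejection and the SHA-256 fingerprint of each certificate are additions that the page does not require.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

def check_idp_metadata(xml_text):
    """Return (problems, summary) for an IdP metadata document."""
    if "<!DOCTYPE" in xml_text:  # added hardening: SAML metadata needs no DTD
        return ["contains a DOCTYPE declaration"], {}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], {}
    problems = []
    entity_id = root.get("entityID")  # expected on the root EntityDescriptor
    if not entity_id:
        problems.append("missing entityID attribute")
    sso = [(e.get("Binding").rsplit(":", 1)[-1], e.get("Location"))
           for e in root.iter(MD + "SingleSignOnService")
           if e.get("Binding") in BINDINGS]
    if not sso:
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    certs = list(root.iter(DS + "X509Certificate"))
    if not certs:
        problems.append("missing X509Certificate element")
    fingerprints = []
    for cert in certs:
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der:
                raise ValueError("empty certificate")
            fingerprints.append(hashlib.sha256(der).hexdigest())
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("X509Certificate is empty or not valid base64")
    return problems, {"entity_id": entity_id, "sso": sso, "cert_sha256": fingerprints}

# Constructed sample: made-up entity ID and URL, placeholder bytes instead of a real certificate.
PLACEHOLDER_CERT = b"constructed placeholder, not a real certificate"
SAMPLE = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(PLACEHOLDER_CERT).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_idp_metadata(open("metadata.xml", encoding="utf-8").read())` against the downloaded file; an empty problems list means the three required items are present, and the fingerprint records which signing certificate you are about to trust.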