SSO Configuration for Okta Customers

Safety AZ allows users to login via Okta as Single Sign-On (SSO) using Express Configuration. This document details how to configure SSO for your organization.

Prerequisites

In order to proceed with configuring login with SSO through Okta, you must:

  • Have access to an Okta tenant
  • Be an Okta administrator to that tenant
  • Have an active Safety AZ enterprise license with available seats

Supported Features

  • Service Provider (SP)-Initiated Authentication (SSO) Flow - This authentication flow occurs when the user attempts to log in to the application from Safety AZ.
  • Just-In-Time (JIT) Provisioning - Users are automatically created on their first login if your enterprise license has available seats. Email and name attributes are provisioned.
  • Universal Logout - When enabled, Okta can terminate user sessions and tokens when risk is detected or when an admin initiates logout.
Info: Users and their access are automatically managed through JIT provisioning based on your enterprise license. Users are granted access if seats are available.

Configuration Steps

1

Request Admin Account

Send an email to salut@safety-az.com with the email address you want to use for the Express Configuration admin account.

2

Receive Credentials from Safety AZ

Safety AZ support will create an admin account and reply with:

  • A temporary password
  • An organization name unique to your company
3

Add Safety AZ Application in Okta

  1. In Okta, go to Applications → Browse App Catalog
  2. Search for Safety AZ and click Add Integration
  3. Click Done
4

Express Configure SSO

  1. On the newly created Safety AZ application, click the Sign On tab
  2. Click Express Configure & Universal UL
  3. Enter the organization name provided by Safety AZ
  4. When prompted for credentials, enter the admin email and temporary password provided by Safety AZ
  5. On the next screen, approve the connection with Safety AZ to complete the setup
5

Enable Universal Logout

  1. On the Sign On tab of the Safety AZ application
  2. Check the box for Okta system or admin initiates logout
6

Notify Safety AZ

Send an email to salut@safety-az.com to confirm that you have completed the Express Configuration setup.

Safety AZ support will then:

  • Enable home realm discovery for your domain
  • Enable application access so your users can log in

Wait for confirmation from Safety AZ before proceeding to the next step.

7

Assign Users and Test

Once Safety AZ has confirmed the setup is complete:

  1. Assign the admin account to the Safety AZ application in Okta
  2. Assign any other users or groups that should have access to Safety AZ
  3. Test the login flow by navigating to safety-az.com and logging in with the admin account
  4. You should be automatically redirected to your Okta SSO login
8

Confirm Completion

After successfully testing the login flow, send a final email to salut@safety-az.com to confirm everything is working.

Safety AZ will then remove the temporary admin account as it is no longer needed.

Tip: Since only SP-initiated flow is supported, Okta recommends hiding the app icon for users to avoid confusion.

SP-Initiated SSO (Logging Into Safety AZ Using Okta)

The sign-in process is initiated from Safety AZ.

  1. From your browser, navigate to safety-az.com
  2. Click the Log In button
  3. Enter your enterprise email address
  4. You will be automatically prompted to authenticate with Okta
  5. Enter your Okta credentials (email and password) and sign in
  6. If your credentials are valid, you are redirected to the Safety AZ dashboard.

Universal Logout

When Universal Logout is enabled, Okta can terminate user sessions across all applications when:

  • An administrator initiates a logout from the Okta Admin Console
  • The Okta system detects risk and terminates sessions for security

This ensures that when a user is logged out of Okta, they are also logged out of Safety AZ.

Note: The access token lifetime is 30 minutes.

Just-In-Time (JIT) Provisioning

With JIT provisioning enabled, users are automatically created in Safety AZ when they first sign in via Okta.

How it works:

  • When a user authenticates via Okta for the first time, Safety AZ checks if your enterprise license has available seats
  • If seats are available, a new user account is automatically created with the email and name from Okta
  • The user is granted access to Safety AZ immediately
  • If no seats are available, the user will be notified and will not be able to access Safety AZ

Attributes Provisioned:

  • Adaugă o adresă de email validă
  • Nume complet
Info: Role assignment is managed separately within Safety AZ and is not currently mapped from Okta attributes.

Notes

  • Safety AZ only allows SSO-based login and does not support password-based login for enterprise accounts
  • Please ensure that all users who need access to Safety AZ can authenticate using Okta
  • Users are automatically provisioned if your license has available seats

Troubleshooting

If you encounter any issues during configuration or login, please contact Safety AZ support at salut@safety-az.com.