SSO with SAML Example (Okta)


Before you start

Reach out to mabl support through in app chat or [email protected] to initiate the SAML setup process. You will need the single sign on url and audience values provided by support in order to complete the setup.

Outlined here is the SAML set up process using Okta as an example of mabl SSO integration. This should work with other SAML identity providers with a similar setup. If you use Azure, try these docs instead: Single sign on with SAML: Azure

Within Okta, create a new application. (It should be a Web application, and select SAML 2.0)


Choose an app name and upload a logo. (We've provided a Mabl logo below)

1387 303

General settings

Enter these general settings:
single sign-on URL Provided by mabl support
Audience URI (SP Entity ID) Provided by mabl support




If using OneLogin as your Identity Provider, you will need to enter the Audience URI value provided by mabl in both the "SAML Consumer Url" and "SAML Recipient" fields.

You'll need to add these required attributes:
Name: email Name Format: Basic Value:


Click Next:

Select I'm an Okta customer adding an internal app
Check Contact App Vendor: It's required to contact the vendor to enable SAML


Click Finish.

On the following page, you'll find the information necessary to send to mabl to complete the setup by clicking View Setup Instructions;


Write down these values and pass¹ them off to mabl support

  • Identity Provider Single Sign-On URL
  • Identity Provider Issuer
  • X.509 Certificate (CER or PEM format)


X.509 Certificate Security

This is a public key certificate. This means there is no security risk passing this to mabl through normal channels.


Additional e-mail domains

If you have additional domains for your workspace, for example your main connection is for [email protected] and you will also have users logging into your workspace with [email protected] let our support team know when configuring your SAML connection and mabl can add those domains to your domain lock as well. Any additional domains will also be included in the domain lock. You may only use domains that your company fully owns.


mabl Login Domain Restriction

Once configured, users attempting to sign up using the designated fully qualified domain name (e.g. will be required to originate from your designated SAML provider.

After mabl gets this information and sets up the required connection to your SAML application, your organization will be able to log in and restrict access using your identity provider of choice.