AdministrationWorkspacesSSO

Okta SAML SSO

Configure Okta as a SAML identity provider for ElevenLabs SSO.

Okta SAML SSO lets workspace members sign in to ElevenLabs through an Okta SAML 2.0 app integration.

SSO is available for Enterprise workspaces. Only Workspace admins can configure SSO settings.

ElevenLabs supports Service Provider (SP) initiated SAML SSO. To start sign-in, use https://elevenlabs.io/app/sign-in?use_sso=true. You can add email=user@example.com as a query parameter to prefill the email field.

Prerequisites

  • An Enterprise ElevenLabs workspace.
  • Workspace admin access in ElevenLabs.
  • Admin access in Okta.
  • A verified email domain in ElevenLabs for the users who will sign in through Okta.

Set up Okta SAML SSO

1

Open SSO settings in ElevenLabs

Go to Workspace settings > Security & SSO.

ElevenLabs Workspace settings Security and SSO tab
2

Select SAML as the SSO provider

In SSO Provider, select SAML. Copy the Service Provider Entity Id and Redirect URL values. You will use these values in Okta.

ElevenLabs SAML provider settings
3

Create an Okta app integration

In the Okta Admin Console, go to Applications > Applications, then click Create App Integration.

Okta Applications page with Create App Integration

Select SAML 2.0, then click Next.

Okta Create a new app integration dialog with SAML 2.0 selected
4

Add the app name

In General Settings, set App name to ElevenLabs, then click Next.

Okta Create SAML Integration general settings
5

Configure SAML settings in Okta

In SAML Settings, configure the app with the values from ElevenLabs:

  • Set Single sign-on URL to the ElevenLabs Redirect URL.
  • Select Use this for Recipient URL and Destination URL.
  • Set Audience URI (SP Entity ID) to the ElevenLabs Service Provider Entity Id.
  • Set Name ID format to EmailAddress.
  • Set Application username to Email.
Okta SAML settings for ElevenLabs
6

Assign users or groups

Open the Okta app’s Assignments tab and assign the users or groups that should be able to sign in to ElevenLabs.

Okta app Assignments tab
7

Add the Okta certificate to ElevenLabs

In Okta, open SAML Signing Certificates and use Actions > Download certificate for the active certificate.

Okta SAML Signing Certificates download certificate action

Open the certificate file and copy the full PEM certificate, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Okta certificate file in PEM format

In ElevenLabs, click Add Certificate, paste the Okta certificate, then click Add.

ElevenLabs Add X509 Certificate dialog
8

Copy Okta metadata values into ElevenLabs

In Okta, open the IdP metadata XML. Copy the metadata values into ElevenLabs:

  • Use entityID for Identity Provider Entity Id.
  • Use the SingleSignOnService Location URL that ends in /sso/saml for Identity Provider Sign-In URL.
Okta IdP metadata XML showing entityID and SingleSignOnService Location
9

Add your allowed email domain

In ElevenLabs, click Add Domain and select the verified domain that matches the email domain of your Okta users.

ElevenLabs Add allowed email domains dialog
10

Save the SSO provider

Review the configuration, select I acknowledge this change will log out users currently using SSO, then click Update SSO.

Field mappings

Use this table to map Okta SAML settings to ElevenLabs SSO fields.

Okta field or locationElevenLabs fieldValue to use
Sign-in methodSSO ProviderSAML
Audience URI (SP Entity ID)Service Provider Entity IdUse the ElevenLabs value, for example https://elevenlabs.io
Single sign-on URLRedirect URLUse the ElevenLabs value, for example https://elevenlabs.io/__/auth/handler
Recipient URLRedirect URLSame as Single sign-on URL
Destination URLRedirect URLSame as Single sign-on URL
SAML Issuer ID or metadata entityIDIdentity Provider Entity IdOkta issuer, for example http://www.okta.com/exk...
Sign On URL or metadata SingleSignOnService LocationIdentity Provider Sign-In URLOkta SAML URL ending in /sso/saml
X.509 Certificate or metadata ds:X509CertificateCertificateOkta signing certificate in valid PEM format
Application usernameNo manual config requiredSet to Email
Name ID formatNo manual config requiredSet to EmailAddress
User or app email domain in OktaDomainMust match a verified ElevenLabs domain, for example company.com

Troubleshooting

Check the browser Network response for accounts:signInWithIdp. Okta System Log entries such as User single sign on to app SUCCESS only confirm that Okta authenticated the user. ElevenLabs can still reject the SAML response if the assertion values do not match the SSO configuration.

The browser Network response may show INVALID_IDP_RESPONSE: Error when parsing certificate. Remove the certificate from ElevenLabs, then re-add the Okta X.509 certificate in valid PEM format. Do not use an LLM to format the certificate. Copy the certificate exactly, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Make sure Okta sends the user’s email address as NameID. In Okta, set Name ID format to EmailAddress and Application username to Email.

Use metadata entityID for Identity Provider Entity Id, SingleSignOnService Location for Identity Provider Sign-In URL, and ds:X509Certificate for Certificate.