
Single Sign-On With Okta

Configure Single Sign-On for Statsig with Okta using OIDC, including app integration, claim mappings, and role assignment for invited users.

Requirements

  • You must be the Admin of the Statsig Organization where you intend to add SSO with Okta.
  • You must be the Administrator of the Okta account you want to link.

Supported Features

Statsig supports the OIDC protocol for SSO with the following flows:

  • Service Provider (SP)-Initiated Authentication for Single Sign-On (SSO). This flow starts when you log in on the Statsig website.
  • Identity Provider (IdP)-Initiated Authentication for SSO. This flow starts when you launch the Statsig App from Okta.
  • Just-In-Time (JIT) provisioning for SSO. Upon successful first-time login, Statsig automatically provisions an account for the user.

Configure SSO with Okta

Adding the Statsig OIDC Application in Okta

  1. Navigate to your Okta portal.
  2. In your Okta portal, click Applications in the left-hand column, then click Applications in the dropdown.

    Okta portal navigation highlighting Applications menu

  3. On the Applications page, click on the Browse App Catalog button.

    Okta Applications page with Browse App Catalog button

  4. On the App Catalog page, use the search box to search for Statsig and click on the Statsig OIDC Application.
  5. In the Statsig Application, click on the Add button.

    Statsig app listing within Okta catalog showing Add button

  6. After creating the Statsig OIDC Application in Okta, go to the Sign On tab to find the Client ID and Client Secret fields. You need both values to enable SSO on the Statsig Project. Statsig automatically configures the sign-in and sign-out redirect URIs.

    Okta Sign On tab showing Client ID and Client Secret values

After completing these steps, you have configured the Statsig OIDC Application in Okta. Navigate to SSO configuration on your Statsig Organization to finish setup.

SP-Initiated SSO

  1. Navigate to https://console.statsig.com/sso
  2. Enter your email address and click "Authenticate".
  3. Statsig redirects you to authenticate with Okta. If prompted, enter your Okta credentials.
  4. After you authenticate, Statsig redirects you and logs you in.

Proof Key for Code Exchange (PKCE)

Statsig doesn't currently support the PKCE flow, so you need to turn off the feature in Okta when you enable SSO with Statsig.
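
Why the PKCE setting matters, shown as an added example that is not Statsig's or Okta's code: a client that does not implement PKCE sends no code_challenge, and an authorization server set to require PKCE answers such a request with invalid_request (RFC 7636, section 4.4.1). The endpoint, client ID, redirect URI and function names are constructed placeholders, and idp_check_authorize is a simplified model of an identity provider, not Okta's implementation.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (assumptions), not real Statsig or Okta values.
AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/v1/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://sp.example.com/callback"


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(use_pkce: bool):
    """Build an authorization-code request; return (url, verifier or None)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": secrets.token_urlsafe(16),   # binds the callback to this request
        "nonce": secrets.token_urlsafe(16),   # binds the ID token to this request
    }
    verifier = None
    if use_pkce:
        verifier = secrets.token_urlsafe(32)  # 43 chars, RFC 7636 allows 43-128
        params["code_challenge"] = s256_challenge(verifier)
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), verifier


def idp_check_authorize(url: str, pkce_required: bool):
    """Simplified IdP-side check of one request; returns (ok, error_code)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("response_type") != "code":
        return False, "unsupported_response_type"
    if pkce_required and "code_challenge" not in q:
        # The failure a non-PKCE client hits while the PKCE setting is on.
        return False, "invalid_request"
    if pkce_required and q.get("code_challenge_method") != "S256":
        # Assumption: this model accepts only the S256 method.
        return False, "invalid_request"
    return True, None
```

With pkce_required set to True, the request built with use_pkce=False is rejected before the user ever reaches the login prompt; with the setting off, the same request is accepted.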
