Okta

Okta supports both OIDC and SAML. OIDC is simpler and is the default path we recommend. Before you start, grab your OIDC Redirect URL (for OIDC) or your SAML ACS URL and SAML Entity ID (for SAML) from the Endpoints for your IdP card on the Quippy admin portal’s SSO page.

1. In Okta

OIDC (recommended)
SAML 2.0

Sign in to the Okta admin console.
Applications → Applications → Create App Integration.
Choose OIDC — OpenID Connect and Web Application.
Give the app a name (e.g. “Quippy”) and upload a logo if you like.
Under Sign-in redirect URIs, paste the OIDC Redirect URL from Quippy.
Under Assignments, grant access to the users or groups that should be able to sign in to Quippy.
After saving, open the General tab and copy:
- Client ID
- Client secret
- Okta domain (used to build the issuer URL — it’s https://<your-domain>.okta.com/oauth2/default for the default authorization server).

Okta — Create App Integration (OIDC / Web Application).

Applications → Applications → Create App Integration → SAML 2.0.
General settings — name the app “Quippy”.
Configure SAML:
- Single sign-on URL — the SAML ACS URL from Quippy.
- Audience URI (SP Entity ID) — the SAML Entity ID from Quippy.
- Name ID format — EmailAddress.
- Application username — Email.
Save. On the Sign On tab, copy the Identity Provider Single Sign-On URL, the Identity Provider Issuer, and download the X.509 Certificate.
Assign people or groups under Assignments.

2. In Quippy

Back in the admin portal’s SSO page, paste the values you just collected.

OIDC
SAML 2.0

Quippy field	Value from Okta
Issuer URL	`https://<your-domain>.okta.com/oauth2/default`
Client ID	App → General → Client ID
Client Secret	App → General → Client secret

Quippy field	Value from Okta
IdP Entry Point	Sign On → Identity Provider Single Sign-On URL
IdP Entity ID	Sign On → Identity Provider Issuer
Signing Certificate	The PEM contents of the downloaded X.509 cert
Signature Algorithm	`SHA-256` (default)

3. Test connection

Click Test connection in the Quippy admin portal.

OIDC success — the test returns the authorization_endpoint, token_endpoint, jwks_uri, and whether PKCE is supported.
SAML success — the test confirms the entry point is reachable and responds with SAML metadata.

Then enable SSO — but keep a backup admin until your first SSO sign-in succeeds.

Common gotchas

Wrong authorization server → issuer mismatch

Okta has a default authorization server and may have custom ones. The issuer URL you paste into Quippy must match the one Okta uses to sign tokens. For most tenants it’s https://<domain>.okta.com/oauth2/default. If you created a custom server, the path will differ.

User not assigned to the app

Okta will return a valid sign-in session but fail the app authorization step. Assign the user or their group to the Quippy app under Assignments.

SAML cert pasted with extra whitespace

Strip any leading/trailing whitespace and make sure the PEM includes the full -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Getting Started

SSO

Webhooks

API Reference

1. In Okta

2. In Quippy

3. Test connection

Common gotchas

Getting Started

SSO

Webhooks

API Reference

​1. In Okta

​2. In Quippy

​3. Test connection

​Common gotchas

1. In Okta

2. In Quippy

3. Test connection

Common gotchas