Caddi supports SAML 2.0 single sign-on (SSO) with any compliant identity provider (IdP), including Okta, Microsoft Entra ID (Azure AD), Google Workspace, OneLogin, and Ping Identity. This guide walks your IT team through configuring SSO so your team can sign in to Caddi using your existing identity provider.
SSO setup is currently a guided process. Our support team will configure the Caddi side of the connection once you provide the required information from your IdP. We do not yet offer self-service SSO configuration in the Caddi UI.
How the setup process works
1. Contact Caddi support to initiate SSO setup. We'll send you the connection details (URLs and identifiers) to use in your IdP.
2. Configure your identity provider with those details and the required SAML attributes.
3. Send your IdP metadata back to support so we can complete the connection on our side.
4. Test the login flow with a pilot user before rolling out to the full team.
Typical end-to-end timeline is 1 to 3 business days once both sides have what they need.
Before you begin
SAML SSO is available on some Caddi Enterprise plans. If you're not sure whether your contract includes it, check with your Caddi account team before starting.
You'll also need:
Admin access to your identity provider (for example, Okta Super Admin, Entra ID Application Administrator)
The list of email domains your users will sign in with (for example, acme.com, acme.co.uk)
Step 1: Contact Caddi support
Email support@trycaddi.com with the subject line "SSO Setup Request" and include:
Your company name and Caddi organization name
The identity provider you'll be using (Okta, Entra ID, Google Workspace, etc.)
The email domain(s) your users will sign in with
The name and email of the primary technical contact for setup
Our support team will reply with two values you'll need in Step 2:
ACS URL (also called the "Single Sign-On URL")
Entity ID (also called the "Audience URI" or "SP Entity ID")
Step 2: Configure your identity provider
Required SAML settings (all IdPs)
Whichever IdP you use, the SAML application must be configured with the following:
Setting | Value |
Single Sign-On URL / ACS URL | Provided by Caddi support |
Entity ID / Audience URI / SP Entity ID | Provided by Caddi support |
NameID format | EmailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) |
NameID value | The user's email address |
Protocol binding | HTTP-POST |
Required SAML attributes
The SAML assertion sent to Caddi must include the following attributes. The attribute names must use these exact URIs:
Attribute name (URI) | Maps to | Required |
| User email | Yes |
| First name | Yes |
| Last name | Yes |
If your IdP cannot send these exact attribute names, contact support and we can adjust the connection mappings on our side to match what your IdP sends.
Okta
Verified with Okta Identity Engine, May 2026.
1. In the Okta Admin Console, go to Applications > Applications and click Create App Integration.
2. Select SAML 2.0 and click Next.
3. On the General Settings screen, enter an App name (for example, "Caddi") and click Next.
4. On the Configure SAML screen, enter:
Single sign-on URL: the ACS URL from Caddi support
Audience URI (SP Entity ID): the Entity ID from Caddi support
Name ID format: EmailAddress
Application username: Email
Update application username on: Create and update
5. Scroll down to Attribute Statements and add the following three attributes (in the same order as the Required SAML attributes table: email, first name, last name):
Name | Name format | Value |
| URI Reference | |
| URI Reference | |
| URI Reference | |
If you see "Invalid property" errors, your tenant may be running the older Okta Classic Engine. In that case, use user.email, user.firstName, and user.lastName instead. Most modern tenants run Identity Engine.
6. Leave all other SAML settings at Okta's defaults. For reference, these are the values we've tested with:
Setting | Value |
Default Relay State | (empty) |
Response | Signed |
Assertion Signature | Signed |
Signature Algorithm | RSA_SHA256 |
Digest Algorithm | SHA256 |
Assertion Encryption | Unencrypted |
SAML Single Logout | Disabled |
SAML Signed Request | Disabled |
authnContextClassRef | PasswordProtectedTransport |
Honor Force Authentication | Yes |
7. Click Next, complete the feedback screen, and click Finish.
8. Go to the Assignments tab and assign the users or groups who should have access to Caddi.
9. Go to the Sign On tab. Under SAML Signing Certificates, locate Identity Provider metadata. Right-click the link and choose Save Link As to download the metadata XML file.
[Screenshot placeholder: Sign On tab with the IdP metadata link highlighted]
Other identity providers
Caddi is compatible with any SAML 2.0 IdP. We've currently documented the step-by-step flow only with Okta, so for other IdPs (Entra ID, Google Workspace, OneLogin, Ping Identity, etc.), your IT team should configure a custom SAML application using the values in Required SAML settings and Required SAML attributes above.
If you encounter issues configuring a non-Okta IdP, reach out to support and include:
The IdP you're using
A copy of the SAML response (a browser extension such as SAML-tracer, or your IdP's test-login feature, can capture it; it contains the user's NameID and attributes, so attach it only to the support thread)
Your SAML configuration / related settings
Any error message shown during login
We'll work with you to adjust the connection on our side.
Step 3: Send your configuration to Caddi support
Reply to your support thread with:
The IdP metadata XML file from Step 2 (Okta: step 9), or
The following values pulled from your IdP:
Sign-In URL (IdP SSO endpoint)
X.509 Signing Certificate
Issuer (IdP Entity ID)
Metadata XML is preferred since it contains everything we need in one file.
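If you would rather send the three individual values, or want to confirm what the metadata file contains before sending it, the following script extracts them from an IdP metadata XML file (the file downloaded in Okta step 9; every SAML 2.0 IdP publishes the same EntityDescriptor structure). This is an added example, not Caddi's code. The embedded metadata is constructed for the example and its certificate is a stub string rather than a real X.509 certificate; the Okta hostname and application path in it are placeholders.

```python
"""Added example (not Caddi's code): pull the Step 3 values out of IdP metadata.

Extracts the Issuer (IdP Entity ID), the HTTP-POST Sign-In URL and the signing
certificate(s) from SAML 2.0 IdP metadata, and checks two things this guide
requires: the IdP offers the EmailAddress NameID format, and it exposes an
HTTP-POST binding. The sample metadata below is constructed; its certificate
is a stub, not real DER.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def to_pem(cert_b64):
    """Wrap the raw base64 from the metadata as a PEM block support can paste."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    # One SingleSignOnService per binding; Caddi uses HTTP-POST.
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join(c.text.split())          # strip the whitespace IdPs insert
            der = base64.b64decode(b64)
            certs.append({"sha256": hashlib.sha256(der).hexdigest(),
                          "size": len(der), "pem": to_pem(b64)})
    formats = [n.text for n in idp.findall("md:NameIDFormat", NS)]
    return {
        "issuer": root.get("entityID"),
        "sign_in_url": sso.get(POST_BINDING),
        "signing_certs": certs,
        "offers_email_nameid": EMAIL_NAMEID in formats,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


# Constructed sample metadata (placeholder hostname/app path, stub certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        bm90LWEtcmVhbC1jZXJ0aWZpY2F0ZQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://acme.okta.com/app/acme_caddi_1/exk000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://acme.okta.com/app/acme_caddi_1/exk000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Issuer (IdP Entity ID):", info["issuer"])
    print("Sign-In URL (HTTP-POST):", info["sign_in_url"])
    print("Offers EmailAddress NameID:", info["offers_email_nameid"])
    for cert in info["signing_certs"]:
        print("Signing cert SHA-256:", cert["sha256"], f"({cert['size']} bytes)")
        print(cert["pem"])
```

Run it against your real file with `parse_idp_metadata(open("metadata.xml").read())`. A real signing certificate decodes to roughly a kilobyte of DER; the fingerprint is worth quoting in the thread so support can confirm they loaded the same certificate, and an IdP that lists more than one signing KeyDescriptor is mid-rotation, in which case send both.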
Caddi support will then finish provisioning the connection on our side. This typically takes a few hours during business days.
Step 4: Test the login flow
Once support confirms the connection is live:
1. Go to the Caddi login page.
2. Enter the email address of a user you assigned to the SAML app in Step 2 (Okta: step 8).
3. You should be redirected to your IdP. Complete the login there.
4. You'll be returned to Caddi and signed in.
How users are provisioned
New users. When a user signs in via SSO for the first time, a Caddi account is automatically created for them and they're added to your organization as a member. There's no separate provisioning step required (Caddi does not currently support SCIM).
Existing Caddi users. If a user already has a Caddi account (for example, they were invited before SSO was enabled), their existing account is automatically linked to their SSO identity on first SSO login, as long as the email address matches. They keep their account history and permissions. Because linking is by email match, the NameID your IdP sends must be the address the user registered with; if it differs, the login is treated as a new user and a separate account is created.
Password login after SSO is enabled. By default, users in your organization can still sign in with their existing password as an alternative to SSO. Until that is changed, a user who keeps signing in with a password is not subject to the controls your IdP applies at login (MFA, device checks, deprovisioning), so once the pilot in Step 4 succeeds, open a support ticket asking us to enforce SSO as the only sign-in method and we'll disable other login methods for your organization.
Troubleshooting
"Your organization is not yet configured with Caddi" Caddi received the login but couldn't match it to your organization. Contact support and we'll verify the connection link on our side.
Login completes but Caddi shows an error about a missing email The SAML assertion did not include an email attribute. Confirm the Attribute Statements in Step 2 are configured exactly as shown, including the full URI as the Name (not a friendly name like "email").
Login redirect loops or returns to the IdP without signing in Usually a NameID mismatch. Confirm that Name ID format is set to EmailAddress (not Unspecified) and that the NameID value is the user's email.
Anything else Email support@trycaddi.com with the affected user's email, the approximate time of the login attempt, and any error message displayed. Our team can pull the corresponding logs to diagnose.
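The three troubleshooting entries above, and the Required SAML settings and attributes in Step 2, can be checked locally from a captured SAML response before you contact support. The following script is an added example, not Caddi's code: it decodes the base64 SAMLResponse value that SAML-tracer (or your IdP's test login) shows and reports whether the NameID format is EmailAddress, whether the NameID is an email address, whether the Destination and Audience match the ACS URL and Entity ID, whether the response and assertion carry signatures, whether the assertion is within its validity window, and which attribute names are present versus required. The ACS URL, Entity ID and attribute URIs in it are placeholders for the values in your support thread; the embedded response is constructed, with stub signature elements. It checks structure only and does not verify the XML signatures.

```python
"""Added example (not Caddi's code): sanity-check a captured SAML response.

Replace EXPECTED_ACS, EXPECTED_AUDIENCE and REQUIRED_ATTRS with the values
from your Caddi support thread (the ones here are placeholders), then pass the
base64 SAMLResponse from SAML-tracer to check_saml_response(). Structure
only: signatures are detected, not cryptographically verified.
"""
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholders (assumed values, not Caddi's real endpoints or attribute URIs).
EXPECTED_ACS = "https://sso.example/saml/acs"
EXPECTED_AUDIENCE = "https://sso.example/saml/metadata"
REQUIRED_ATTRS = {
    "urn:example:caddi:email": "User email",
    "urn:example:caddi:firstName": "First name",
    "urn:example:caddi:lastName": "Last name",
}


def parse_time(stamp):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def encode_response(xml_text):
    """Produce what the browser posts in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


def check_saml_response(b64_response, now, expected_acs=EXPECTED_ACS,
                        expected_audience=EXPECTED_AUDIENCE,
                        required_attrs=REQUIRED_ATTRS):
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    f = {
        "status_success": status is not None and status.get("Value", "").endswith(":Success"),
        "destination_ok": root.get("Destination") == expected_acs,   # must equal the ACS URL
        "response_signed": root.find("ds:Signature", NS) is not None,
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion lands here; the tested Okta settings leave it unencrypted.
        f["assertion_present"], f["ok"] = False, False
        return f
    f["assertion_present"] = True
    f["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    f["nameid"] = nameid.text if nameid is not None else None
    f["nameid_format_ok"] = nameid is not None and nameid.get("Format") == EMAIL_NAMEID
    f["nameid_is_email"] = bool(f["nameid"]) and "@" in f["nameid"]
    cond = assertion.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    f["time_valid"] = (not_after is not None and now < parse_time(not_after)
                       and (not_before is None or parse_time(not_before) <= now))
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    f["audience_ok"] = expected_audience in audiences                # must equal the Entity ID
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else None     # Name must be the full URI
    f["attributes"] = attrs
    f["missing_attrs"] = sorted(set(required_attrs) - set(attrs))
    checks = ("status_success", "destination_ok", "response_signed", "assertion_signed",
              "nameid_format_ok", "nameid_is_email", "time_valid", "audience_ok")
    f["ok"] = all(f[k] for k in checks) and not f["missing_attrs"]
    return f


# Constructed sample (not a real capture); Signature elements are stubs so the shape parses.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
  IssueInstant="2026-05-01T10:00:00Z" Destination="https://sso.example/saml/acs">
  <saml:Issuer>http://www.okta.com/exk000000000000000</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-05-01T10:00:00Z">
    <saml:Issuer>http://www.okta.com/exk000000000000000</saml:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@acme.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2026-05-01T09:55:00Z" NotOnOrAfter="2026-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sso.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:caddi:email"><saml:AttributeValue>jane@acme.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:example:caddi:firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:example:caddi:lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = encode_response(SAMPLE_XML)

if __name__ == "__main__":
    for key, value in check_saml_response(SAMPLE_B64, now=parse_time("2026-05-01T10:00:00Z")).items():
        print(f"{key}: {value}")
```

A `missing_attrs` entry corresponds to the "missing email" error above (the IdP sent a friendly name such as `email` instead of the full URI); `nameid_format_ok` false matches the redirect-loop case (Unspecified instead of EmailAddress); a false `destination_ok` or `audience_ok` means the ACS URL or Entity ID in the IdP app does not match what support issued. Pass the real wall-clock time as `now` when checking a capture; an assertion that is valid otherwise but outside its window is what you see when a tracer capture is replayed later.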
