How to configure Okta SAML SSO

Before you start…

  • You must be a Calendly account owner or admin to enable Single sign-on (SSO). 
  • You must use the same email address for both Calendly and Okta. 

Okta SAML SSO features

  • Identity Provider Initiated SSO (IdP-initiated) 

    • Users can log in to their identity provider and select the Calendly app.

    • Only available if your identity provider supports a Default Relay State.

  • Service Provider Initiated SSO (SP-initiated)

    • Users can log in via, and your identity provider will authenticate the user.

  • Just-in-Time (JIT) user creation is not supported. You can provision users with SCIM.

Step 1: Add Calendly as an Okta application

  1. Open the Okta admin dashboard and select Applications.
  2. Select Add Application.
  3. Select Browse App Catalog.
  4. Search for the Calendly application.
  5. Select the Add button for the Calendly application.
  6. In General Settings select the appropriate values for:
    • Application Visibility - If you want to temporarily hide the app while configuring, select the check box next to Do not display application icon to users. (You will need to change this after configuration to make the app visible to your users.)
    • Browser plugin auto-submit
  7. Select Next.
  8. Under Sign On Methods, select SAML 2.0.
  9. Select View Setup Instructions.
  10. Leave this tab open and proceed to Step 2.

Step 2: Configure Okta SAML SSO on Calendly

  1. If you no longer have your Okta window open after completing the previous steps, open the Okta admin dashboard and select Applications, Calendly (or whatever you chose to name the Calendly application), and select the Sign On tab.

  2. Select View Setup Instructions.

  3. In a new tab, navigate to your Calendly home page. Select Account, then Organization Settings, then Single Sign On.

  4. In Okta, copy the Identity Provider Single Sign-On URL. Then, in Calendly, paste into the Identity provider's SAML HTTP Request URL field.

  5. In Okta, copy the Identity Provider Issuer. Then, in Calendly, past into the Entity ID field.

  6. In Okta, download the X.509 Certificate (PEM text format) and upload it into Calendly in the X.509 certificate for SAML authentication box. (Alternatively the certificate may be copied and pasted into the correct field.)

  7. Set Session duration to the appropriate value for your organization’s security policies.
  8. In Calendly, select Save & continue.

Step 3: Update the Application SAML URLs within Okta

  1. From the Okta Admin dashboard, select Applications, Calendly (or whatever you choose to name the Calendly application), and select the Sign On tab. 

  2. In the top section labeled Settings, select Edit. Then scroll down to the Advanced Sign-on Settings section.
  3. In Calendly, select Copy Audience URL. Then, go to Okta and paste it in the Audience URI (SP Entity ID) field.
  4. In Calendly, select Copy ACS URL. Then, go to Okta and paste it in the Single sign on URL field.
  5. (Optional, but required for IdP-initiated SSO.) In Calendly, select Copy default relay state. In Okta, paste it in the Default Relay State field.
  6. In Okta, for Application username format select Email
  7. Select Save.

Step 4: Test connection

  1. Under the Assignments tab in Okta, assign your Okta user the Calendly application by selecting Assign, Assign to People, and the user to assign it to.

  2. If the user’s email is different from the one used to log in to Calendly, enter the correct email address in the User Name field and select Save and Go Back.

  3. In Calendly, select Test Connection. If successful, you’ll see a confirmation and be able to proceed to the next step.

Step 5: Enforce for your organization

  1. In Okta, assign Calendly to the desired users. If you're assigning many users, you can follow these instructions from Okta.

  2. In Calendly, select Enforce SAML SSO for my organization

Once SSO is enforced, all users will be logged out and need to use SSO to log into Calendly. Only the organization owner and admins can log in using their fallback (original) login method by selecting Log in using another method on the login page.