How to configure Okta SAML SSO

Before you begin

You'll need:

• A Teams or Enterprise Calendly plan: 
  • Teams plan users: Add the SSO feature from your Billing page ($3 per user/month). 
  • Enterprise plan users: SSO is included
• To be a Calendly Owner or Admin.
• To use the same email address in both Calendly and Okta. 

Okta SAML SSO features

What's supported:

• Identity Provider Initiated SSO (IdP-initiated)
  • Login through Okta and open Calendly from the dashboard. 
  • Requires a Default Relay State in Okta. 
• Service Provider Initiated SSO (SP-initiated)
  • Users can log in via calendly.com and your identity provider will authenticate the user.

Not supported:

• Just-in-Time (JIT) user creation is not supported. You can provision users with SCIM.

Configure Okta SAML SSO

Add Calendly as an Okta application

1. Open the Okta admin dashboard.
2. Select Applications > Add Application.
3. Select Browse App Catalog.
4. Search for the Calendly and select Add. 
5. Under General Settings, review:
   • Application Visibility - Check Do not display application icon to users to hide during setup. (You will need to change this after configuration to make the app visible to your users.)
   • Browser plugin auto-submit
6. Select Next.
7. Select SAML 2.0 under Sign On Methods. 
8. Select View Setup Instructions.
9. Keep this tab open. 

Configure Okta SAML SSO on Calendly

1. Open the Okta admin dashboard and select Applications, Calendly (or whatever you chose to name the Calendly application)
2.  Select the Sign On tab. 
3. Select View Setup Instructions. 
4. In a new tab, go to your Calendly home page.
5. Open your Admin center.
6. Select Login, then select Single Sign On.
7. In Okta, copy the Identity Provider Single Sign-On URL.
8. In Calendly, paste the URL into the Identity provider's SAML HTTP Request URL field.
9. In Okta, copy the Identity Provider Issuer. 
10. In Calendly, paste it into the Entity ID field.
11. In Okta, download the X.509 Certificate (PEM text format).
12. Upload the certificate into Calendly in the X.509 certificate for SAML authentication box. 
13. Set Session duration to the appropriate value for your organization’s security policies.
14. In Calendly, select Save & continue.

Update the Application SAML URLs within Okta

1. From the Okta admin dashboard, select Applications, Calendly (or whatever you chose to name the Calendly application).
2. Select the General tab. 
3. Scroll down to SAML Settings and select Edit.
4. Scroll down and select Next.
5. In Calendly, select Copy Audience URL.
6. Go to Okta and paste it in the Audience URI (SP Entity ID) field.
7. In Calendly, select Copy ACS URL.
8. Go to Okta and paste it in the Single sign on URL field.
9. (Optional, but required for IdP-initiated SSO.) In Calendly, select Copy default relay state. In Okta, paste it in the Default Relay State field.
10. In Okta, for Application username format select Email.
11. Select Save.

Test connection

1. Under the Assignments tab in Okta, assign your Okta user the Calendly application by selecting Assign > Assign to People.
2. Select the user to assign it to. 
3. If the user’s email is different from the one used to log in to Calendly, enter the correct email address in the User Name field.
4. Select Save and Go Back.
5. In Calendly, select Test Connection. If successful, you’ll see a confirmation and be able to proceed to the next step.

Enforce for your organization

1. In Okta, assign Calendly to the desired users. If you're assigning many users, you can follow these instructions from Okta.
2. In Calendly, select Enforce SAML SSO for my organization

Once SSO is enforced, all users will be logged out and need to use SSO to log into Calendly. Only the organization owner and admins can log in using their previous login method by selecting Log in using another method on the login page.