---
title: "Configuring Okta SSO for HG Insights"
slug: "configuring-okta-sso-for-madkudu"
updated: 2026-01-29T09:31:31Z
published: 2026-01-29T09:31:31Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://help.madkudu.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configuring Okta SSO for HG Insights

You can use Okta as your identity provider to authenticate users to HG Insights. HG Insights supports SAML SSO initiated by both Okta (identity provider) and HG Insights (service provider).

## **Prerequisites**

- You have a HG Insights account with Admin permissions
- You have your HG Insights tenant number
- Your company has an existing Okta account to set up SAML SSO
- You have Admin permissions for your company's Okta account

## **Overview**

Single sign-on allows you to log in to your company's HG Insights account using your Okta company credentials. A connection is made between Okta, the identity provider (idP), and HG Insights, the service provider (SP), to allow users to directly connect to their HG Insights account.

Once you configured your company Okta account with HG Insights, you can follow these [i](https://support.zoom.us/hc/en-us/articles/360059671292)nstructions to manage users.

## **1. Add the HG Insights custom app to Okta**

1. In the Okta console, go to **Applications**.
2. Click **Create App Application**. ![](https://support.madkudu.com/hc/article_attachments/20645535878285)
3. Select **SAML 2.0** and click **Next**

![](https://cdn.document360.io/a55e7ea5-b8ac-4456-874d-10cc92097370/Images/Documentation/image(183).png)
4. This will take you to the General Settings page.
  - **App Name**: HG Insights
  - **App logo**: Grab the one [from our website in google images](https://www.google.com/search?q=madkudu+logo&amp;tbm=isch&amp;chips=q:madkudu+logo,online_chips:madkudu+inc:cjqkIMZQCgg%3D&amp;hl=en&amp;sa=X&amp;ved=2ahUKEwjZxL3H2IyCAxW2iO4BHe8BBa4Q4lYoAXoECAEQNg&amp;biw=1265&amp;bih=857#imgrc=etRbL5i_41NbFM)

![](https://cdn.document360.io/a55e7ea5-b8ac-4456-874d-10cc92097370/Images/Documentation/image(184).png)
  - **App visibility**: unchecked
5. Click **Next**. This will take you to the Configure SAML page.
  - **Single sign-on URL**: `https://access-api.madkudu.com/auth/sso/idp/&lt;TENANT_ID&gt;`, where `&lt;TENANT_ID&gt;` is your tenant number. When you connect to [admin.hginsights.com](http://admin.hginsights.com) you can see the tenant number in the URL (see below).

![](https://cdn.document360.io/a55e7ea5-b8ac-4456-874d-10cc92097370/Images/Documentation/image(797).png)
  - Check **Use this for Recipient URL and Destination URL**
  - **Audience URI (SP Entity ID)**: `https://bongo.madkudu.com/v1/login/saml/TENANT_ID`, where `TENANT_ID` is your tenant number.
  - **Default RelayState**: Leave blank.
  - **Name ID Format**: Select **EmailAddress.**
  - **Application username**: Select **Okta username**.
  - Click **Show Advanced Settings**.

![](https://cdn.document360.io/a55e7ea5-b8ac-4456-874d-10cc92097370/Images/Documentation/image(795).png)![](https://cdn.document360.io/a55e7ea5-b8ac-4456-874d-10cc92097370/Images/Documentation/image(796).png)
  - **Response**: Choose **Signed**.
  - **Assertion Signature**: Choose **Unsigned**.
  - **Signature Algorithm**: Choose **RSA-SHA256**.
  - **Digest Algorithm**: Choose **SHA256**.
  - **Assertion Encryption**: Leave as Unencrypted.
  - **Signature Certificate**: Download the certificate and upload it:

[](https://cdn.document360.io/a55e7ea5-b8ac-4456-874d-10cc92097370/Images/Documentation/certificate_okta_madkudu_2024_2027(1).pem)certificate_okta_madkudu_2024_20271.42 KB[**](https://cdn.document360.io/a55e7ea5-b8ac-4456-874d-10cc92097370/Images/Documentation/certificate_okta_madkudu_2024_2027(1).pem)

If you are unable to download the certificate, copy paste the text below in a text or code editor and "Save as" with a **.pem** extension:

```undefined
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIUewpr2QmqAeKzZfYm/M1opYe+IcYwDQYJKoZIhvcNAQEL
BQAwGjELMAkGA1UEBhMCRlIxCzAJBgNVBAMMAkNBMB4XDTI0MTEwNTEyNDYxNFoX
DTI3MTEwNTEyNDYxNFowGjELMAkGA1UEBhMCRlIxCzAJBgNVBAMMAkNBMIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx9/B8s8rLqIl1zRHIwW30JsQ0GPs
hzlrSpmcocPxODmHtyeBbloz4jpxmZNV/NSalFV45lqtd0a9VuGgoZB85yoH739f
gVCsYLSgYc27GzIJZZNu488EebaIR8mVxaaArPW5L9QuUQuqP87T7uPuPt4xXwaR
Hk4rSshPorEl3lp5PyueqSKWecLp+rAgDdIn2SlvZm+FR9kF/Iodml6CNq7nD+dP
FAYPKRGRJI8ZOMaVKBDBAh/oG6sXzA96JHSQbkEpK2YtiPskh8ePeRjHt91uFKdN
T2S/qFst6AHkQsR/Cpv5XsTggLOQCcDrpevbjgaBDUeV1uyy9DzK6a+5LBaC2cxt
eCNBWXn+pUSOboL3Jo4j4ILk62tcBMVZE+CLpvz92mQ/oMaIA2BRW9A3mG3d6mu7
p5kk+O92KBZLX9Xf64cEpP4AEcWQuuaeOizIf4aXFjXB32JC+Dgo9XZS84p+whBJ
Yz5S9udBDf9hQmBinJwJy0XR5PJLFSAf6TwocgTFDQt5/6GNKVKkHCTIjURtRztu
j6x2sXQ6iItjUEqLkGpzFnmlogaLFgTmOJ+Zv2IgrvUyoAcEgC3TA9RveCXDQoPr
P29qWFLHYQyJs8A4hCtCFyHW4IXu1pAFsKCrcEJoM/sI0Hr+K6mg6fV4iP4IUnsw
0XgYuPzrpfeF9yECAwEAAaNCMEAwHQYDVR0OBBYEFCEHOnw0z/kWnJv1IffTbWLM
B/AAMB8GA1UdIwQYMBaAFDKxAqjS6RbEUSYdj3I5TIctJc62MA0GCSqGSIb3DQEB
CwUAA4IBAQBsfjFO/gqhuusdphkxtXxvZYXgUFRFZ8KeDoFd0nkM2JbefonpBGTS
RHkOWZSn3tRhcJHTaRmnmoXyLxo3rflH73B8fkmCL51ON7ZbusGO94ph2uobI4mP
DQGQsUo8TUP46DQrSxiwK1e6ENXqCJn2mo4MsuM6ooimdx+JmVd3NcFlV/Y0p7Nh
pw46Le9JREQjIW6XnLOeHBzzg3FKOCyUgAboaAwRUC69Qpm3NhZQtBnvWOALHnXp
zT+PaEpIrwNIhaB7EoqMFIOdPSP6xU9ToeXmasvFEKIVtdDwUtAfA6fWnc7ygpmB
leKuK5z6Z4Um+vNyMwryedON6nEhewXH
-----END CERTIFICATE-----
```
  - **Enable Single Logout**: Leave unchecked.
  - **Signed Requests:** check
  - **Authentication context class**: Choose **PasswordProtectedTransport**.
  - **Honor Force Authentication**: Choose **Yes**.
  - **SAML Issuer ID**: Leave blank.
  - No need to configure the attribute and group attribute statements ![](https://cdn.document360.io/a55e7ea5-b8ac-4456-874d-10cc92097370/Images/Documentation/image(188).png)
  - **Preview the SAML Assertion**: You can click to preview the SAML assertion.![](https://support.madkudu.com/hc/article_attachments/20645535950605)
6. Click **Next**.
7. This will take you to the Okta feedback page. Enter your feedback if desired and click **Next**.

## **2. Set up Okta in the HG Insights app**

Now that you have set up HG Insights in Okta, you will need to set up Okta in HG Insights for the two applications to create a trusted relationship with each other to allow communication.

You will need to provide HG Insights the Okta's Identity Provider URL automatically generated in Okta following these instructions.

**In Okta**

1. In Okta Console, go to **Applications**.
2. Click on the **HG Insights** app you have just created.
3. Click the **Sign On** tab.
  - Click **View Setup Instructions** to review Okta setup instructions to configure SAML 2.0 for HG Insights.
  - Keep this page open, you'll need to copy the URLs and certificate and paste them in HG Insights App. ![mceclip5.png](https://support.madkudu.com/hc/article_attachments/4403640159501)

**In HG Insights**

1. Open a new page to go to HG Insights App (app.madkudu.com),
2. Go to **Settings**
3. Click on the **Authentication** tab
4. Select **Okta** in the **Enforce SSO** picklist
5. Paste in the form the
  - **Identity Provider Single Sign-On URL**
  - **Identity Provider Issuer**
  - **X.509 Certificate**![mceclip0.png](https://support.madkudu.com/hc/article_attachments/4404640261901)
6. Click **Save**

Nice! Now HG Insights will be able to recognize your Okta account.

Now you need to assign users to the HG Insights app **both** in Okta **and** in HG Insights. Please follow both [**steps here**](/v1/docs/assign-okta-users-to-the-madkudu-app)

  

---

### FAQ

#### I am always redirected to Admin Login when clicking HG Insights in Okta’s applications page. Can’t I go to Copilot with the click?

It is expected that only admin users are able to connect to Admin login by clicking HG Insights in Okta’s applications.

For Copilot users, please connect to Copilot via [msi.madkudu.com](http://msi.madkudu.com) and every user is able to sign into Copilot with Okta.![](https://cdn.document360.io/a55e7ea5-b8ac-4456-874d-10cc92097370/Images/Documentation/CleanShot 2025-04-22 at 11.25.16@2x.png)