Skip to main content
Empuls supports SAML 2.0-based Single Sign-On through Okta, enabling employees to authenticate using their corporate Okta credentials. Once configured, Okta controls who can access Empuls — users gain or lose access automatically based on their Okta assignments, and no passwords are stored in Empuls.

How it works

With SAML 2.0, Okta acts as the Identity Provider (IdP) and Empuls acts as the Service Provider (SP). The authentication sequence is:
  1. The user enters their email on the Empuls login page and clicks Proceed.
  2. Empuls redirects the user to Okta.
  3. Okta verifies the user’s credentials.
  4. Okta sends a signed SAML response back to Empuls.
  5. Empuls grants the user access.

Prerequisites

  • Admin access to the Okta Admin Console
  • Super Admin access to Empuls
  • Your Empuls tenant URL

Step A: Get Empuls SP metadata from Empuls

1

Open Empuls authentication settings

Log in to Empuls. Navigate to Reports & Settings → Admin Dashboard → User Authentication → Custom Login SAML 2.0 SSO.
2

Copy or download SP details

From the SAML 2.0 configuration page, copy the following values — you will enter them in Okta:
  • ACS URL (Assertion Consumer Service URL)
  • Entity ID (Audience URI)
  • Name ID format
Alternatively, click Download SP Metadata to save empuls-sp-metadata.xml. You can upload this file directly in Okta.

Step B: Create the Empuls app in Okta

1

Open Okta Admin Console

Log in to the Okta Admin Console. Go to Applications → Create App Integration.
2

Choose SAML 2.0

Select SAML 2.0 as the sign-in method and click Next.
3

Name the application

Enter Empuls as the app name and click Next.
4

Configure SAML settings

In the SAML Settings screen, enter the following:
Okta fieldValue
Single Sign-On URLEmpuls ACS URL
Audience URI (Entity ID)Empuls Entity ID
Name ID FormatEmailAddress
Name ID ValueEmail or Employee ID (must match user records in Empuls)
5

Save the application

Click Next, review your settings, and click Finish to save the application.

Step C: Assign users in Okta

1

Open the Empuls app in Okta

From the Applications list, click on the Empuls app you just created.
2

Assign users or groups

Go to the Assignments tab. Assign individual Users or Groups who should be able to log in to Empuls via SSO. Only assigned users can authenticate through Okta SSO.

Step D: Export Okta metadata and upload to Empuls

1

Download Okta IdP metadata

In the Okta Admin Console, go to Applications → Empuls → Sign On tab. Click View SAML setup instructions and download the IdP Metadata XML file.
2

Upload to Empuls

Return to Empuls. Go to User Authentication → SAML 2.0 (at /home/integrations/saml_sso). In the Identity Provider metadata section, upload the Okta IdP metadata XML file.
3

Save

Save your changes in Empuls.

Step E: Test the connection

1

Click Test Connection

On the Empuls SAML 2.0 page, click Test Connection. A pop-up window opens.
2

Sign in with Okta

You are redirected to Okta. Log in with your Okta credentials.
3

Confirm success

If the connection is working, you are redirected back to Empuls with a success confirmation. SSO is now active.
If the test pop-up does not open, your browser is likely blocking pop-ups. Allow pop-ups for your Empuls domain and retry the test.

Step F: Set Okta SSO as the default login method

To make Okta SSO the default for all users, go to Admin Dashboard → User Authentication → Custom Login Method → SAML 2.0 (Okta) and set it as the default login method.

Other SAML 2.0 providers

The same general process applies to other SAML 2.0-compatible identity providers. The key steps are always: obtain Empuls SP metadata → configure the IdP app → download IdP metadata → upload to Empuls → test the connection.

OneLogin

In OneLogin, create a SAML Test Connector (Advanced) application. In the Configuration tab, enter the Empuls ACS URL and Entity ID (or upload empuls-sp-metadata.xml for auto-mapping). Set the NameID Format to Email or Unspecified with Employee ID. Download the OneLogin IdP metadata XML from Applications → Your App → SSO → Download Metadata and upload it to Empuls at /home/integrations/saml_sso. Click Test Connection to verify.

Ping Identity

In the PingOne console, go to Connections → Applications and add a new Web App with SAML as the connection type. Name the app Empuls. Either upload empuls-sp-metadata.xml (recommended) or manually enter the ACS URL and Entity ID. In Attribute Mapping, map SAML_SUBJECT to the user’s Email Address. Toggle the app to ON to enable access. Download the IdP Metadata XML from the Configuration tab and upload it to Empuls. Click Test Connection to verify.

Troubleshooting

  • Confirm the Name ID in Okta is set to Email or Employee ID.
  • Verify the ACS URL and Entity ID in Okta exactly match the values from Empuls — extra spaces or trailing slashes can cause failures.
  • If you recently updated your Okta configuration, re-download and re-upload the Okta IdP metadata in Empuls.
  • Confirm the user exists in Empuls (check Admin → Manage Employees).
  • Verify the email address or employee ID in the user’s Okta profile exactly matches their record in Empuls.
Allow pop-ups for your Empuls domain in your browser settings and retry.
Contact cs@xoxoday.com to enable multiple custom SSO providers for your organization.