Organization Settings
      Back to home
      1. Pluto Knowledge Base
      2. Getting Started
      3. Organization Settings

      Configuring Single Sign-On (SSO) with the Okta Integration for Pluto Bio (updated)

      Configuring Okta with Pluto Bio for SSO

      Introduction

      Pluto supports SAML 2.0-based Single Sign-On (SSO), allowing users to log in through an organization’s Okta Identity Provider (IdP)​. This means you can use your company’s internal Okta credentials to access Pluto, rather than separate Pluto-specific passwords. Once the integration is configured, users will be required to sign in via Okta, enabling your organization to enforce its own security policies (password complexity, multi-factor authentication, etc.) for Pluto access. Okta will serve as the IdP in this setup ,providing several benefits:

      • Centralized Authentication: Users authenticate with the same Okta credentials they use for other enterprise apps, simplifying login management.
      • Enhanced Security: Your existing IT policies (MFA, password rotation, IP restrictions, etc.) automatically apply to Pluto logins​.
      • Streamlined User Management: Access to Pluto can be managed via Okta—when a user is added or removed in Okta, their Pluto access follows accordingly, reducing administrative overhead.

      In the sections below, we’ll walk through configuring the Okta integration for Pluto and enabling SSO for all Pluto users. Screenshots are included to illustrate the process step-by-step.

      Prerequisites

      Before Configuring Single Sign-On (SSO) for Pluto Bio with Okta, please ensure you have the following:

      • Okta Administrator Access: You will need administrator privileges within your Okta organization to create and configure applications.
      • Active Pluto Bio Account: Your Pluto Bio account should be fully set-up and accessible.
      • Pluto Bio Administrator Access: You must have administrator-level access within your organization’s Pluto Bio account.
      • Pluto Bio Org Slug: You will need your organization’s “org_slug” from Pluto Bio.This is found in the user dropdown menu within the app.pluto.bio application (top right corner).
      • Contact with Pluto Support: The configuration flow requires a handoff with Pluto Support for the Okta metadata.

       

      Having these prerequisites in place will ensure a smooth and efficient configuration process for setting up SSO with Okta.

      Supported Features

      The Pluto Bio Okta Integration supports the following features:

      • Single Sign-On (SSO) via SAML 2.0: Enables users to securely access Pluto Bio using their existing Okta credentials, eliminating the need for separate passwords.
      • Just-In-Time (JIT) Provisioning: When a user logs into Pluto Bio via Okta for the first time, a Pluto Bio account is automatically created for them. This streamlines user onboarding.
      • IdP-Initiated and SP-Initiated SSO: Supports both Identity Provider (IdP) initiated SSO (launching Pluto Bio from the Okta dashboard) and Service Provider (SP) initiated SSO (starting at the Pluto Bio login page and being redirected to Okta).

       

      This integration is designed to provide a seamless and secure login experience while simplifying user management for your organization.

      Step-by-Step Configuration in Okta

      To integrate Pluto with Okta via SAML, you will create a SAML 2.0 application in your Okta Admin Console and input Pluto’s SSO details. Follow these steps:

      1. Browse the Okta Application Catalog for Pluto Bioinformatics: Log in to your Okta Admin Console, and navigate to the Applications section. Search for Pluto Bioinformatics, select the integration, then click “Add Integration”
      2. Set the Default Relay State: The Default Relay State should be set to your org_slug. The  org_slug is is found on the user dropdown within app.pluto.bio (top right corner). See an example `okta-oin-app` org_slug.



      4. Accept (or modify) the General Settings: These determine the visibility to end-users within the Okta organization.

      At this point, the Okta side configuration is done. You have created a SAML 2.0 app in Okta with Pluto’s ACS URL, Entity ID, and attribute mappings. The next steps will be to provide Okta’s SAML metadata to Pluto and then verify the SSO connection.

      Download and Send Metadata to Pluto

      Now that your Okta SAML app is configured, you need to retrieve the Identity Provider (IdP) metadata from Okta and send it to Pluto for the integration to be completed. This metadata contains information Pluto needs (like Okta’s SSO URL, certificate, and entity ID) to trust Okta as an IdP.

      • Download Okta metadata: In your Okta app’s settings, navigate to the Sign On tab for the Pluto SAML application. Here, look for a section or link for Identity Provider metadata. Okta provides a metadata URL or a downloadable metadata XML file for the IdP configuration​. Click the Identity Provider metadata link to download the metadata.xml file (or copy the metadata URL, if provided). This XML file contains Okta’s SAML configuration (issuer, certificate, endpoints) that Pluto will use to set up the trust. Save this file to your computer. (If you have trouble finding the metadata link, ensure your Okta app is saved. On the Sign On tab, you should see an “Identity Provider metadata” link or button – clicking it will either download an XML file or display the XML which you can save.)

         Okta “Sign On” settings for the SAML app – On the Sign On tab of your Okta application, you’ll find the link to Identity Provider metadata (as highlighted above). Clicking this will allow you to download the metadata XML file containing your Okta IdP details. This file (often named metadata.xml) includes the information Pluto needs to finalize the SSO setup.




      • Send metadata to Pluto: Once you have the Okta metadata file (or a URL to it), send it to the Pluto team. Pluto may have provided a form or a secure method for you to upload the SAML metadata​. Typically, your Pluto representative will send you a configuration form where you can attach the metadata XML or paste the metadata URL​. Fill out that form and submit it so that Pluto receives your Okta IdP metadata. (If you haven’t received a form, contact support@pluto.bio or your Pluto representative for instructions on how to send the SAML metadata.)

      • Pluto enables SAML for testing: After you send the metadata to Pluto, the Pluto support team will enable SAML SSO on Pluto’s side for your account, initially for the admin user only​. This means Pluto will configure the trust with Okta using your metadata and turn on SSO, but restrict it to just the organization’s admin account at first to test the integration. You will be notified once this is done, so you can proceed with verification.

      Note: For the initial SSO test, ensure that the Pluto admin user’s account exists in Okta and is assigned to the Pluto SAML application. In Okta, go to the Assignments tab for your Pluto app and verify that the admin’s Okta user is assigned (or that the app is set to auto-assign via group membership). If the admin user is not assigned in Okta, they will not be able to log in via SAML during testing. (Generally, you should assign all intended Pluto users to this Okta app now, or confirm that the app is set for all users in the organization, to avoid login issues later.)​

      Verification and Enforcing SAML for All Users

      With SAML enabled for the Pluto admin account, it’s time to verify that everything works, then roll it out to everyone.

      • Verify SSO Login (Admin user): Pluto will provide your organization’s admin user with instructions to test the SSO login​. This usually involves the admin attempting to log in to Pluto via the SSO route. For example, the admin can go to the Pluto login URL specifically for SSO (which is usually https://app.pluto.bio/login/<your-org-slug> as noted in Pluto’s documentation​) – this will redirect to Okta for authentication. Upon entering their Okta credentials, the admin should be logged into Pluto. Alternatively, the admin can initiate the login from the Okta side by clicking the Pluto Bio app icon in their Okta dashboard (IdP-initiated SSO). Test both ways if possible, to ensure the integration is working. During this verification phase, Pluto support is checking that the SAML response from Okta is being accepted and that the user can successfully access their Pluto Lab Space via SSO.

      • Ensure all users are ready: While testing, make sure that all users who need access to Pluto are set up in Okta and assigned to the Pluto SAML application. Any user not in Okta or not assigned to the app will not be able to log in once SAML is enforced. It’s a good idea to double-check the Okta Assignments for the Pluto app and add any missing users or groups. Additionally, Pluto will inform you of any existing Pluto users (by email domain) who had signed up with a password previously; those users will be switched to SSO after enforcement​. If someone had an individual Pluto account using their company email, they will need to use Okta SSO going forward, and Pluto can help merge or transition those accounts as needed.

      • Enforce SAML for all users: After the admin confirms that SSO login works correctly for their account (and any initial issues are resolved), Pluto support will enable SAML SSO for all users in your organization​. This is the final step where SSO becomes mandatory for your Pluto organization. Once enforced, all login attempts for your organization’s Pluto workspace will redirect to Okta. Users navigating to Pluto’s login page will be prompted to use SSO, and upon entering their email (or choosing the organization), they’ll be sent to Okta to authenticate, then returned to Pluto upon success​. From this point on, standard email/password logins are disabled for your organization – everyone must use the Okta SSO. Ensure your team is informed of this change. Users should bookmark your Pluto login link or know to start from the Okta portal for access.

      • Testing and confirmation: It’s recommended to do a few more tests once SAML is enforced for all. Have a couple of regular users (not just admin) try to log in via Okta SSO to confirm everything is smooth. If any user has trouble, verify their Okta account is properly assigned and that they’re using the correct login URL.

      Once SAML is enforced and working for all, your Pluto SSO integration with Okta is complete. Your users can now enjoy a seamless login experience using Okta, and you benefit from centralized control over access.

      SP-initiated SSO

      1. Go to https://app.pluto.bio/login/<your-org-slug>
      2. Click SSO button

      Notes

      The following SAML attributes are supported:

      • email: okta(user.email)
      • first name: okta(user.firstName)
      • last name: okta(user.lastName)

      Troubleshooting

      Setting up SAML SSO can be complex, but here are some common tips and issues to watch out for:

      • User Not Assigned in Okta: If a user tries to log in and gets an Okta error like “App not assigned” or is not redirected at all, it often means they are not assigned to the Pluto application in Okta. Ensure every Pluto user is either individually assigned to the app or part of an Okta group that is assigned. During testing, this is a common issue for the admin account​ – so always verify assignments.

      • Okta Groups (Optional): Pluto doesn’t explicitly require group information via SAML. However, you might use Okta groups to manage who is assigned to the Pluto app. All that matters for Pluto SSO is that the users are assigned and the required attributes are sent. If you do need to send group or role info in SAML (for advanced team provisioning), you’d coordinate that with Pluto separately (not covered in this basic setup).

      • Testing IdP-Initiated vs SP-Initiated SSO: Okta supports both flows. IdP-initiated means a user can launch Pluto from the Okta dashboard (after logging into Okta, clicking the Pluto app icon will log them in to Pluto). SP-initiated means a user can go to Pluto (e.g., Pluto login page) and be redirected to Okta. Both should work with this configuration. If one method isn’t working, focus on the error message. For example, if IdP-initiated login from Okta fails, ensure the Audience URI (Entity ID) is correct and that Pluto has that exact Entity ID on file. If SP-initiated login fails to redirect properly, ensure you’re using the correct Pluto login URL format for SSO (which includes your organization slug).

      • Still having issues? If you’ve double-checked the configuration and users still cannot log in, collect some information to help diagnose the problem. In Okta, check the System Log for any SAML-related errors when a login is attempted. Common errors will often tell you what’s wrong (e.g., “Unknown User”, “Invalid Response Signature”, etc.). Similarly, Pluto may provide an error message on the login screen if something is misconfigured. Most issues come down to metadata mismatches (certificate or Entity ID), incorrect credentials, or user assignment problems. Don’t hesitate to reach out to Pluto Support for help – you can email support@pluto.bio or visit the Pluto Bio Help Center​. Provide them with the details of the error and they can assist in troubleshooting the SAML setup.