Chalk is capable of using standard SSO providers like Google and GitHub for SSO authentication. For companies that use Okta, additional configuration is required.


Supported Features

  • IDP-initiated Single Sign-On, initiated via Okta
  • SP-initiated Single Sign-On, initiated from Chalk
  • Push group and user provisioning via SCIM, initiated from Okta

For detailed information about Chalk’s authentication capabilities, refer to the main page for SSO and SAML.


Customers with Self-Hosted Web Dashboards

For customers whose self-hosted deployments include a full API server and frontend deployment via helm, this page is only part of the setup needed to configure SAML. After completing this guide, please refer to the Cloud Auth documentation to complete setup.

If your Chalk web dashboard is not https://chalk.ai, check your team’s dashboard for the correct values. These can be found under Settings > Single-Sign On:

  • Single Sign On URL: Should start with your custom URL and not chalk.ai, but retain the same URL path
  • Audience URI: This should start with your custom URL and not chalk.ai
  • Chalk’s SAML Certificate is regenerated for each custom web dashboard. If your team did not generate this themselves, contact Chalk for support

Setup Steps

All details and controls can be found on your team’s Single Sign-On Page, found under the settings section of your team’s dashboard.

Set Up an Okta SAML Application

  1. Navigate to your Okta admin dashboard
  2. Choose “Create App Integration”
    • Choose “SAML 2.0” for “Sign-in Method”
    • Choose “Web Application” for “Application type”
  3. General Settings
    • Name this application (“Chalk”, for example)
    • Upload the Chalk logo (download here).
  4. Configure SAML
    • Single sign on URL: https://chalk.ai/api/auth/login/saml
    • Make sure that “Use this for the Recipient URL and Destination URL” is checked
    • Audience URI: https://chalk.ai/api/saml/metadata.xml
    • Default RelayState: Leave blank
    • Name ID Format: Unspecified
    • Application username: Email
    • Update application username: Create and update
    • Show advanced settings
    • Change “Assertion Encryption” to Encrypted
    • Upload Chalk’s SAML certificate (download here)
    • Attribute Statements
      • given_name
        • Name format: unspecified
        • Value: user.firstName
      • last_name
        • Name format: unspecified
        • Value: user.lastName
  5. Feedback
    • Check “I’m an Okta customer adding an internal app”
  6. Click “View SAML Setup Instructions”. Record the following for the next step:
    • Identity Provider Single Sign-On URL
    • Identity Provider Issuer
    • X.509 certificate

Connect Chalk to your SAML Application

You can connect your Okta application with Chalk from the Settings > Single-Sign On page. At the top of the page, there is a button to add new applications. To integrate your SAML application with Chalk, submit the following details from the previous page:

  • Issuer
  • Login URL: This is the Okta Single Sign-On URL
  • Logout URL: This is also the Single Sign-On URL
  • Signing Certificate

SAML Chalk Setup Details
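
To confirm the Okta settings took effect, you can inspect the base64 SAMLResponse form field from a test login (visible in your browser's developer tools). The script below is an added example, not Chalk's or Okta's code: the function name and both sample responses are constructed, and it checks only what is readable without decrypting, namely that Destination matches the Single sign on URL and that the assertion arrives encrypted.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Value from the "Configure SAML" step; self-hosted dashboards use their own host.
SSO_URL = "https://chalk.ai/api/auth/login/saml"


def check_saml_response(b64_response: str, sso_url: str) -> list[str]:
    """Return findings for a captured SAMLResponse; an empty list means it matches."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    findings = []
    # "Use this for the Recipient URL and Destination URL" should make these equal.
    if root.get("Destination") != sso_url:
        findings.append(f"Destination is {root.get('Destination')!r}, expected {sso_url!r}")
    # "Assertion Encryption: Encrypted" replaces Assertion with EncryptedAssertion.
    if root.find("saml:EncryptedAssertion", NS) is None:
        findings.append("no EncryptedAssertion: assertion encryption is not enabled")
    if root.find("saml:Assertion", NS) is not None:
        findings.append("plaintext Assertion present in the response")
    return findings


def _encode(xml: str) -> str:
    return base64.b64encode(xml.encode()).decode()


_HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%%s">'
         % (NS["samlp"], NS["saml"]))
# Constructed sample: encrypted assertion, correct Destination (ciphertext omitted).
GOOD = _encode(_HEAD % SSO_URL + "<saml:EncryptedAssertion/></samlp:Response>")
# Constructed sample: encryption left off and a different Destination host
# (dashboard.example.com is a placeholder).
BAD = _encode(_HEAD % "https://dashboard.example.com/api/auth/login/saml"
              + "<saml:Assertion/></samlp:Response>")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        problems = check_saml_response(sample, SSO_URL)
        print(name, "OK" if not problems else problems)
```

Only parse responses from your own test logins with this script; it does not verify signatures or decrypt the assertion.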

Next Steps

After verifying that you can log in to Chalk from your Okta Application, you can: