Skip to main content

Setting Up Okta SAML SSO for AfterShip

Setting Up Okta SAML SSO for AfterShip: follow setup steps, configure key options, verify behavior, and troubleshoot workflow issues, and avoid setup errors.

Plans:

Enterprise

Platforms:

All platforms

Overview

This guide will walk you through how to set up SAML-based Single Sign-On (SSO) between Okta and AfterShip. Because some configuration values are unique to your organization, you’ll need to gather specific details from the Okta Admin Dashboard and coordinate with AfterShip Support. Once enabled, merchants can log in securely through Okta, with optional features like Just-In-Time user provisioning and Domain-enforced SSO.

Prerequisites

Before you start, ensure you have the right values for your organization. Some of the required values are unique to your Okta setup, so you’ll need to create the AfterShip Integration in the Okta Admin Dashboard to view the values specific to your organization.

⚠️

AfterShip single sign-on (SSO) is available only for Enterprise plan customers.

Supported features

The Okta and AfterShip SAML integration currently supports:

  • SP-initiated SSO (starting from AfterShip)

  • IdP-initiated SSO (starting from Okta)

  • Just-In-Time (JIT) user provisioning

You can learn more about these features in the __Okta Glossary__.

Configuration steps

  1. Reach out to AfterShip Support

  1. Receive your value

  • AfterShip Support will give you an assigned . This value appears in your SAML endpoint URL and is required during setup.

  1. Add the AfterShip SAML app in Okta

  • When creating the integration in Okta, enter the provided to you.

⚠️

Refer to the detailed steps in the ‘Adding the AfterShip Integration in Okta’ section below.

  1. Share your Identity Provider Metadata URL

  • Send the metadata URL to AfterShip Support so they can complete the configuration.

  • You’ll find it in Okta under the Sign On tab > Sign on methods > SAML 2.0 > Metadata details > Metadata URL.

  1. Wait for confirmation

  • AfterShip Support will notify you when everything is configured and ready for testing.

Adding the AfterShip Integration in Okta

  1. Sign in to the __Okta Admin Console__.

  2. Navigate to Applications > Browser App Integration Catalog from the Admin Console.

  3. Search for AfterShip.

  1. Click + Add Integration.

  1. In General Settings, enter the Customer Name.

  1. Click Done

Notes

Supported SAML attribute

Name | Value | firstName | user.firstName | lastName | user.lastName | email | user.email |

Enforcing SSO by Domain

If you want all users with the same email domain to authenticate only through SAML SSO (disabling password login), contact AfterShip Support to enable this setting.

ℹ️

Domain-enforced SSO makes sure everyone in your company signs in using your organization’s identity provider. This keeps access under one secure system and helps maintain strong, compliant security across all users.

Just-In-Time Provisioning

If you’d like new SSO users to be created automatically in your AfterShip organization during their first login, ask Support to enable JIT provisioning.

  • New users will be added with a default role that you choose during setup.

  • More advanced role mapping based on IdP profiles is not yet supported.

SP-Initiated SSO

To start an SP-initiated SSO flow, simply visit the provided AfterShip SSO URL. You’ll be redirected to Okta to sign in.

https://admin.aftership.com/?idp_hint=<CustomerName>

Need help?

Please reach out to the AfterShip Support team via live chat in case you have any questions or require further clarification.

Related Articles
How to Set up SSO (Single Sign-On)
How to Set Up SSO (Single Sign-On)
How to Set up SSO (Single Sign-On)
Create an AfterShip Account
How to Set up SSO (Single Sign-On)
Did this answer your question?