Okta Single Sign-On (SSO) Setup Guide

The Okta SSO integration allows you to use Okta as your Single Sign-On (SSO) and Multi-Factor Authentication (MFA) provider for Kadence. This guide covers both the standard Okta App Catalog setup and the Custom Okta Application (OIDC) setup.

Written by Liza

Once configured, users can sign in to Kadence using their Okta credentials—without needing a separate password.


Kadence Login Domain

Your Kadence environment uses a regional login domain. Throughout this guide, replace {KADENCE_LOGIN_DOMAIN} with the domain for your region:


Prerequisites

Before setting up Okta SSO, make sure that:

  • You have an active Okta licence

  • You are a Global Admin in Kadence

  • You have access to an Okta Admin account, or support from your Okta administrator

  • At least one test user exists in Okta

To log in via Okta SSO, users must have a Kadence account with the same email address as their Okta user account.

For testing we recommend using a private/incognito browser window to avoid existing Okta sessions interfering.


Supported Features

The Kadence–Okta integration supports:

  • IdP-initiated SSO (users start in Okta)

  • SP-initiated SSO (users start on the Kadence login page)


Setup Options

There are two ways to integrate Okta with Kadence:

  • Option A — Okta App Catalog (EU only): Use the pre-built Kadence integration available in the Okta App Catalog. Not supported for US tenants.

  • Option B — Custom Okta Application (OIDC) (Recommended): Manually create an OIDC app in Okta. Works for both EU and US tenants. Estimated setup time: 5–10 minutes.


Option A — Okta App Catalog Setup (EU Only)

The Okta App Catalog integration is only supported for EU tenants. If you are on a US tenant, use Option B — Custom Okta Application (OIDC) instead.

Step 1: Add Kadence to Okta

  1. Log in to your Okta Admin Console

  2. Navigate to Applications → Applications

  3. Click Browse App Catalog

  4. Search for Kadence and select it

  5. Click Add integration

Configure the application

  • Enter a Kadence SSO Alias

    • Use lowercase letters and numbers only

    • Example: Company name "Bellyard Coffee" → bellyard or bellyardcoffee

  • Optionally edit the application label

  • Click Done

Keep a note of your SSO alias — you'll need it later.


Step 2: Find Your Okta Client ID, Secret & Base URL

You'll now collect the details required to complete setup in Kadence.

  1. While logged in to Okta, copy your Okta base URL

  2. Go to Applications → Applications

  3. Select your Kadence application

  4. Open the Sign On tab

  5. Under Sign-on Methods → OpenID Connect, copy:

    • Client ID

    • Client Secret

Store these values temporarily in a plain-text editor (e.g. Notepad).


Step 3: Enforce Single Sign-On (Optional)

To fully enforce SSO and prevent users from bypassing Okta by setting or resetting passwords, we strongly recommend blocking specific automated Kadence emails before or during rollout.

If you do not wish to enforce SSO and want your users to be able to log in without SSO, skip to Step 4.


Block "Welcome to Kadence" Emails

When users are provisioned, Kadence may send a welcome email prompting them to set a password. Blocking this ensures users only access Kadence via SSO.

Block or filter emails from: [email protected]

Filter by subject line: Welcome to Kadence

Do not block all emails from this address. Other critical notifications (such as check-in reminders and booking confirmations) are also sent from this domain.


Block Password Reset Emails (SSO Recommended)

If your organisation uses Single Sign-On, blocking password reset emails prevents users from bypassing SSO authentication.

Block or filter emails from: [email protected]

Filter by subject line: Reset your password

Do not block all emails from this address. Blocking only this subject ensures SSO remains enforced while preserving essential notifications.

When should I apply these blocks?

We recommend applying these email filters:

  • Before enabling SSO, or

  • Before syncing users into Kadence, especially via Directory Sync

This ensures users only authenticate using Okta from day one.


Step 4: Enable Okta SSO in Kadence

Now connect Okta and Kadence.

  1. Log in to Kadence

  2. Navigate to Settings → Integrations

  3. Under Single Sign-On (SSO), select Okta

  4. Click Set up single sign-on

  5. Enter the following:

    • Client ID

    • Client Secret

    • Base URL (Okta sign-in URL)

    • Kadence SSO Alias

  6. Click Add

If successful, you'll see a confirmation message at the top of the screen.


Step 5: Logging in with Okta SSO

Once Okta is integrated, users can log in by:

  1. Navigating to Kadence

  2. Clicking the Okta icon under the login form

  3. Entering their email address

  4. Authenticating via Okta

  5. Being redirected back to Kadence


Option B — Custom Okta Application (OIDC) Setup (Recommended)

This is the recommended setup method and works for both EU and US tenants. It configures Okta as an Identity Provider (IdP) for Kadence using OpenID Connect (OIDC).


Step 1 — Create a Custom Okta Application

  1. Log in to the Okta Admin Console

  2. In the left navigation menu, go to Applications → Applications

  3. Click Create App Integration

  4. Select:

    • Sign-in method: OIDC – OpenID Connect

    • Application type: Web Application

  5. Click Next


Step 2 — Configure the Okta Application

App Name

Enter a name for the application, for example: Kadence SSO

Grant Types

Under Grant type, enable:

  • Authorization Code

  • Refresh Token

Leave other settings as default.

Sign-in Redirect URL

Scroll to Login settings. In Sign-in redirect URLs, add:

{KADENCE_LOGIN_DOMAIN}/sso/authenticate

Examples:

Kadence uses a shared OAuth callback endpoint, /sso/authenticate, which is not the Kadence login page. If this URL is missing from the Okta app, Okta will return an error such as: redirect_uri must be a Login redirect URI

Sign-out Redirect URL (Optional)

Under Sign-out redirect URLs, add: {KADENCE_LOGIN_DOMAIN}/logout


Step 3 — Choose How Users Access the Application

Scroll to the Assignments section to decide how users are allowed to access the application. There are two supported configurations.


Option 1 — Federation Broker Mode Enabled (Recommended)

This is the simplest and most common setup. Under Controlled access, select Allow everyone in your organization to access, and ensure the checkbox Enable immediate access with Federation Broker Mode is enabled.

With Federation Broker Mode enabled:

  • Okta acts only as the authentication provider

  • Users authenticate through Kadence

  • The Okta application does not require manual user assignment

After saving, open Applications → Kadence SSO → Assignments. You will see: "This app is implicitly assigned to users" — this is expected. Users can sign in as long as they exist in Okta and satisfy the Okta sign-on policy.

This option is recommended because it simplifies setup and scales better for large organisations.


Option 2 — Manual User Assignment

If you prefer to control exactly which users can access Kadence, you can disable Federation Broker Mode. To do this after creating the application:

  1. Navigate to Applications → Applications and click your Kadence SSO application

  2. Open General and click Edit

  3. Locate Enable immediate access with Federation Broker Mode and disable the checkbox

  4. Click Save

Okta warns that disabling Federation Broker Mode may impact performance at scale, as Okta must evaluate application assignments during login. Most organisations will not notice a difference.


Step 4 — Copy Okta Credentials

Inside the Okta application, open General and scroll to Client Credentials. Copy:

  • Client ID

  • Client Secret

You will also need your Okta Base URL (e.g. https://your-company.okta.com).

Use the base domain only. Do not include /oauth2/default.

⚠️ Remove -admin from your Okta URL. If your Okta admin console URL contains -admin (e.g. https://your-company-admin.okta.com), you must remove it. The correct Base URL to enter in Kadence is https://your-company.okta.com. Using the admin URL will cause authentication to fail.


Step 5 — Add the Okta Integration in Kadence

Log in to Kadence and navigate to Settings → Integrations → Single Sign-On. Select Okta and enter:

| Field | Value |
|---|---|
| Client ID | From Okta |
| Client Secret | From Okta |
| Base URL | Your Okta domain (e.g. https://your-company.okta.com) — do not include -admin |
| Kadence SSO Alias | e.g. okta |

Click Add.
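
The following is an added example, not Kadence or Okta code: a small Python pre-flight for the values entered in this step. It catches the Base URL mistakes this guide warns about (an -admin host, a /oauth2/default path) and an alias that breaks the lowercase-letters-and-numbers rule given earlier, and it builds the URLs to register in Okta. The function names and the login.kadence.example domain are hypothetical, and {KADENCE_LOGIN_DOMAIN} is assumed to include https://.

```python
import re
from urllib.parse import urlsplit

ALIAS_RE = re.compile(r"[a-z0-9]+")  # guide: lowercase letters and numbers only

def check_okta_base_url(base_url):
    """Return a list of problems with the Okta Base URL (empty list means OK)."""
    problems = []
    parts = urlsplit(base_url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        problems.append("Base URL must start with https://")
    if not host:
        problems.append("Base URL has no host name")
    # The admin console host carries "-admin" at the end of its first label.
    if host.split(".")[0].endswith("-admin"):
        problems.append("remove -admin from the host name")
    # Base domain only: no /oauth2/default or any other path, query or fragment.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("use the base domain only (no path such as /oauth2/default)")
    return problems

def check_alias(alias):
    """Return a list of problems with the Kadence SSO alias."""
    if ALIAS_RE.fullmatch(alias):
        return []
    return ["alias must contain lowercase letters and numbers only"]

def okta_app_urls(kadence_login_domain):
    """Build the URLs this guide references from {KADENCE_LOGIN_DOMAIN}."""
    root = kadence_login_domain.rstrip("/")
    return {
        "sign_in_redirect": root + "/sso/authenticate",
        "sign_out_redirect": root + "/logout",
        "user_login_start": root + "/en/login/sso",
    }

def preflight(base_url, alias, kadence_login_domain):
    """Collect every problem plus the URLs to register in the Okta app."""
    problems = check_okta_base_url(base_url) + check_alias(alias)
    return {"problems": problems, "urls": okta_app_urls(kadence_login_domain)}

if __name__ == "__main__":
    # Constructed sample input; login.kadence.example is a placeholder domain.
    report = preflight("https://your-company-admin.okta.com/oauth2/default", "Okta SSO", "https://login.kadence.example")
    for problem in report["problems"]:
        print("FIX:", problem)
    for name, url in report["urls"].items():
        print(name, "=", url)
```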


Step 6 — Kadence Login URL

Users start the login process from:

{KADENCE_LOGIN_DOMAIN}/en/login/sso

Kadence will then redirect users to Okta for authentication.


Step 7 — Test the Login

Open a private/incognito browser window and visit {KADENCE_LOGIN_DOMAIN}/en/login/sso.

Expected login flow:

  1. User opens Kadence SSO login page

  2. Kadence redirects user to Okta

  3. User enters Okta credentials

  4. Okta redirects back to Kadence

  5. User is logged in


Step 8 — Add Users in Okta

Users must exist in Okta before they can authenticate. Navigate to Directory → People and click Add Person to create users.


Step 9 — Assign Users to the App (Only if Federation Broker Mode is Disabled)

If Federation Broker Mode is disabled, navigate to Applications → Applications → Kadence SSO → Assignments, then click Assign → Assign to People, select users, and click Save.

If you see "This app is implicitly assigned to users", manual assignment is not required — access is controlled through Okta sign-on policies.


Troubleshooting

| Error Message | Cause | Solution |
|---|---|---|
| redirect_uri must be a Login redirect URI | The OAuth redirect URL is missing or incorrect in the Okta app configuration. | Ensure the following redirect URI is added to the Okta application: {KADENCE_LOGIN_DOMAIN}/sso/authenticate |
| 404 Route not found | The incorrect Kadence login URL was used. | Start login from: {KADENCE_LOGIN_DOMAIN}/en/login/sso |
| User is not assigned to this application | The user has not been assigned to the Okta application (when manual assignment is enabled). | Assign the user via: Applications → Kadence SSO → Assignments → Assign to People |
| Cannot assign users / "This app is implicitly assigned to users" | Federation Broker Mode is enabled, which disables manual user assignment. | Either leave this enabled (recommended) or disable Enable immediate access with Federation Broker Mode in the Okta app settings if you want manual user assignment. |
| User login loops back to login page | The Okta base URL was entered incorrectly in Kadence. | Ensure the base URL is your Okta domain only (e.g. https://your-company.okta.com). |
| Authentication fails / cannot connect to Okta | The Okta admin console URL was entered instead of the standard Okta domain. URLs containing -admin (e.g. https://your-company-admin.okta.com) are not valid. | Remove -admin from the Base URL. Use https://your-company.okta.com, not https://your-company-admin.okta.com. |
| Invalid client or authentication error | The Client ID or Client Secret entered in Kadence does not match the Okta app configuration. | Copy the Client ID and Client Secret directly from the Okta application's General tab and re-enter them in Kadence. |

Additional tips:

  • User email addresses in Okta and Kadence must match exactly

  • You cannot enable Okta SSO if another SSO provider (e.g. OneLogin) is already configured

  • The Kadence SSO alias must be globally unique — if your first choice is taken, update it in Okta and re-enter it in Kadence

  • Always test SSO using a private/incognito browser window to prevent existing sessions from interfering


FAQs

Can users still log in without Okta?

Once SSO is enforced, users must authenticate via Okta unless alternative login methods are allowed by your admin.

Can I manage or remove the Okta integration later?

Yes, Global Admins can update or remove the SSO integration from Settings → Integrations at any time.

Does Kadence support both IdP and SP initiated login?

Yes, users can start from either Okta or the Kadence login page.

Which setup method should I use — App Catalog or Custom OIDC?

We recommend Option B — Custom Okta Application (OIDC) for all customers. It works for both EU and US tenants and gives you full control over the configuration. The Okta App Catalog integration (Option A) is only available for EU tenants and is not supported for US tenants.


Need Help?

For support, reach out to:
📩 [email protected]

For more helpful articles see:
📚 Kadence Help Center
