Sign in to Cade with Okta SSO
Last updated: May 4, 2026
Cade integrates with Okta via the Okta Integration Network (OIN) using OpenID Connect (OIDC).
This guide walks an Okta administrator through installing the Cade application from the
Okta App Catalog, configuring single sign-on for their organization, and enabling the
connection on the Cade side.
By the end of this guide, your users will be able to sign in to Cade from their Okta
dashboard or by visiting your tenant's sign-in URL directly.
Prerequisites
Before you begin, make sure you have:
- Administrator access to your Okta organization (Super Admin, App Admin, or equivalent)
- A Cade tenant slug — the URL-safe identifier for your organization in Cade (for example, acme). You can find this under Settings → Organization in Cade. If your organization is new to Cade, a tenant will be created automatically the first time someone signs in.
- A Cade administrator account if you want to manage tenant-level SSO settings (allowed email domains, default role, JIT provisioning) after the integration is installed
- The list of users (or Okta groups) that should have access to Cade
Supported Features
The Cade Okta integration supports the following Okta features:
- SP-initiated SSO (OIDC) — users start at Cade and are redirected to Okta to authenticate
- IdP-initiated SSO (OIDC) — users click the Cade tile in their Okta dashboard
- Just-In-Time (JIT) provisioning — Cade accounts are created automatically on first sign-in
- Multi-tenant routing — a single OIN listing serves all Cade customer tenants; the tenant slug entered during installation routes users to the correct organization
For more information on the listed features, see the Okta Glossary.
Configuration Steps
Configuration takes place in two places: your Okta Admin Console (Steps 1–3) and the Cade
admin console (Step 4, optional for tenant-level overrides).
Step 1 — Install Cade from the Okta App Catalog
- Sign in to your Okta Admin Console
- Go to Applications → Browse App Catalog
- Search for Cade
- Click Add Integration
- In the configuration wizard:
  - Application label — leave as "Cade" or rename to whatever your users will recognize
  - GetCade Tenant Slug — enter your tenant slug (the value from "Prerequisites", for example acme)
- Click Done
Okta automatically configures the OIDC sign-in URLs using your tenant slug:
| Field | Value (filled in automatically) |
| --- | --- |
| Sign-in redirect URI | https://app.getcade.ai/t/{your-slug}/auth/okta/callback |
| Initiate login URI | https://app.getcade.ai/t/{your-slug}/auth/okta/login |
Step 2 — Assign users and groups
- In your Okta Admin Console, open Applications → Cade
- Click the Assignments tab
- Click Assign → Assign to People (or Assign to Groups for bulk assignment)
- Select the users or groups that should have access to Cade
- Click Save and Go Back, then Done
Assigned users will see the Cade tile on their Okta dashboard and can also navigate
directly to https://app.getcade.ai/t/{your-slug}/auth/okta/login.
Step 3 — Test sign-in
To verify the integration:
- Open a private/incognito browser window
- Sign in to Okta as one of the users you assigned in Step 2
- From the Okta dashboard, click the Cade tile
You should be redirected through Okta and land in your Cade tenant, signed in as that user.
The first sign-in for any user automatically creates their Cade account (Just-In-Time
provisioning). The first user to sign in for a brand-new tenant becomes the tenant
administrator; subsequent users default to the Analyst role.
Step 4 — Configure Cade-side settings (optional)
The Cade application is automatically provisioned when the first Okta-authenticated user
signs in — no manual configuration is required for a default setup. You can adjust
tenant-level SSO behavior from the Cade admin console:
- Sign in to Cade at https://app.getcade.ai as a tenant administrator
- Go to Settings → Identity Provider → Okta
- Adjust any of the following:
  - Allowed email domains — restrict SSO sign-in to specific domains (for example, only @acme.com)
  - Default role — the role assigned to JIT-provisioned users (default: Analyst; can be set to Member or Admin)
  - JIT provisioning — enable or disable automatic account creation on first sign-in
- Click Save
If you don't have access to the Cade admin console, contact Cade Support and we'll apply these settings on your behalf.
SP-initiated SSO
Cade fully supports SP-initiated sign-in. The flow works as follows:
- The user navigates to https://app.getcade.ai/t/{your-slug}/auth/okta/login
- Cade redirects the browser to your Okta authorization endpoint (/oauth2/v1/authorize) with PKCE, state, and nonce parameters
- The user authenticates with Okta (single sign-on if a session already exists; sign-in prompt otherwise)
- Okta redirects back to https://app.getcade.ai/t/{your-slug}/auth/okta/callback with an authorization code
- Cade exchanges the code for an ID token, validates the issuer, audience, signature, and nonce, and issues a Cade session
To test SP-initiated sign-in, open a private/incognito window and visit
https://app.getcade.ai/t/{your-slug}/auth/okta/login directly —
Okta will prompt you to sign in if you don't already have an active session.
Troubleshooting
"We couldn't sign you in" or you land back on the Cade login page
- Confirm you're assigned to the Cade application in Okta (Step 2)
- Confirm your tenant slug in the Okta application configuration matches your actual Cade tenant slug
- Try signing out of Okta completely and signing in again
"Email domain not allowed"
- Your email address isn't in the allowed-domains list for your Cade tenant. Contact your Cade administrator or Cade Support.
"User not provisioned"
- Just-In-Time provisioning is disabled for your tenant and your account hasn't been created in Cade yet. Ask your Cade administrator to add you, or contact Cade Support.
The Cade tile in your Okta dashboard goes to "Access Forbidden"
- You're not assigned to the Cade application in Okta. Ask your Okta administrator to add you to the app's assignments.
Security and privacy
- Tokens — Cade validates Okta-issued ID tokens against the Okta JWKS endpoint and verifies the token's iss claim matches the issuer bound to your tenant. Tokens from any other Okta org cannot be used to sign in to your tenant.
- PKCE — Cade uses Proof Key for Code Exchange (PKCE) on all OIDC flows as defense-in-depth.
- State and nonce — Cade generates cryptographically random state and nonce values on every sign-in to prevent CSRF and replay attacks.
- No password storage — when SSO is enabled, Cade never sees or stores user passwords. Authentication is delegated entirely to Okta.
- Rate limiting — sign-in endpoints are rate-limited per IP to mitigate abuse.
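The checks described under "SP-initiated SSO" and in the list above, shown as an added Python example (not Cade's code): it builds the authorize redirect with PKCE, state, and nonce, then checks the callback and the ID token claims against the issuer bound to the tenant. The TENANTS table, the client ID, and all function names are assumptions made for illustration, and the claim check assumes the token signature has already been verified against the Okta JWKS.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlencode

# Assumed per-tenant binding; constructed values, not Cade's real configuration.
TENANTS = {"acme": {"issuer": "https://acme.okta.com", "client_id": "0oa-constructed"}}
CALLBACK = "https://app.getcade.ai/t/{slug}/auth/okta/callback"

def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def begin_login(slug):
    """Return the authorize redirect URL and the values to keep in the server session."""
    tenant = TENANTS[slug]
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier, sent later in the code exchange
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()  # S256 challenge
    saved = {"slug": slug, "verifier": verifier,
             "state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    query = urlencode({
        "client_id": tenant["client_id"], "response_type": "code",
        "scope": "openid email", "redirect_uri": CALLBACK.format(slug=slug),
        "state": saved["state"], "nonce": saved["nonce"],
        "code_challenge": challenge, "code_challenge_method": "S256"})
    return f'{tenant["issuer"]}/oauth2/v1/authorize?{query}', saved

def check_callback(saved, slug, params):
    """Accept the callback only for the tenant and state this session started with."""
    return slug == saved["slug"] and _same(params.get("state", ""), saved["state"])

def check_id_token_claims(saved, claims, now=None):
    """Claim checks to run after the signature is verified against the Okta JWKS."""
    tenant = TENANTS[saved["slug"]]
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != tenant["issuer"]:
        return "issuer not bound to tenant"
    if tenant["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        return "wrong audience"
    if not _same(claims.get("nonce", ""), saved["nonce"]):
        return "nonce mismatch"
    if claims.get("exp", 0) <= now:
        return "expired"
    return "ok"
```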
Support
When contacting support about an SSO issue, include:
- Your Cade tenant slug
- Your Okta organization URL (e.g. https://acme.okta.com)
- The email address experiencing the issue
- A timestamp and screenshot of any error message