Mark AI supports Single Sign-On (SSO) via the SAML 2.0 protocol. SSO allows your team members to sign in to Mark AI using your corporate identity provider credentials, without creating a separate password.
Mark AI offers a pre-built integration with Okta. For any other SAML 2.0 identity provider (Microsoft Entra ID / Azure AD, Google Workspace, OneLogin, etc.), a generic option is available.
Single Sign-On is available as an option on the Enterprise plan only.
Step 1: Choose your identity provider
On the Settings > Single Sign On page:
Click the Okta tile if it is your identity provider (IdP), otherwise click "Other".
The steps differ with Okta because Mark AI is part of the Okta Integration Network (OIN). SSO can be set up with any other identity provider (Microsoft Entra ID, Google Workspace, OneLogin, etc.).
In the Email domain name field, enter your company's primary domain (for example company.com).
If your company uses multiple email domains, enter the additional domains in the Additional domains field, separated by commas. For example, if your team members use both company.com and company.co, enter company.co in this field. All listed domains are linked to the same SSO connection and subject to the same enforcement rules.
You can now proceed to step 2.
Step 2: Configure your identity provider
This step varies depending on your provider and your configuration method. Follow the sub-section that matches your situation:
Section 2A: you use Okta and want to install the pre-built integration from the OIN catalog (recommended).
Section 2B: you use Okta but prefer to create a custom SAML application.
Section 2C: you use another SAML 2.0 identity provider (Microsoft Entra ID, Google Workspace, OneLogin, etc.).
2A: Okta with the Mark AI OIN catalog integration (recommended)
This is the simplest path. The Mark AI application is published in the Okta Integration Network (OIN) catalog: most SAML settings are already pre-filled. You do not need to manually copy technical values (URLs, identifiers).
On the Mark AI platform:
At step 2, Mark AI displays a tutorial card titled "Set up Mark AI in Okta". This card contains a direct link to the Okta catalog: https://www.okta.com/integrations/mark-ai/.
Click "Open Mark AI in the Okta catalog" to open the integration page in a new tab.
In Okta:
On the Mark AI integration page in the OIN catalog, click Add Integration. The application is added to your Okta organization.
Once the application is named, click the Assignments tab of the Mark AI application.
Assign all users or groups who should be able to access Mark AI. This step is essential: any unassigned user will receive an error when attempting to sign in via SSO.
Open the Sign On tab of the application. Copy the Identity Provider metadata URL: you will need it in step 3.
➡️ Proceed to step 3 to finalize the configuration with the Mark AI application.
2B: Okta without the OIN integration (custom SAML application)
If you cannot use the OIN catalog application, or if you prefer to create a custom SAML application in Okta, follow this sub-section. In this case, you will need to manually copy the configuration values from Mark AI into Okta.
In Okta:
Go to Applications → Create App Integration.
Select SAML 2.0 as the sign-on method, then proceed to the general settings screen. Give the application a name (for example "Mark AI").
Once the application is named, proceed to step 2 "Configure SAML".
Enter the following fields with the exact values below:
1 | Single sign-on URL | |
2 | Audience URI | |
3 | Name ID format | EmailAddress |
4 | Application username |
4. Proceed to the next step, the Feedback step.
Check the box next to the first field "App type". You can then click "Finish".
The app integration is now created!
5. For your users to be able to sign in to Mark AI, you need to assign them (either one by one or by assigning an entire group). To do this, click the Assignments tab in the application that was just created.
6. Open the Sign On tab of the application. Copy the Identity Provider metadata URL: you will need it in step 3.
➡️ Proceed to step 3 to finalize the configuration with the Mark AI application.
2C: Any other SAML 2.0 identity provider
If you use Microsoft Entra ID (formerly Azure AD), Google Workspace, OneLogin or any other SAML 2.0-compatible identity provider, you can follow this sub-section.
In Mark AI:
At step 2 of the SSO connection, Mark AI displays the key Service Provider (SP) information to copy into your IdP's SAML configuration.
In your identity provider:
Create a new SAML application in your IdP's admin console.
Copy the values shown above into the corresponding fields of the SAML configuration. Field names vary between providers, but the common labels are indicated in parentheses above to help you match them.
Configure the attribute mapping. Map the following four attributes: id to the user identifier, email to the email address, firstName to the first name, and lastName to the last name. The exact source field names depend on your IdP.
Assign the users or groups who should access Mark AI.
Locate and copy the identity provider metadata URL (IdP metadata URL). Depending on your provider, it may be called "Federation Metadata URL", "SAML Metadata URL" or a similar label.
Back in Mark AI:
➡️ Proceed to step 3 to finalize the configuration with the Mark AI application.
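A check you can run on the attribute mapping before moving on, as an added example that is not part of Mark AI's documentation or code: it inspects an AttributeStatement copied from a test sign-in (for instance with a browser SAML tracer) for the four attributes listed above and for an email domain covered by step 1. The sample XML, the function names and the exact-match treatment of attribute names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml for XML you did not produce

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("id", "email", "firstName", "lastName")  # names from the mapping step

# Constructed AttributeStatement for a fictional user (not real data).
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="id"><saml:AttributeValue>00u1example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>Ana@Company.co</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstname"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue/></saml:Attribute>
</saml:AttributeStatement>"""


def parse_domains(primary, additional=""):
    """Primary domain plus the comma-separated 'Additional domains' field."""
    parts = [primary] + additional.split(",")
    return {p.strip().lower() for p in parts if p.strip()}


def check_attribute_statement(xml_text, domains):
    """Return a list of problems; an empty list means the mapping looks complete."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iter("{%s}Attribute" % SAML["saml"]):
        values = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", SAML)]
        attrs[a.get("Name")] = [v for v in values if v]
    problems = []
    lowered = {name.lower(): name for name in attrs}
    for name in REQUIRED:
        if name not in attrs:
            near = lowered.get(name.lower())  # same name with different casing?
            hint = f" (found '{near}', case differs)" if near else ""
            problems.append(f"missing attribute '{name}'{hint}")
        elif not attrs[name]:
            problems.append(f"attribute '{name}' is present but empty")
    email = (attrs.get("email") or [""])[0]
    domain = email.rpartition("@")[2].lower()
    if email and domain not in domains:
        problems.append(f"email domain '{domain}' is not linked to the SSO connection")
    return problems
```

Calling `check_attribute_statement(SAMPLE_STATEMENT, parse_domains("company.com", "company.co"))` reports the mis-cased `firstname` and the empty `lastName`; dropping `company.co` from the domains adds the domain finding that matches the "SSO is not triggering" case in Troubleshooting.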
Step 3: Connect your identity provider
This step is the same regardless of the path you followed (2A, 2B, or 2C).
Go back to your Mark AI account, at step 3 where we left off.
Paste the URL you retrieved earlier (step 2A, 2B, or 2C) into the single field.
The metadata URL is a link to an XML file that contains the full technical configuration of your identity provider (certificates, endpoints). It allows Mark AI to connect automatically.
For Okta, this URL can be found in the application's Sign On tab and looks like https://your-organization.okta.com/app/xxxxxxxx/sso/saml/metadata. For other providers, use the equivalent URL identified in section 2C.
Click Done. Mark AI validates the connection and saves the configuration.
The technical setup is now complete. All that remains is to activate the connection.
Activate the connection
Turn on the "Active connection" toggle. This makes SSO available for all users whose email address matches the configured domains.
At this stage, your team members can sign in via SSO, but password or Google sign-in also remains available. Activation alone does not block any existing sign-in method.
(Optional) Force users to sign in via SSO
If you want all users on your company account to sign in exclusively via SSO, you can enforce SSO sign-in.
Turn on the "Force users to sign in via Single Sign On" toggle. A confirmation dialog opens.
In this dialog, set a grace period in days. This grace period gives your existing team members time to adjust. The default value is 14 days.
Click Apply to confirm.
What happens once sign-in is forced?
New users: must sign in via Single Sign-On immediately. If SSO sign-in fails, sign-up cannot be completed through another method.
Existing users: keep their current sign-in method until the end of the configured grace period. Several reminder emails are sent automatically during this period to notify them. At the end of the grace period, users who have not signed in again via SSO will be signed out and will need to sign back in exclusively via SSO.
Troubleshooting
"Cannot find Service Provider's certificate" error (400 error in Okta)
This error typically occurs when using a custom SAML application in Okta (section 2B). The most common cause is enabling the option that requires signed authentication requests. To resolve the issue, open your Okta application's SAML settings and verify that you have not checked the "Require signed authentication requests" option. Keep the default signature settings. Also verify that the ACS URL and Entity ID values exactly match those specified in section 2B. This error should not occur if you use the OIN integration (section 2A).
"You're not assigned to this app" error or sign-in blocked in Okta
The user attempting to sign in is not assigned to the Mark AI application in Okta. Go to the Assignments tab of the application in the Okta console and add the user or group concerned.
SSO is not triggering for some users
The email domain of those users is probably not linked to the SSO connection. Check the domain of their email address and, if needed, add it as an additional domain during setup (step 1).
Unable to turn on the "Force users to sign in via SSO" toggle
The connection must first be in "Active" status. Turn on the "Active connection" toggle before you can force SSO.














