← Back to Cade

Sign in to Cade with Okta SSO

Last updated: May 1, 2026

Cade integrates with Okta via the Okta Integration Network (OIN) using OpenID Connect (OIDC). This guide walks an Okta administrator through installing the Cade application from the Okta App Catalog and configuring single sign-on for their organization.

By the end of this guide, your users will be able to sign in to Cade from their Okta dashboard or by visiting your tenant's sign-in URL directly.

Before you begin

You need:

• Administrator access to your Okta organization (Super Admin, App Admin, or equivalent)
• A Cade tenant slug — the URL-safe identifier for your organization in Cade (for example, acme). You can find this under Settings → Organization in Cade. If your organization is new to Cade, a tenant will be created automatically the first time someone signs in.
• The list of users (or Okta groups) that should have access to Cade

Step 1 — Install Cade from the Okta App Catalog

1. Sign in to your Okta Admin Console
2. Go to Applications → Browse App Catalog
3. Search for Cade
4. Click Add Integration
5. In the configuration wizard:
   • Application label — leave as "Cade" or rename to whatever your users will recognize
   • GetCade Tenant Slug — enter your tenant slug (the value from "Before you begin", for example acme)
6. Click Done

Okta automatically configures the OIDC sign-in URLs using your tenant slug:

Field	Value (filled in automatically)
Sign-in redirect URI	https://app.getcade.ai/t/{your-slug}/auth/okta/callback
Initiate login URI	https://app.getcade.ai/t/{your-slug}/auth/okta/login

Step 2 — Assign users and groups

1. In your Okta Admin Console, open Applications → Cade
2. Click the Assignments tab
3. Click Assign → Assign to People (or Assign to Groups for bulk assignment)
4. Select the users or groups that should have access to Cade
5. Click Save and Go Back, then Done

Assigned users will see the Cade tile on their Okta dashboard and can also navigate directly to https://app.getcade.ai/t/{your-slug}/auth/okta/login.

Step 3 — Test sign-in

To verify the integration:

1. Open a private/incognito browser window
2. Sign in to Okta as one of the users you assigned in Step 2
3. From the Okta dashboard, click the Cade tile

You should be redirected through Okta and land in your Cade tenant, signed in as that user. The first sign-in for any user automatically creates their Cade account (Just-In-Time provisioning). The first user to sign in for a brand-new tenant becomes the tenant administrator; subsequent users default to the Analyst role.

You can also test the SP-initiated flow by visiting https://app.getcade.ai/t/{your-slug}/auth/okta/login directly — Okta will prompt you to sign in if you don't already have an active session.

Optional configuration

Restrict sign-in by email domain

If you want to restrict SSO to specific email domains (for example, only allow @acme.com addresses), contact Cade Support — domain restrictions are managed on the Cade side per tenant.

Disable Just-In-Time provisioning

By default, any Okta user assigned to Cade can sign in and have a Cade account created automatically on first sign-in. To disable this and require Cade accounts to be pre-created, contact Cade Support.

Default role for new users

New users provisioned via SSO are assigned the Analyst role by default. To change the default role for your tenant (for example, to Member or Admin), contact Cade Support.

Troubleshooting

"We couldn't sign you in" or you land back on the Cade login page

• Confirm you're assigned to the Cade application in Okta (Step 2)
• Confirm your tenant slug in the Okta application configuration matches your actual Cade tenant slug
• Try signing out of Okta completely and signing in again

"Email domain not allowed"

• Your email address isn't in the allowed-domains list for your Cade tenant. Contact your Cade administrator or Cade Support.

"User not provisioned"

• Just-In-Time provisioning is disabled for your tenant and your account hasn't been created in Cade yet. Ask your Cade administrator to add you, or contact Cade Support.

The Cade tile in your Okta dashboard goes to "Access Forbidden"

• You're not assigned to the Cade application in Okta. Ask your Okta administrator to add you to the app's assignments.

Security and privacy

• Tokens — Cade validates Okta-issued ID tokens against the Okta JWKS endpoint and verifies the token's iss claim matches the issuer bound to your tenant. Tokens from any other Okta org cannot be used to sign in to your tenant.
• PKCE — Cade uses Proof Key for Code Exchange (PKCE) on all OIDC flows as defense-in-depth.
• State and nonce — Cade generates cryptographically random state and nonce values on every sign-in to prevent CSRF and replay attacks.
• No password storage — when SSO is enabled, Cade never sees or stores user passwords. Authentication is delegated entirely to Okta.
• Rate limiting — sign-in endpoints are rate-limited per IP to mitigate abuse.

Support

• Email: support@getcade.ai
• Phone: +1 (206) 240-7106
• Web: getcade.ai

When contacting support about an SSO issue, include:

• Your Cade tenant slug
• Your Okta organization URL (e.g. https://acme.okta.com)
• The email address experiencing the issue
• A timestamp and screenshot of any error message