Okta Integration


In order to configure Okta integration with Metro Retro you will need:
  • Admin access to your Metro Retro account.
  • Admin access to your Okta account.
  • One or more authorized domains added to your Metro Retro account (see end of article).
  • A note of your organization's Metro Retro Account ID.

How to find your Metro Retro Account ID

Before you begin, you will need your organization's 12-character Metro Retro Account ID. You can find this under the management menu within Metro Retro: https://metroretro.io/manage
Metro Retro Account ID

Integration Setup

From within the Okta dashboard, choose Applications and Create App Integration. Select SAML 2.0 and press Next. Set the name as Metro Retro and optionally add an icon. We have prepared an Okta-compatible logo image here: https://s.metroretro.io/site/logo/okta.png
General Settings
Click Next.
Under SAML Settings, set the Single Sign-On URL to https://metroretro.io/login/saml and set Audience URI (SP Entity ID) to your Metro Retro Account ID (see start of document).
SAML Settings
Under Attribute Statements, add the following mappings:
  • firstName (basic) -> user.firstName
  • lastName (basic) -> user.lastName
  • email (basic) -> user.email
Attribute Statements
Click Next.
Choose "I'm an Okta customer adding an internal app". You may optionally fill in any other fields on this form that are appropriate for your organization; they are not required for the integration to work.
Click Finish.
You should see the screen below. If not, click View Setup Instructions. The three values on the setup screen need to be added to Metro Retro under Management / Single Sign-On.
Data for Metro Retro from Okta
Data added to Metro Retro
Once added, click Save Configuration. We recommend leaving the "Restrict login" setting off until you are sure all your team members are able to log in via SSO; otherwise it may block their access.
If you have not already had your authorized domains configured by a Metro Retro team member, please contact us on Intercom or at [email protected] to set these up. The domains must include all domains that your team will log in from.