SSO Setup Guide
NoClick supports SAML 2.0 Single Sign-On (SSO) for enterprise organizations. This guide covers setup with popular identity providers including Okta, Azure AD, and others.
Prerequisites
- A NoClick enterprise account
- Admin access to your identity provider (Okta, Azure AD, etc.)
- Your organization slug from NoClick
Supported Features
- SP-Initiated SSO - Users start login from NoClick and are redirected to your identity provider
- IdP-Initiated SSO - Users start login from your identity provider dashboard
- JIT (Just-In-Time) Provisioning - User accounts are automatically created in NoClick on first SSO login
Okta Setup
1. Add NoClick from App Catalog
- Sign in to your Okta instance as an administrator
- Navigate to Applications → Applications and click Browse App Catalog
- On the Browse App Integration Catalog page, search for and select NoClick
- Click Add Integration
2. Get Metadata URL
- Go to the Sign On tab of the NoClick application
- Copy the Metadata URL (looks like https://your-domain.okta.com/app/.../sso/saml/metadata)
3. Configure NoClick
- Log in to NoClick as an organization admin
- Go to Settings → Organization → SSO
- Paste the Okta Metadata URL
- Click Save
4. Assign Users
- In Okta, go to your NoClick app → Assignments
- Assign users or groups who should have access
Supported Attributes
The NoClick OIN application is pre-configured to send the following attributes via SAML assertion:
| Attribute Name | Value | Description |
|---|---|---|
| email | user.email | User’s email address (required) |
| first_name | user.firstName | User’s first name |
| last_name | user.lastName | User’s last name |
Azure AD Setup
1. Create Enterprise Application
- Go to Azure Portal → Azure Active Directory
- Select Enterprise applications → New application
- Click Create your own application
- Name it “NoClick” and select Integrate any other application (Non-gallery)
2. Configure SAML
- Go to Single sign-on → Select SAML
- Edit Basic SAML Configuration:
| Field | Value |
|---|---|
| Identifier (Entity ID) | https://api.noclick.com/auth/v1/sso/saml/metadata |
| Reply URL (ACS URL) | https://api.noclick.com/auth/v1/sso/saml/acs |
| Relay State | https://noclick.com/auth/callback?next=/dashboard |
3. Configure Attributes
Edit Attributes & Claims:
| Claim name | Source attribute |
|---|---|
| email | user.mail |
| first_name | user.givenname |
| last_name | user.surname |
4. Get Metadata URL
In the SAML Certificates section, copy the App Federation Metadata Url
5. Configure NoClick
- Log in to NoClick as an organization admin
- Go to Settings → Organization → SSO
- Paste the Azure AD Metadata URL
- Click Save
Other Identity Providers
For other SAML 2.0 compatible identity providers (OneLogin, Google Workspace, JumpCloud, etc.), use these values:
| Setting | Value |
|---|---|
| ACS URL / Single Sign-On URL | https://api.noclick.com/auth/v1/sso/saml/acs |
| Entity ID / Audience | https://api.noclick.com/auth/v1/sso/saml/metadata |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Default RelayState | https://noclick.com/auth/callback?next=/dashboard |
Required Attributes
| Attribute | Description |
|---|---|
| email | User’s email address (required) |
| first_name | User’s first name (optional) |
| last_name | User’s last name (optional) |
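The values in the tables above can be checked against a decoded SAML Response from a test login before rollout. The following Python is an added example, not NoClick's code: the function names and the sample response are constructed, the RelayState rule is an assumed reading of the error message in Troubleshooting, and the check covers configuration only, not the signature.

```python
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Values from the tables in this guide.
ACS_URL = "https://api.noclick.com/auth/v1/sso/saml/acs"
ENTITY_ID = "https://api.noclick.com/auth/v1/sso/saml/metadata"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def relay_state_ok(value):
    """UUID or absolute http(s) URL (assumed reading of the error text)."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, TypeError, AttributeError):
        parts = urlparse(value or "")
        return parts.scheme in ("http", "https") and bool(parts.netloc)

def check_response(xml_text, relay_state):
    """List config mismatches in a decoded SAML Response (no signature check)."""
    root = ET.fromstring(xml_text)  # feed it only your own test-login capture
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the ACS URL")
    audiences = [(a.text or "").strip() for a in root.findall(".//saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("Audience does not contain the Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format is not emailAddress")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS)
             for a in root.findall(".//saml:Attribute", NS)}
    if "@" not in attrs.get("email", ""):
        problems.append("required attribute 'email' is missing or empty")
    if not relay_state_ok(relay_state):
        problems.append("RelayState is not a UUID or URL")
    return problems

# Constructed sample response (unsigned, not captured from a real IdP).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}"><saml:Assertion>
  <saml:Subject><saml:NameID Format="{NAMEID_FORMAT}">ana@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email">
    <saml:AttributeValue>ana@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
```

Calling `check_response(SAMPLE, "https://noclick.com/auth/callback?next=/dashboard")` returns an empty list; each mismatch adds one message naming the setting to correct in the IdP.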
Testing SSO
SP-Initiated Login (Recommended)
- Go to noclick.com/auth/sso
- Enter your organization slug
- You’ll be redirected to your identity provider
- After authentication, you’ll return to NoClick
IdP-Initiated Login
- Log in to your identity provider dashboard
- Click the NoClick app tile
- You’ll be redirected directly to NoClick
IdP-initiated login requires the Default RelayState to be configured in your identity provider. Without it, you’ll see a “SAML RelayState is not a valid UUID or URL” error.
Troubleshooting
Error: SAML RelayState is not a valid UUID or URL
This occurs with IdP-initiated SSO when RelayState isn’t configured. Set the Default RelayState in your IdP to:
https://noclick.com/auth/callback?next=/dashboard
Error: User not added to organization
Users are automatically added to your organization when they first log in via SSO. Ensure:
- The user’s email domain matches your organization’s SSO domain
- The SSO provider is correctly linked to your organization
Error: Invalid callback URL
Verify the ACS URL in your IdP matches exactly:
https://api.noclick.com/auth/v1/sso/saml/acs
Error: Audience mismatch
Ensure the Entity ID / Audience URI matches:
https://api.noclick.com/auth/v1/sso/saml/metadata