Articles on: What's new

Setting Up Okta SAML SSO for AfterShip

Plans: Enterprise Platforms: All platforms


Overview


This guide will walk you through how to set up SAML-based Single Sign-On (SSO) between Okta and AfterShip. Because some configuration values are unique to your organization, you’ll need to gather specific details from the Okta Admin Dashboard and coordinate with AfterShip Support. Once enabled, merchants can log in securely through Okta, with optional features like Just-In-Time user provisioning and Domain-enforced SSO


Prerequisites


Before you start, ensure you have the right values for your organization. Some of the required values are unique to your Okta setup, so you’ll need to create the AfterShip Integration in the Okta Admin Dashboard to view the values specific to your organization.


AfterShip single sign-on (SSO) is available only for Enterprise plan customers.


Supported features


The Okta and AfterShip SAML integration currently supports:


  • SP-initiated SSO (starting from AfterShip)
  • IdP-initiated SSO (starting from Okta)
  • Just-In-Time (JIT) user provisioning


You can learn more about these features in the Okta Glossary.


Configuration steps


  1. Reach out to AfterShip Support


  1. Receive your <CustomerName> value
  • AfterShip Support will give you an assigned <CustomerName>. This value appears in your SAML endpoint URL and is required during setup.


  1. Add the AfterShip SAML app in Okta
  • When creating the integration in Okta, enter the <CustomerName> provided to you.


Refer to the detailed steps in the ‘Adding the AfterShip Integration in Okta’ section below.


  1. Share your Identity Provider Metadata URL
  • Send the metadata URL to AfterShip Support so they can complete the configuration.
  • You’ll find it in Okta under the Sign On tab > Sign on methods > SAML 2.0 > Metadata details > Metadata URL.





  1. Wait for confirmation
  • AfterShip Support will notify you when everything is configured and ready for testing.


Adding the AfterShip Integration in Okta


  1. Sign in to the Okta Admin Console.
  2. Navigate to Applications > Browser App Integration Catalog from the Admin Console.
  3. Search for AfterShip.



  1. Click + Add Integration.




  1. In General Settings, enter the Customer Name





  1. Click Done


Notes


Supported SAML attribute


Name

Value

firstName

user.firstName

lastName

user.lastName

email

user.email


Enforcing SSO by Domain


If you want all users with the same email domain to authenticate only through SAML SSO (disabling password login), contact AfterShip Support to enable this setting.


Domain-enforced SSO makes sure everyone in your company signs in using your organization’s identity provider. This keeps access under one secure system and helps maintain strong, compliant security across all users.


Just-In-Time Provisioning


If you’d like new SSO users to be created automatically in your AfterShip organization during their first login, ask Support to enable JIT provisioning.


  • New users will be added with a default role that you choose during setup.
  • More advanced role mapping based on IdP profiles is not yet supported.


SP-Initiated SSO


To start an SP-initiated SSO flow, simply visit the provided AfterShip SSO URL. You’ll be redirected to Okta to sign in.


https://admin.aftership.com/?idp_hint=<CustomerName>



Need help?


Please reach out to the AfterShip Support team via live chat in case you have any questions or require further clarification.


Updated on: 11/12/2025