How to Configure Single Sign-On for Teams

Validated on 27 Aug 2025 • Last edited on 28 Aug 2025

Enabling single sign-on (SSO) on your DigitalOcean team lets team members sign in to DigitalOcean with a single set of credentials from an OIDC-compatible identity provider (IdP), like Okta. You can also enforce SSO login and automatically apply roles from your IdP to enable role-based access control (RBAC).

Enable SSO on a DigitalOcean Team

To enable SSO for a team, you need to configure your OIDC-compatible IdP, then provide the OpenID provider URL, client ID, and client secret to DigitalOcean.

Configure your IdP

Configuration depends on your IdP. The instructions below cover configuring Okta as your IdP.

To configure Okta as your IdP, you need to create an app integration, then configure role mapping to translate Okta group membership into DigitalOcean roles. For background, see Okta's documentation on using Okta as an IdP for OIDC apps.

We recommend naming Okta groups beginning with DO: followed by the DigitalOcean role name. For example, for the Owner role on DigitalOcean, the corresponding Okta group name is DO:Owner. The instructions here use this configuration.

Create an Okta App Integration

First, create an Okta App integration:

  1. From the Okta admin console, in the left menu, click to expand the Applications section, then click Applications within that section to go to the Applications page.

  2. At the top of the page, click the Create App Integration button to open the Create a new app integration window:

    • For the Sign-In method, choose OIDC - OpenID Connect.

    • For the Application type, choose Web Application.

  3. Click Next to go to the New Web App Integration page:

    • Set App integration name to a descriptive name.

    • Set Grant type to Authorization Code, which is the default.

    • Set Sign-in redirect URIs to https://cloud.digitalocean.com/sessions/sso/callback.

    • Delete the default localhost URI in Sign-out redirect URIs.

    • Under Assignments, set Controlled access to Skip group assignment for now.

  4. Click Save to create the app integration, which takes you to the app’s General tab.

  5. Click the Sign On tab. In the OpenID Connect ID Token section, click Edit, and change the following settings:

    • For Groups claim type, choose Expression

    • For Groups claim expression’s Claim name, enter team_role.

    • For Groups claim expression’s Input expression, enter the following expression:

      Arrays.flatten(String.replace(Arrays.toCsvString(Groups.startsWith("OKTA","DO:",100)),"DO:", ""))

      This expression removes the DO: substring from matching group names and passes what remains as the team_role. For more information, see How to Remove Substring from Group Names in OpenID Connect Claims.

  6. Click Save.
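The input expression in step 5 is easy to get subtly wrong, because it round-trips the matching group names through a single comma-separated string before it becomes the team_role claim. The following is an added example, not code from DigitalOcean or Okta: it re-implements the four Okta Expression Language calls in Python so you can see what a user's Okta group memberships turn into, and flag group names that would not survive the round trip. All group lists are constructed sample data; DO:Owner follows the naming convention from the instructions, DO:Auditor and the other role names are placeholders.

```python
"""Simulate the team_role claim built by the Okta groups-claim expression.

Added example; not code from DigitalOcean or Okta. Re-implements in Python the
Okta Expression Language calls used in the input expression (Groups.startsWith,
Arrays.toCsvString, String.replace, Arrays.flatten). Group lists are constructed
sample data; role names other than Owner are placeholders.
"""

from typing import List

PREFIX = "DO:"
MAX_GROUPS = 100  # third argument of Groups.startsWith in the expression


def groups_starts_with(okta_groups: List[str], prefix: str, limit: int) -> List[str]:
    """Groups.startsWith("OKTA", prefix, limit): names of the user's Okta-sourced
    groups that begin with prefix, at most `limit` of them."""
    return [g for g in okta_groups if g.startswith(prefix)][:limit]


def to_csv_string(items: List[str]) -> str:
    """Arrays.toCsvString: join the array into one comma-separated string."""
    return ",".join(items)


def flatten(csv: str) -> List[str]:
    """Arrays.flatten: split a comma-separated string back into an array."""
    return [] if csv == "" else csv.split(",")


def team_role_claim(okta_groups: List[str]) -> List[str]:
    """Value of the team_role claim for a user with the given Okta group memberships.

    Mirrors:
    Arrays.flatten(String.replace(Arrays.toCsvString(Groups.startsWith("OKTA","DO:",100)),"DO:", ""))
    """
    matching = groups_starts_with(okta_groups, PREFIX, MAX_GROUPS)
    csv = to_csv_string(matching)
    # String.replace removes every occurrence of "DO:" in the whole CSV string,
    # not just the leading one of each group name.
    stripped = csv.replace(PREFIX, "")
    return flatten(stripped)


def lint_group_names(okta_groups: List[str]) -> List[str]:
    """Return the DO: group names that would not map to one unambiguous role:
    a comma in the name splits one group into two roles, a second "DO:" inside
    the name is stripped as well, and an empty remainder yields no role."""
    suspicious = []
    for name in groups_starts_with(okta_groups, PREFIX, MAX_GROUPS):
        role = name[len(PREFIX):]
        if role == "" or "," in role or PREFIX in role:
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    # Constructed sample: one user in two DigitalOcean-mapped groups plus unrelated groups.
    sample_user_groups = ["Everyone", "Engineering", "DO:Owner", "DO:Auditor"]
    print("team_role claim:", team_role_claim(sample_user_groups))
    print("problem groups:", lint_group_names(["DO:Owner", "DO:Read, Write", "DO:DO:Owner"]))
```

Run lint_group_names over your full list of DO: groups before assigning the app to them: a group such as DO:Read, Write is accepted by Okta but arrives at DigitalOcean as two roles, "Read" and " Write", neither of which exists. Note also the 100-group cap in Groups.startsWith; a user in more DO: groups than that gets a truncated claim.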

Configure Okta Groups with Role Mappings

Next, configure role mapping. To do this, create a group in Okta for each role (predefined or custom) that you use on your DigitalOcean team, then assign the application to each group.

Follow these steps for each role on your DigitalOcean team:

  1. From the Okta admin console, expand the Directory section of the left menu, then click Groups.

  2. Click the Add group button in the top right to open the Add group window.

    • For Name, enter a name for the group. For compatibility with the input expression in the next step, begin the group names with DO: followed by the DigitalOcean role name. For example, for the Owner role on DigitalOcean, use DO:Owner.

    • Optionally, enter a description for the group.

  3. Click Save to create the group and return to the main Groups page.

  4. Click the name of the new group in the list to go to its General page, then click the Applications tab.

  5. Click the Assign applications button in the top right to open the Assign Applications to window.

  6. Next to the application you created, click Assign, then click Done.

Repeat these steps to create a group for each role on your DigitalOcean team. This completes your Okta IdP configuration.

Get Okta Information

To configure SSO on DigitalOcean, you need three pieces of information:

  • The client ID and client secret of your Okta app.

    From the Okta admin console, in the left menu, click to expand the Applications section, then click Applications within that section to go to the Applications page. Click the name of your app to go to its General tab, which lists these values. Treat the client secret like a password; it is what lets DigitalOcean prove to Okta that it is the registered app.

  • The OpenID provider URL. This is the base URL of your Okta org, which acts as the OIDC issuer, like https://example-application.okta.com. Use the org URL that your users sign in to, not the admin console URL.

With these three values in hand, finish the configuration on DigitalOcean in the next step.

Configure SSO on your DigitalOcean Team

Once your IdP is configured, you can enable SSO on your DigitalOcean team.

Switch to your team in the control panel. Click the profile icon in the top right to open the drop-down menu, click Switch Teams, then click the name of the team you want to update. Next, in the left menu of the control panel, click Settings to go to the team settings page. In the Single sign-on (OIDC) section, click Enable to go to the Enable single sign-on page.

In the first step, Configure SSO, you need to provide three pieces of information:

  • The OpenID provider URL.

  • The OpenID client ID.

  • The OpenID client secret.

Once you enter these values, click Test SSO config to continue. This tests that your provider URL is a valid OIDC provider before taking you to the next configuration page.

Next, you can optionally enforce sign-in via SSO only. This prevents team members from signing in to DigitalOcean with other login methods, like an email and password.

Use the Enable sign-in via SSO only checkbox to make your selection, then click Continue. If you don’t enforce SSO now, you can choose to enforce it later on your team settings page.

Warning
Test your SSO login before enforcing sign-in via SSO. If SSO is misconfigured and enforced as the only sign-in method, you cannot log into your team, and need to contact support.
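Before enforcing sign-in via SSO only, it is worth confirming the provider URL independently of the control panel. The following is an added example, not code from DigitalOcean or Okta: it fetches the provider's OIDC discovery document from <provider URL>/.well-known/openid-configuration and checks that it advertises what this integration relies on (an issuer that exactly matches the URL you will enter, the Authorization Code flow used by the Okta app above, and published signing keys). SAMPLE_DISCOVERY is a constructed document and https://example.okta.com is a placeholder org URL; fetch_discovery is the only part that touches the network.

```python
"""Pre-flight check of an OpenID provider URL before entering it in DigitalOcean.

Added example; not code from DigitalOcean or Okta. Fetches the OIDC discovery
document and checks the fields this integration depends on. SAMPLE_DISCOVERY is
a constructed document; https://example.okta.com is a placeholder org URL.
"""

import json
import urllib.request
from typing import Dict, List

DISCOVERY_PATH = "/.well-known/openid-configuration"


def fetch_discovery(provider_url: str, timeout: float = 5.0) -> Dict:
    """Fetch the live discovery document for provider_url (network access; the
    offline checks below do not call this)."""
    if not provider_url.startswith("https://"):
        raise ValueError("OpenID provider URL must use https")
    url = provider_url.rstrip("/") + DISCOVERY_PATH
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(provider_url: str, doc: Dict) -> List[str]:
    """Return the problems found; an empty list means the provider looks usable here."""
    problems: List[str] = []
    issuer = str(doc.get("issuer", ""))
    # The issuer must be exactly the URL you will type into DigitalOcean. A typo, or
    # the Okta admin console URL (<org>-admin.okta.com) used in place of the org URL,
    # shows up here as a mismatch.
    if issuer.rstrip("/") != provider_url.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match provider URL {provider_url!r}")
    if not issuer.startswith("https://"):
        problems.append("issuer is not an https URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    # The Okta app was created with the Authorization Code grant (response_type=code).
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("grant_type 'authorization_code' not supported")
    # OIDC Discovery requires RS256 to be listed among the ID token signing algorithms.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("ID tokens are not offered with RS256 signing")
    return problems


# Constructed sample shaped like an Okta org authorization server's discovery
# document; the values are placeholders, not a real tenant.
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


if __name__ == "__main__":
    import sys
    # Usage: python check_oidc.py https://<your-org>.okta.com   (fetches the live document)
    # With no argument, the constructed sample is checked instead.
    if len(sys.argv) > 1:
        url, doc = sys.argv[1], fetch_discovery(sys.argv[1])
    else:
        url, doc = "https://example.okta.com", SAMPLE_DISCOVERY
    issues = check_discovery(url, doc)
    print("OK" if not issues else "\n".join(issues))
```

Run it with the exact string you intend to paste into the OpenID provider URL field. An empty result is what you want before ticking Enable sign-in via SSO only; an issuer mismatch is the most common way to end up locked out, since the control panel's test only proves the URL you typed is some OIDC provider, not that it is the one your Okta app lives in.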

The final Summary page lists your SSO sign-in URL, which looks similar to https://cloud.digitalocean.com/sessions/sso/<id>. Use this URL to initiate an SSO login and to create an app card on your SSO provider dashboard.

To create an app card on Okta's dashboard:

  1. From the General tab of your application settings, in the General Settings section, click Edit.

    • In the Login subsection, set Login initiated by to Either Okta or App.
    • Check the Display application icon to users checkbox.
    • Set Initiate login URI to your SSO sign-in URL.
  2. Click Save to finish.

Click Enable SSO to complete the SSO configuration.

Disable SSO on a DigitalOcean Team

To disable SSO on a team, switch to the team in the control panel. Click the profile icon in the top right to open the drop-down menu, click Switch Teams, then click the name of the team you want to update.

Next, in the left menu of the control panel, click Settings to go to the team settings page. In the Single sign-on (OIDC) section, click the menu, then click Disable. In the Disable single sign-on confirmation window click Disable SSO to disable SSO on your team.

Your SSO configuration is saved even when disabled, so you may re-enable it at any time.

View SSO Activity

To view a log of single sign-on activity, switch to your team in the control panel. Click the profile icon in the top right to open the drop-down menu, click Switch Teams, then click the name of the team you want to view.

Next, in the left menu of the control panel, click Settings to go to the team settings page. In the Single sign-on (OIDC) section, click Show more, then click View SSO Activity to go to the SSO activity page, which has a table with timestamped sign-on history events.
