Skip to main content

Single Sign On (SSO) for Employers

A guide for Employers on setting up and managing SSO in Kota, including login flow, supported identity providers, and configuration steps for secure employee access.

Kota supports Single Sign-On (SSO) using OpenID Connect (OIDC), allowing your organisation to authenticate employees securely through your existing identity provider.

SSO works across:

  • Kota web portals

  • Kota mobile applications

SSO is available on all Kota plans.

Key Information

  • SSO applies to employees and non-admin users

  • Admin users can continue using email and password login

  • Only one company email domain can be configured per organisation

  • Kota supports OIDC only (SAML is not supported)

How SSO Works

Once SSO is enabled at the organisation level:

  • Employees and non-admin users must log in via SSO.

  • Admin users can continue using email and password

  • Authentication is handled entirely by your OIDC identity provider

Login Experience

The authentication flow is simple and secure:

  1. Select Continue with SSO

  2. Enter your work email address

  3. If the domain matches your configured company domain:

    • You'll be redirected to your identity provider

    • You´ll log in using corporate credentials

    • You'll be redirected back to Kota

  4. Access is granted

Mobile login follows the same OIDC authentication flow while keeping the user inside the app.

User Access & Provisioning

Kota does not support automatic user provisioning.

Access works as follows:

  • Users must be added as Members to the organisation

  • Users must be assigned at least one Benefit

  • Access is granted only after both conditions are met

Users who are not assigned a benefit cannot access the platform, even if SSO authentication succeeds.

Current Limitations ⚠️

  • Only one email domain can be configured per organisation

  • Admin users are not required to use SSO

  • SAML is not supported

  • SCIM provisioning is not supported

  • Security Assertion Markup Language (SAML) is not supported

  • System for Cross-domain Identity Management (SCIM) provisioning is not supported

  • Just-In-Time (JIT) provisioning is not supported

Supported Identity Providers

Kota supports any OIDC-compliant provider, including:

  • Google Workspace / Google Identity

  • Okta

  • Microsoft Azure AD / Entra ID

  • Auth0

  • Ping Identity

  • Keycloak

  • OneLogin

  • AWS Cognito

  • GitHub

  • Salesforce Identity

Configuring SSO as Employer

SSO is enabled at the organization level by an Admin.

Step 1 — Configure SSO in Kota

  1. Go to Admin Settings → Single Sign-On

  2. Enter the following details from your identity provider:

    • Client ID

    • Client Secret

    • Issuer URL

    • Company email domain

  3. Click Test & Save Configuration.

After saving the configuration, Kota will validate the connection and generate a Redirect URL

Step 2 — Configure the Redirect URL in Your Identity Provider

  1. Copy the generated Redirect URL

  2. Paste it into your identity provider as an:

    • Authorized Redirect URI

    • Callback URL

  3. Return to Kota and click Finalize Configuration

SSO will now be active for your organisation.

Single Login Link (Optional)

Kota can provide a tenant-specific SSO login link.

  • Unique to your organisation

  • Can be added to Internal systems:

    • Okta dashboards

    • HR portals

    • Identity provider app catalogs

To request your dedicated link, contact [email protected].

For Employees

Once SSO is enabled, employees and non-admin users will log in using Single Sign-On with their work credentials.

If SSO is not yet configured, employees will continue using email and password login.

Did this answer your question?