Interested in setting up SSO for easy user authentication in Ethena? This is available for all Ethena Premium customers. SSO configuration is not currently available for Ethena Standard (self-serve) customers.
About Ethena's SSO Connections
Ethena partners with Auth0 to provide SP-initiated SSO workflows through SAML or OpenID Connect.
Our technical team will work directly with your SSO administrator within your organization to exchange the necessary credentials and troubleshoot the SSO connection. Once the initial setup is complete on your end, you can reach out to support@goethena.com for help configuring the integration.
A few additional notes to keep in mind:
- Ethena disables IdP-initiated workflows by default. Workarounds for this are included in our integration guides. If you'd like IdP-initiated workflows enabled, reach out to support@goethena.com.
- Email address is the core metadata requested, as this is how Ethena uniquely identifies learners. If you would prefer to use user ID (if, for example, you have some users without email addresses), reach out to support@goethena.com.
- We do not support traditional SCIM/just-in-time provisioning, but we do offer API-based integrations with Okta, Microsoft Entra ID, Google Workspace, and others. If you'd like your IdP to be the source of truth for user provisioning, please see our HRIS integration article.
SSO Configuration Guides
The following guides provide step-by-step instructions on SSO configuration, depending on your Identity Provider:
Okta SSO Integration Guide
- Choose a one-word, all lowercase company name to use throughout the below steps wherever you see the highlighted word ‘company’. For example, ACME Corp could choose either ‘acme’ or ‘acmecorp’.
- Create a new SAML connection in Okta using the following settings:
  - You can use the Ethena logo to identify the connection.
  - Set the sign on URL to: https://ethena.auth0.com/login/callback?connection=company. Check the box that says "use this for recipient and destination..."
  - Audience: urn:auth0:ethena:company
- Ensure that the following settings are chosen:
  - Name ID format: EmailAddress
  - Attribute Statements:
    - Name: email
    - Value: user.email
- Send the following details over to support@goethena.com:
  - The X.509 certificate and Identity Provider Single Sign-On URL, or the downloadable metadata file
  - The one-word company name you chose for your ACS URL and Entity ID
  - All potential learner email domains that should be added to the home-realm list (e.g. acmecorp.com, ext.acmecorp.com)
- From there, Ethena will set up the integration and send over a test link. Once testing is complete, Ethena will set the integration live.
- You will likely also need to assign users in your organization access to the application. Please ensure that the relevant users are granted access, as well as any new hires who join your organization post-launch.
- As a final step, if you want learners to have a "chiclet" in Okta that directs them to their Ethena training, we can do this without needing to use IdP-initiated SSO (Auth0 discourages IdP-initiated SSO because of security concerns, but reach out if you'd like us to enable it). We recommend using a ‘Bookmark app’ to create a URL-based chiclet. In this case, the URL will be https://app.goethena.com/training?sso=company
Microsoft Entra ID SSO Integration Guide
- Choose a one-word, all lowercase company name to use throughout the below steps wherever you see the highlighted word ‘company’. For example, ACME Corp could choose either ‘acme’ or ‘acmecorp’.
- Create a new SAML application in your SSO provider portal named “Ethena”, and if desired use the Ethena logo.
- Input the following for the Sign On URL (Optional in Azure, but good to have): https://app.goethena.com/training?sso=company
- Input the following for the Reply URL (Assertion Consumer Service URL (ACS)) in Azure: https://ethena.auth0.com/login/callback?connection=company
- For “Entity ID”, or “Audience”, use urn:auth0:ethena:company as the Entity ID.
- For NameID Format, choose Email Address if possible. Generally ensure that your SSO provider is including email as the primary way of identifying users to Ethena.
- No other settings should need to be filled.
- You will likely need to assign users in your organization access to the application. Please ensure that the relevant users are granted access, as well as any new hires who join your organization post-launch.
- Send the following details over to support@goethena.com:
  - The X.509 certificate and Identity Provider Single Sign-On URL, or the downloadable metadata file
  - The one-word company name you chose for your ACS URL and Entity ID
  - All potential learner email domains that should be added to the home-realm list (e.g. acmecorp.com, ext.acmecorp.com)
- From there, Ethena will set up the integration and send over a test link. Once testing is complete, Ethena will set the integration live.
- You will likely also need to assign users in your organization access to the application. Please ensure that the relevant users are granted access, as well as any new hires who join your organization post-launch.
- If an IdP-initiated type of flow is desired (where users click on an Ethena card located in a central place and are redirected to Ethena), we recommend using a link-based card or application to avoid the security risks of IdP-initiated SSO (Auth0 discourages IdP-initiated SSO because of security concerns, but reach out if you'd like us to enable it).
  - For this, create a separate link-style card and use https://app.goethena.com/training?sso=company as the URL of the link. This is the same link users will receive in their notifications from Ethena, and it will direct them through an SP-initiated SSO flow to their Training Center.
Google Workspace SSO Integration Guide
- Choose a one-word, all lowercase company name to use throughout the below steps wherever you see the highlighted word ‘company’. For example, ACME Corp could choose either ‘acme’ or ‘acmecorp’.
- As a Google Workspace admin, navigate to Apps > Web and Mobile Apps. Then click “Add App” at the top and choose “Add custom SAML app”.
- Input “Ethena” as the app name. Optionally you can include the Ethena logo. Click “Continue”.
- Click “download metadata” and save it so you can send our team the .xml file to complete setup.
- On the next screen, input https://ethena.auth0.com/login/callback?connection=company as the ACS URL and enter urn:auth0:ethena:company as the Entity ID. Leave the Start URL blank.
- Send the following details over to support@goethena.com:
  - The .xml file you downloaded
  - The one-word company name you chose for your ACS URL and Entity ID
  - All potential learner email domains that should be added to the home-realm list (e.g. acmecorp.com, ext.acmecorp.com)
- From there, Ethena will set up the integration and send over a test link. Once testing is complete, Ethena will set the integration live.
- You will likely also need to assign users in your organization access to the application. Please ensure that the relevant users are granted access, as well as any new hires who join your organization post-launch.
- If an IdP-initiated type of flow is desired (where users click on an Ethena card located in a central place and are redirected to Ethena), we recommend using a link-based card or application to avoid the security risks of IdP-initiated SSO (Auth0 discourages IdP-initiated SSO because of security concerns, but reach out if you'd like us to enable it).
  - For this, create a separate link-style card and use https://app.goethena.com/training?sso=company as the URL of the link. This is the same link users will receive in their notifications from Ethena, and it will direct them through an SP-initiated SSO flow to their Training Center.
General SSO Integration Guide
- Choose a one-word, all lowercase company name to use throughout the below steps wherever you see the highlighted word ‘company’. For example, ACME Corp could choose either ‘acme’ or ‘acmecorp’.
- Create a new SAML application in your SSO provider portal named “Ethena”, and if desired use the Ethena logo.
- You will need to input an “ACS URL” or “Sign on URL”, which should be https://ethena.auth0.com/login/callback?connection=company
- For “Entity ID”, or “Audience”, use urn:auth0:ethena:company as the Entity ID.
- For NameID Format, choose Email Address if possible. Generally ensure that your SSO provider is including email as the primary way of identifying users to Ethena.
- No other settings should need to be filled.
- You will likely need to assign users in your organization access to the application. Please ensure that the relevant users are granted access, as well as any new hires who join your organization post-launch.
- Send the following details over to support@goethena.com:
  - The X.509 certificate and Identity Provider Single Sign-On URL, or the downloadable metadata file
  - The one-word company name you chose for your ACS URL and Entity ID
  - All potential learner email domains that should be added to the home-realm list (e.g. acmecorp.com, ext.acmecorp.com)
- From there, Ethena will set up the integration and send over a test link. Once testing is complete, Ethena will set the integration live.
- You will likely also need to assign users in your organization access to the application. Please ensure that the relevant users are granted access, as well as any new hires who join your organization post-launch.
- If an IdP-initiated type of flow is desired (where users click on an Ethena card located in a central place and are redirected to Ethena), we recommend using a link-based card or application to avoid the security risks of IdP-initiated SSO (Auth0 discourages IdP-initiated SSO because of security concerns, but reach out if you'd like us to enable it).
  - For this, create a separate link-style card and use https://app.goethena.com/training?sso=company as the URL of the link. This is the same link users will receive in their notifications from Ethena, and it will direct them through an SP-initiated SSO flow to their Training Center.
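An SSO administrator can check their side of the setup before emailing the details to support. The following Python sketch is an added example, not Ethena's or Auth0's code: it derives the ACS URL, Entity ID and link URL from the chosen company name, and inspects an IdP metadata file for the certificate, Single Sign-On URL and email NameID format that the guides ask for. The function names, the sample metadata and idp.example.com are constructed for illustration, and accepting digits in the company name is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata; idp.example.com and the certificate are placeholders.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-CERT</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Location="https://idp.example.com/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_settings(company):
    """Values from the guide for a chosen one-word, all-lowercase company name."""
    # Assumption: digits are accepted alongside lowercase letters.
    if not re.fullmatch(r"[a-z0-9]+", company):
        raise ValueError("company name must be one word, all lowercase")
    return {"acs_url": f"https://ethena.auth0.com/login/callback?connection={company}",
            "entity_id": f"urn:auth0:ethena:{company}",
            "link_url": f"https://app.goethena.com/training?sso={company}"}


def check_idp_metadata(xml_text):
    """Return (details, problems) for your own IdP's metadata file before sending it."""
    root = ET.fromstring(xml_text)  # trusted local file; not a parser for untrusted XML
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {}, ["no IDPSSODescriptor: this is not IdP metadata"]
    sso_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)]
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    problems = []
    if not any(c.text and c.text.strip() for c in certs):
        problems.append("no X.509 certificate")
    if not any(u and u.startswith("https://") for u in sso_urls):
        problems.append("no HTTPS Single Sign-On URL")
    if formats and EMAIL_FORMAT not in formats:
        problems.append("emailAddress NameID format not offered")
    details = {"idp_entity_id": root.get("entityID"), "sso_urls": sso_urls,
               "cert_count": len(certs)}
    return details, problems
```

Calling `check_idp_metadata(SAMPLE)` flags the sample because it advertises only the unspecified NameID format, the case where the email attribute mapping needs a second look.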