This page describes how to set up Pinecone with Okta as the single sign-on (SSO) provider. These instructions can be adapted for any provider with SAML 2.0 support.
SSO is available on Standard and Enterprise plans.

Before you begin

This page assumes you have the following:

1. Start SSO setup in Pinecone

First, start setting up SSO in Pinecone. In this step, you’ll capture a couple values necessary for configuring Okta in Step 2.
  1. In the Pinecone console, go to Settings > Manage.
  2. In the Single Sign-On section, click Enable SSO.
  3. In the Setup SSO dialog, copy the Entity ID and the Assertion Consumer Service (ACS) URL. You’ll need these values in Step 2.
  4. Click Next.
Keep this window or browser tab open. You’ll come back to it in Step 4.

2. Create an app integration in Okta

In Okta, follow these steps to create and configure a Pinecone app integration:
  1. If you’re not already on the Okta Admin console, navigate there by clicking the Admin button.
  2. Navigate to Applications > Applications.
  3. Click Create App Integration.
  4. Select SAML 2.0.
  5. Click Next.
  6. Enter the General Settings:
    • App name: Pinecone
    • App logo: (optional)
    • App visibility: Set according to your organization’s needs.
  7. Click Next.
  8. For SAML Settings, enter values you copied in Step 1:
    • Single sign-on URL: Your Assertion Consumer Service (ACS) URL
    • Audience URI (SP Entity ID): Your Entity ID
    • Name ID format: EmailAddress
    • Application username: Okta username
    • Update application username on: Create and update
  9. In the Attribute Statements section, create the following attribute:
    • Name: email
    • Value: user.email
  10. Click Next.
  11. Click Finish.

3. Get the sign on URL and certificate from Okta

Next, in Okta, get the URL and certificate for the Pinecone application you just created. You’ll use these in Step 4.
  1. In the Okta Admin console, navigate to Applications > Pinecone > Sign On. If you’re continuing from the previous step, you should already be on the right page.
  2. In the SAML 2.0 section, expand More details.
  3. Copy the Sign on URL.
  4. Download the Signing Certificate.
    Download the certificate, don’t copy it. The downloaded version contains necessary -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

4. Complete SSO setup in Pinecone

In the browser tab or window you kept open in Step 1, complete the SSO setup in Pinecone:
  1. In the SSO Setup window, enter the following values:
    • Login URL: The URL copied in Step 3.
    • Email domain: Your company’s email domain. To target multiple domains, enter each domain separated by a comma.
    • Certificate: The contents of the certificate file you copied in Step 3.
      When pasting the certificate, be sure to include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  2. Choose whether or not to Enforce SSO for all users.
    • If enabled, all members of your organization must use SSO to log in to Pinecone.
    • If disabled, members can choose to log in with SSO or with their Pinecone credentials.
  3. Click Next.
  4. Select a Default role for all users who log in with SSO. You can change user roles later.
Okta is now ready to be used for single sign-on. Follow the Okta docs to learn how to add users and groups.