Which SAML connection type do you support, IDP initiated or SP initiated?

We support SP initiated SAML authentication.

How do you recommend setting up the integration using Okta SSO?

As we do not support IDP initiated sign-ins, we recommend creating several apps in Okta:

  1. An invisible app for the SAML connection itself
  2. A bookmark app linking to your workspace sign-in page, for editors and admins that need access to the Standards workspace
  3. A bookmark app directing to the published project URLs, visible to everyone at the company

What NAMEID format should be used?

We require that you use the following NAMEID format:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Are there other SAML attributes that should be passed?

None are required. You may optionally send the following (unspecified) attributes: displayName and photoURL.

Should the SAML Response or Assertion be signed?

Either the SAML Response or Assertion should be signed (or both), using the RSA-SHA256 algorithm. Typically, customers sign the Response.