Cleo Express Configuration Guide (Okta)

Instructions for Okta admins to configure Cleo using Okta Express Configuration. This guide covers SSO and Universal Logout.


Supported Features

Feature                      Supported
SP-initiated SSO             Yes
IdP-initiated SSO            Yes
Universal Logout (Partial)   Yes: revokes refresh tokens. Sessions end when access tokens expire.
Express Configuration        Yes

Prerequisites

  • A Cleo admin account (request access from your Cleo account owner).
  • Admin access to your Okta org.
  • The Cleo app added from the Okta Integration Network (OIN) catalog.

Cleo Values

App name in OIN: Cleo Health
SP-initiated login URL: https://app.cleohealth.io/login
Support contact: support@cleo-ai.co

Step 1 — Configure SSO with Express Configuration

  1. In the Okta Admin Console, go to Applications > Applications.
  2. Find and open the Cleo Health app instance.
  3. Go to the Sign On tab.
  4. In the Express Configuration section, click Configure SSO.
  5. Sign in to Cleo using your Cleo admin credentials when prompted.
  6. Review the authorization prompt and click Accept.
  7. You will be redirected back to Okta. Confirm the success banner indicates SSO is configured.

Step 2 — Verify SSO

  1. Assign the Cleo app to a test user in Okta.
  2. IdP-initiated: Sign in as the test user to the Okta dashboard and click the Cleo tile. Confirm the user lands in Cleo without additional sign-in prompts.
  3. SP-initiated: Navigate to https://app.cleohealth.io/login, enter the user's email, and confirm the user is redirected to Okta for authentication and then back to Cleo.

Step 3 — Configure Universal Logout

Universal Logout is automatically enabled when you add the Cleo Health app from the OIN catalog. No additional configuration is required.

Cleo supports partial Universal Logout via Global Token Revocation (GTR). When a logout event is triggered from Okta, Cleo revokes the user's refresh tokens. The user's active session ends when their current access token expires.

Access token lifetime: Cleo access tokens have a lifetime of 1 hour (3600 seconds). After a Universal Logout event, the user's session will end within this window, or immediately if they attempt to refresh their session.

Step 4 — Verify Universal Logout

  1. Sign in to Cleo as a test user via Okta SSO.
  2. In the Okta Admin Console, revoke the user's sessions (go to Directory > People, select the user, and click Revoke Sessions).
  3. Confirm that the user is signed out of Cleo once their access token expires or when they next interact with Cleo.
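
The partial-logout behaviour from Step 3, applied to the check in Step 4, as an added example that is not Cleo's or Okta's code: it labels activity seen after a Universal Logout as expected residual access, a fresh session, or a revocation failure. The event schema, event names and sample records are assumptions constructed for illustration; only the 3600-second access token lifetime comes from this guide.

```python
from dataclasses import dataclass

ACCESS_TOKEN_LIFETIME_S = 3600  # stated in this guide: 1 hour


@dataclass(frozen=True)
class Event:
    """Constructed audit record; hypothetical schema, not a Cleo or Okta format."""
    ts: int        # event time, seconds since epoch
    user: str
    kind: str      # "universal_logout" | "api_request" | "token_refresh_ok"
    cred_iat: int = 0  # issue time of the access/refresh token that was used


def classify_after_logout(events):
    """Return (ts, user, verdict) for each event after a user's Universal Logout."""
    logout_at, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "universal_logout":
            logout_at[ev.user] = ev.ts
            continue
        t0 = logout_at.get(ev.user)
        if t0 is None:
            continue  # no logout seen yet for this user
        if ev.cred_iat > t0:
            verdict = "new_session"  # credential issued by a fresh sign-in
        elif ev.kind == "token_refresh_ok":
            verdict = "violation"  # a revoked refresh token was accepted
        elif ev.ts <= ev.cred_iat + ACCESS_TOKEN_LIFETIME_S:
            verdict = "expected_residual"  # old access token, not yet expired
        else:
            verdict = "violation"  # old access token accepted after expiry
        findings.append((ev.ts, ev.user, verdict))
    return findings


# Constructed sample: logout at t=1000 while a token issued at t=400 is in use.
SAMPLE = [
    Event(900, "test.user", "api_request", cred_iat=400),
    Event(1000, "test.user", "universal_logout"),
    Event(1500, "test.user", "api_request", cred_iat=400),
    Event(2000, "test.user", "token_refresh_ok", cred_iat=300),
    Event(4100, "test.user", "api_request", cred_iat=400),
    Event(5000, "test.user", "api_request", cred_iat=4800),
]

if __name__ == "__main__":
    for row in classify_after_logout(SAMPLE):
        print(row)
```

Only the "violation" rows need follow-up; "expected_residual" rows are the up-to-1-hour window this guide describes.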

Troubleshooting

  • Permissions error on sign-in: Confirm the user is assigned to the Cleo app in Okta.
  • Express Configuration fails: Ensure you are signed in to Cleo as an admin before authorizing.
  • User not logged out after UL event: The user's session will persist until their access token expires (up to 1 hour). Refresh token revocation takes effect immediately.
  • Okta policies (MFA, device trust, network zones) remain enforced by your Okta org.
  • For tenant-specific issues, contact support@cleo-ai.co.