How to configure SSO in Skydio Cloud
Single Sign-On (SSO) allows you to log in to multiple systems and applications with a single set of credentials, eliminating the need to remember multiple usernames and passwords. With SSO enabled in Skydio Cloud, administrators can streamline authentication, reduce security risks associated with password management, and provide users with a more seamless login experience.
This guide walks you through configuring SSO in Skydio Cloud, managing login methods for your organization, and ensuring a smooth integration with your preferred identity provider.
Setting up and managing SSO configurations
Skydio officially supports Okta and Microsoft Entra using SAML 2.0 or OIDC integrations. Other identity providers using these protocols may work if they meet the same technical requirements, but support is not guaranteed. If you encounter issues when configuring an unlisted provider, please contact support@skydio.com.
- SSO configurations can be modified or deleted after creation. If an identity provider is in use by a user, it cannot be deleted.
- To delete an SSO configuration, ensure that it is disabled as the organization default and that no individual users have it enabled through per-user overrides.
- New login methods are not enabled for users by default. See Managing Login Methods for guidance on rolling out SSO across your organization.
SAML
- Skydio expects the NameID to be in email address format.
- ACS and Metadata URLs for a created SAML integration can be retrieved later from the Login Methods configuration page.
- No additional claims are currently inspected by the SAML integration.
OIDC
- Skydio Cloud only supports OIDC-compliant login flows. Implicit or hybrid flows are not supported.
- The OIDC callback URL and initiate sign-in URL can be retrieved later for an existing OIDC application from the Login Methods page.
- Skydio Cloud does not support single sign-out.
- Skydio Cloud does not use any claims other than “email.”
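The following added example (not Skydio or identity provider code) lints an identity provider's discovery document before its well-known URL is entered in Skydio Cloud, checking the points above: code flow, the email scope, and PKCE when the Use PKCE toggle will be on. The sample document, the `idp.example.test` tenant and the function name are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"

# Constructed discovery document for a placeholder tenant, not real IdP output.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.test/oauth2/v1/token",
  "jwks_uri": "https://idp.example.test/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email"],
  "code_challenge_methods_supported": ["S256"]
}""")


def check_discovery(well_known_url, doc, use_pkce=False):
    """Lint what the IdP advertises before pasting the URL; returns problems."""
    problems = []
    if urlsplit(well_known_url).scheme != "https":
        problems.append("well-known URL must use https")
    if not well_known_url.endswith(SUFFIX):
        problems.append("URL does not end in " + SUFFIX)
    # OIDC Discovery: the issuer must equal the URL with the suffix removed;
    # a compliant client rejects a document where the two differ.
    elif doc.get("issuer") != well_known_url[: -len(SUFFIX)]:
        problems.append("issuer does not match the well-known URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(key + " is missing or not https")
    # Implicit and hybrid flows are not supported, which leaves the
    # authorization code flow (response type "code").
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow is not advertised")
    # "email" is the only claim the page says is used.
    if not {"openid", "email"} <= set(doc.get("scopes_supported", [])):
        problems.append("openid/email scopes are not advertised")
    # Only relevant when the Use PKCE toggle will be enabled.
    if use_pkce and "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 is not advertised")
    return problems
```

Some of these fields are optional in the discovery specification, so a "not advertised" finding is a prompt to check the provider's settings rather than proof that the login will fail.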
[accordion heading="Configuring Okta with SAML"]
Requirements
- Application administrator access to your Okta tenant (contact your IT department if you do not have this level of access)
- Skydio Cloud account with Organization Admin permissions
Step 1 - Log in to Okta Admin
Step 2 - Navigate to the Applications page
Step 3 - Select Create App Integration
Step 4 - Select SAML 2.0
Add a name for your app and select Next.
[note] Provide a descriptive label in the Name field, as this appears on the button that users will see. [/note]
Step 5 - Log in to Skydio Cloud
Ensure you are using an account with an Organization Admin role.
Step 6 - Open the Users page
Navigate to Settings > Users
Step 7 - Select Login Methods tab
Select Add Login Method then SAML from the drop-down menu.
Step 8 - Finalize SSO configuration between Skydio Cloud and Okta
You will need to navigate between Skydio Cloud and Okta to finalize your setup:
- Copy the ACS URL from Skydio Cloud
- Return to Okta and paste that value into Single Sign-on URL
- Navigate back to Skydio Cloud and copy the Entity ID
- Return to Okta and paste that into Audience URI (SP Entity ID)
- Optionally add cloud.skydio.com as the Default Relay State to support Okta initiated logins
- In Okta, select Next
- From the newly created app in Okta, copy the Metadata URL
- Return to Skydio Cloud and paste this into the Metadata URL (Optional: If your SAML metadata is in an XML file, select Or use a file and paste the file contents into the text field)
- Select Create
[/accordion]
[accordion heading="Configuring Okta with OIDC"]
Requirements
- Application administrator access to your Okta tenant (contact your IT department if you do not have this level of access)
- Skydio Cloud account with Organization Admin permissions
Step 1 - Log in to Okta Admin
Step 2 - Navigate to the Applications page
Step 3 - Select Create App Integration
Step 4 - Select OIDC - OpenID Connect
Step 5 - Select Web Application
Under the Application type heading.
Step 6 - Log in to Skydio Cloud
Ensure you are using an account with an Organization Admin role.
Step 7 - Open the Users page
Navigate to Settings > Users
Step 8 - Select Login Methods tab
Select Add Login Method then OIDC from the drop-down menu.
[note] Provide a descriptive label in the Name field, as this appears on the button that users will see. [/note]
Step 9 - Finalize SSO configuration between Skydio Cloud and Okta
You will need to navigate between Skydio Cloud and Okta to finalize your setup:
- In Skydio Cloud, copy the Callback URL
- Return to Okta and paste that into Sign-in Redirect URI and provide a descriptive name for users
- In Okta, scroll to the bottom of the page and assign the appropriate access
- Select Save
- In Okta, copy the Client ID and Client Secret
- Return to Skydio Cloud and paste those values into the respective fields
- If you would like to use Proof Key for Code Exchange (PKCE) for your OIDC authentication, enable the Use PKCE toggle in Skydio Cloud (optional)
- In Skydio Cloud, locate the box OpenID Well Known URL and enter the well-known configuration URL for your Okta tenant
  - This URL typically follows the format: www.<your tenant>.okta.com/.well-known/openid-configuration
  - If you do not have access to this information, please contact your IT department
- Select Create
Additional optional settings:
- To enforce PKCE in Okta, edit the client credential settings and check the box, Require PKCE as additional verification. If selected, ensure that Use PKCE is enabled in Skydio Cloud.
- To allow Okta-initiated logins via a tile visible to users, edit the general settings for the new app in Okta. Set Login initiated by to Either Okta or App, choose whether to make the tile visible to users, and adjust the setting accordingly. Then, copy the Initiate Login URL from Skydio Cloud and paste it into the Initiate Login URI field. Use the default OIDC-compliant login flow.
[/accordion]
[accordion heading="Configure Entra ID with SAML"]
Requirements
- An account with the Application Administrator role (minimum) in the Entra ID tenant (contact your IT department if you do not have this level of access)
- Skydio Cloud account with Organization Admin permissions
Step 1 - Log in to Entra
Step 2 - Navigate to Enterprise Applications
Step 3 - Select Create your own application
Select the third option (non-gallery) and provide a name. Users will see this name when logging in using Entra.
Step 4 - Select Create
Step 5 - Select Manage in the left sidebar
In the expanded menu, select Single Sign-On > SAML
Step 6 - Copy the App Federation Metadata URL
Located in the SAML Certificates section (section 3).
Step 7 - Log in to Skydio Cloud
Ensure you are using an account with an Organization Admin role.
Step 8 - Open the Users page
Navigate to Settings > Users
Step 9 - Select Login Methods tab
Select Add Login Method then SAML from the drop-down menu.
[note] Provide a descriptive label in the Name field, as this appears on the button that users will see. [/note]
Step 10 - Finalize SSO configuration between Skydio Cloud and Entra
You will need to navigate between Skydio Cloud and Entra to finalize your setup:
- Paste the App Federation Metadata URL (Step 6) from Entra into the Metadata URL field in Skydio Cloud (Optional: If your SAML metadata is in an XML file, select Or use a file and paste the file contents into the text field)
- Return to Entra and navigate to the Basic SAML Configuration (section 1) and select Edit
- In Skydio Cloud, copy the Entity ID and paste into the Identifier field in Entra
- In Skydio Cloud, copy the ACS URL and paste it into the Reply URL field in Entra
- In Entra, select Save
- In Skydio Cloud, select Create
- In Entra, ensure you have added one or more users and/or groups to the application access to enable authentication from Entra
[/accordion]
[accordion heading="Configure Entra ID with OIDC"]
Requirements
- An account with the Application Administrator role (minimum) in the Entra ID tenant (contact your IT department if you do not have this level of access)
- Skydio Cloud account with Organization Admin permissions
Step 1 - Log in to Entra
Step 2 - Navigate to App registrations
Step 3 - Select + New registration
Name your application.
Step 4 - Select Accounts in this organizational directory only
Step 5 - Select Register
Step 5 - Add the Email Claim to your token
- Select Manage in the left sidebar
- In the expanded menu, select Token Configuration
- Select + Add optional claim
- Select ID for the token type
- Check the box next to email
- Select Add
Step 6 - Grant OpenID permissions
- Using the same Manage menu in the left sidebar, select API Permissions
- Select Microsoft Graph
- Expand OpenID Permissions
- Check the boxes for email, openid, and profile
- Select Update Permissions
Step 7 - Generate a Client secret
- Using the same Manage menu in the left sidebar, select Certificates & secrets
- Select New client secret and name the secret
- Set an expiration date that aligns with your organizational policies (Tip: Set a reminder to renew)
- Select Add
- Use the clipboard icon to copy the Value field
Step 8 - Log in to Skydio Cloud
Ensure you are using an account with an Organization Admin role.
Step 9 - Open the Users page
Navigate to Settings > Users
Step 10 - Select Login Methods tab
Select Add Login Method then OIDC from the drop-down menu.
[note] Provide a descriptive label in the Name field, as this appears on the button that users will see. [/note]
Step 11 - Finalize SSO configuration between Skydio Cloud and Entra
You will need to navigate between Skydio Cloud and Entra to finalize your setup:
- In Skydio Cloud, paste the client secret you generated (Step 7) into the Client Secret field
- In Entra, open the Overview menu in the left sidebar
- Copy the Application (client) ID
- Paste this into the Client ID field in Skydio Cloud
- In Entra, copy the OpenID Connect metadata document (within the Endpoints section of the Overview tab)
- Paste this into the OpenID Well Known URL in Skydio Cloud
- Select Create in Skydio Cloud
Step 12 - Open the Provider Information section in your new provider and copy the Callback URL
Step 13 - Copy the Callback URL in Skydio Cloud
Return to Entra and open the Manage menu in the left sidebar:
- Select Authentication
- Within Platform Configurations, select Add a Platform
- Select Web
- Paste the Callback URL into the Redirect URI field
- Select Configure
- In Entra, ensure you have added one or more users/groups to the application access to enable authentication from Entra
[/accordion]
[accordion heading="Configuring Axon Connect"]
[info] The Axon Connect integration will be available starting February 6th. Any attempts to sign in with Axon before then will be unsuccessful. [/info]
Requirements
- Axon Evidence account with access to the domain, as you will need to enable the client in the Third-Party Applications page in Axon Evidence
- Skydio Cloud account with Organization Admin permissions
[note] A Skydio Cloud organization can have at most one Axon Connect integration. If you have SSO configured on your evidence.com account, authentication will be chained. [/note]
Step 1 - Log in to Axon Evidence
Step 2 - Navigate to Admin > Security Settings
Step 3 - Select Third-Party Applications
Step 4 - Select Skydio Cloud
Check the box called Enabled Application.
Select Save.
[note] Axon Evidence only supports a limited number of regions. If you have an unsupported region, please contact Skydio support. [/note]
Step 5 - Log in to Skydio Cloud
Ensure you are using an account with an Organization Admin role.
Step 6 - Open the Users page
Navigate to Settings > Users
Step 7 - Select Login Methods tab
Select Add Login Method then Axon Connect from the drop-down menu.
Step 8 - Enter your agency domain
This will be a format similar to: example.evidence.com or example.eur.evidence.com
Select Create.
[/accordion]
Managing Login Methods
Skydio Cloud supports logging in with an email code, an SSO provider, and Axon Connect. You can configure which login methods are applied by default to all users in an organization. Additionally, overrides for login methods can be set on a per-user basis.
- A given user can log in via email passcode, Axon Connect (if configured), and one SSO provider
[note] User accounts can only have one SSO provider. Skydio Cloud does not support user accounts having multiple SSO providers. [/note]
Changing Default Login Settings
Only Skydio Cloud administrator roles can assign default login settings for users.
Step 1 - Log in to Skydio Cloud
Visit cloud.skydio.com and enter your email address.
- A verification code will be sent to the email address you enter
Step 2 - Navigate to Settings
Select the gear icon in the bottom left.
Step 3 - Select Users
Step 4 - Select the Login Methods tab
Use the toggles to the right of each identity provider to set which ones are enabled by default for users.
Select Save when you are done.
[note] Only one SSO provider may be enabled as default for an organization. [/note]
Setting Per-User Login Method Overrides
Only Skydio Cloud administrator roles can set login overrides for users.
[note] SSO & Axon Connect login types are displayed only if they have been configured for the organization. If one is configured but not visible, please refresh the page. [/note]
Step 1 - Navigate to Settings
Select the gear icon in the bottom left.
Step 2 - Select Users
Step 3 - Edit settings for the specified user
Locate the user and select the “...” three dots on the right.
- Use the drop-down menus at the top to filter your search
Select Edit.
Use the drop-down menus under Login Types to select your preferred SSO identity provider and enable or disable the ability to log in with an email address or Axon.
Use the toggle titled Override Sign-In Methods to enable overrides on a user’s login methods.
- To return to default login methods, disable this toggle
Step 4 - Save your changes
[note] If a specific user has overrides enabled, the account will be excluded from changes made to the entire organization. We recommend using per-user overrides only for specific circumstances. [/note]
SSO Integration Best Practices
To ensure the best user experience and effective management of your SSO integration, we recommend the following:
- Collaborate with your IT department
  - Work closely with your IT team to gather all necessary information for configuring and managing SSO
  - Whenever possible, use teleconferencing tools to set up the integration synchronously to minimize back-and-forth communication
- Maintain a “break glass” admin account
  - We strongly recommend setting up a backup admin account with email as the login method, distinct from your regular admin accounts
  - In the event of an SSO provider outage or integration failure, this account can be used to temporarily enable email logins for all users, ensuring continued access
  - Your IT team can guide you on implementing this practice within your organization
- Follow a structured approach when migrating SSO providers
  - When switching SSO providers, create a new SSO configuration and set an override for a test user to verify the integration
  - Once confirmed, change the default SSO provider for the entire organization and remove the override from the test user
- Regularly review user accounts and login methods
  - We recommend that administrators periodically review user accounts in Skydio Cloud, paying particular attention to the enabled login methods and any login overrides
  - The Settings/Users page in Skydio Cloud allows you to search based on login methods and overrides for greater visibility
Skydio, Inc. A0570