SSO - Okta

Wiki HomeTitle Index

Overview

This article describes how to configure Okta as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your Okta environment as well as your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their Okta credentials.

To follow this process, you must be able to add applications to your Okta environment and be a workplace administrator in your digital workplace.

Go to one of the following sections in this article:

 
Single logout (SLO) with Okta is not currently supported.

Configuring Okta single sign-on

Follow these steps to configure the Igloo application in Okta. This application will pass the attributes Email, FName, and Email. Additionally, it assumes that you are using the default Okta username format that corresponds to a user's email address.

  1. Go to your Okta portal.
  2. In the Admin Console, select Applications followed by Applications.
  3. Above the list of applications, select Browse App Catalog.
  4. In the Search text box, enter Igloo.
  5. From the list of application search results, select Igloo.
  6. On the Igloo application page, select Add.
  7. Configure the options on the General Settings tab as follows:
    1. Application label: Enter a name for this application.
    2. Login URL: Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest). 
    3. Application Visibility: Select the options that follow your organization's best practices.
    4. Browser plugin auto-submit: Select Automatically log in when user lands on login page (selected by default).
  8. Select Next.
  9. On the Sign-On Options tab, right-click View Setup Instructions and open the link in a new tab.
  10. On the Sign-On Options tab,  select Done to complete setting up the application.
  11. From the Setup Instructions tab that you opened in 9, copy the following values to use when configuring single sign-on in your digital workplace:  
    1. IdP Login URL
    2. Public Certificate

Configuring your digital workplace's single sign-on

  1. Go to your digital workplace and sign in.
  2. Select Control Panel.
  3. Under Membership, select Sign In Settings.
  4. Select Configure SAML Authentication.
  5. Configure these General Configuration options as follows:
    1. Connection Name: Enter a name for this connection.
    2. IdP Login URL: Copy and paste the IdP Login URL from the Okta Setup Instructions into this field.
    3. IdP Logout URL: Leave this field blank; single logout (SLO) with Okta is not supported.
    4. Logout Response and Request HTTP Type: Ignore this option; single logout (SLO) with Okta is not supported. 
    5. Logout Final Redirect URL: Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage. 
    6. Binding Type: Select POST.
    7. Public Certificate: Copy and paste the Public Certificate from the Okta Setup Instructions into this field.
  6. Configure these Response and Authentication Configuration options as follows:
    1. Identity Provider: Select Okta.
    2. Identifier Type: Select Email.
    3. Email Attribute: Enter Email.
    4. First Name Attribute: Enter FName
    5. Last Name Attribute: Enter LName
    6. Drift Time: Enter 5.
  7. For User creation on Sign in, select how your digital workplace handles users who attempt to sign in to your digital workplace when they have valid Okta credentials but are not members of the workplace.
  8. For Sign in Settings, select how users sign in to your workplace using Okta single sign-on. For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and then only switch to Redirect all users to IdP once you have confirmed that single sign-in is working correctly.
  9. Select Save.

Verifying that single sign-on is set up correctly

Adding a test user to the Igloo application in Okta

  1. In Okta, go to the Igloo application that you created.
  2. Select the Assignments tab.
  3. Select Assign, followed by Assign to People.
  4. In the search box on the assign popup, enter the user's name.
  5. Next to the user that you want to add, select Assign.
  6. When prompted to enter a User Name, leave it unchanged and select Save and Go Back.
  7. Select Done.

Adding the same test user as a member of your digital workplace

  1. Go to your digital workplace and sign in.
  2. Select Control Panel.
  3. Under Membership, select Manage Members.
  4. Select Add Members.
  5. Add the user as follows:
    1. First Name: Enter the first name of the user.
    2. Last Name: Enter the last name of the user.
    3. Email: Enter the user's email. This email address should match the user's username value in Okta.
    4. Password: Enter a password for the user. This password is for Igloo Authentication. You are required to enter a value in this field even if you only intend to sign in. 
    5. Confirm Password: Re-enter the user's Igloo Authentication password.
    6. System Groups: Do not select any other groups to add the user to.
    7. Regular Groups: Do not select any other groups to add the user to.
  6. Select Create Member.

Using the test user to sign in to your workplace with Okta

In a private browser window, go to your digital workplace. Depending on how you have configured SAML, you will either be redirected to your IdP or arrive at the Igloo Authentication page. For the latter case, in the upper right corner of the Sign-in box, select Use: {your connection's name} to go to your IdP.

While on your IdP's sign-in page, enter the credentials of your test user. If everything is configured correctly, you will be redirected back to your digital workplace and be signed in.

Troubleshooting issues

Incorrect IdP Login URL

If you see an Okta 404 Page Not Found" message after being redirected to your IdP, you may have entered an incorrect IdP Login URL on your digital workplace's SAML Configuration page. Confirm that the value you entered in this field matches the IdP Login URL in the Okta application you configured. You can find this value in Okta by selecting View Setup Instructions on the Sign On tab of the application.

Incorrect Login URL 

If after signing in, you are brought back to your digital workplace's domain with an Igloo support code showing, you may have entered the incorrect Login URL for your digital workplace in Okta. Verify that this value is your digital workplace's domain with /saml.digest appended to it. You can configure these values in Okta on the General tab of the application.

Public certificate issues

The following are issues that can occur with the public certificate:

  • Invalid format: On your digital workplace's SAML Configuration page, if you click Save and the page refreshes without your changes being saved, the Public Certificate may have an invalid format.
  • Expired or Mismatched: If after signing in, you are brought back to your digital workplace's sign in page with the message "An error has occurred. Please try again and, if that fails, contact support" the public certificate in Igloo does not match what Okta is expecting.

To resolve these issues, verify that the public certificate in your digital workplace matches that of your Okta application. You can find the current Public Certificate in Okta by selecting View Setup Instructions on the Sign On tab of the application.

Workplace membership

Not being a member of a digital workplace can result in the following:

  • If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "You do not have sufficient access to this area" and you don't have any navigation options, it's possible that the account you signed in with is not a member of the digital workplace but has been before.
  • If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "The user account was not found. Please contact an administrator", it's possible that you signed in with an account that is not or has even been a member the digital workplace.

In both cases, verify that the email associated with the account you are trying to sign in with is associated with an account in the workplace's member directory.

Not assigned to the application in Okta

If after entering your Okta credentials, you are redirected to an Okta page with the error "Sorry, you can't access { your application name} because you are not assigned this app in Okta", the account must be added to the application in Okta. You can configure who is assigned to the application in Okta on the Assignments tab of the application.

Additional resources

0 Comments

  • 3,016 views
  • 0 previews
  • 13 versions
  • 0 comments
  • 1 follower
     
    1 subscriber is following updates on this item.
Labels:

Authentication

Avg. Rating:
Updated By:
Jesse Langstaff
 
August 18, 2021
Posted By:
Matthew Seabrook
 
September 4, 2017
Versions:
v.13
Search this area
Viewed 3,016 times