Okta is an Identity Provider (IdP) used by many Service providers. The setup and configuration are pretty straightforward. Accounts should be created first with Okta.
Back at Document360 projects, only the account owner or an administrator could get the Enterprise SSO setup configured.
Make sure that the Document360 Enterprise SSO page opens in a different tab. It would be helpful when retrieving specific field values from the page during the setup.
Okta Signup
- Sign up for the Okta at https://developer.okta.com/signup/ the Okta developer console
- Post signup, you would receive a mail with your login credentials and account activation link on the Email provided during signup
- Click on the activation link, and you are redirected to your Okta Domain login page
- Login with your credentials
- The Dashboard is displayed on the Okta developer console domain on successful login.
Adding an application
To configure an application to Okta, the user must create a new application.
- The default dashboard would be as a Developer console. It has to be changed to Classic UI
- On the top left corner of the page, you’d find a dropdown to toggle between the dashboards
- To create a new application, go to Applications menu and click on Applications in the drop-down.
- Now click on the Add application button on the window
- On the Add Application page, click on the Create New App button
- In the overlay Create a New Application Integration window select the platform as Web from the dropdown
- Now in the Sign on method select SAML 2.0 and click on the Create button
Creating a SAML integration
Now, in Okta, the users would land on the Create SAML Integration page
- On the General Settings page, enter the name of your new application in the App name field
- Browse and upload a Logo for your application in the Add Logo field if required, as it’s not mandatory
- In the App visibility, you can choose either or both options depending on your requirements.
- Click on the Next button
- In the SAML Settings page, the user has to fill in the parameters provided by Document360
- Head back to the Document360 Enterprise SSO page and SAML tab in it
- The Callback path provided should be entered in the Single sign on URL field on the Okta SAML settings page
- Similarly, the Service Provider Entity Id should be entered in the Audience URI (SP Entity ID) field on the Okta SAML settings page
-
The following field, Default RelayState, identifies a specific application resource in an IDP-initiated SSO. This field can be left blank
-
For the Name ID Format field select EmailAddress from the drop-down
-
The Application username by default would be as Okta username. Change it to Email from the dropdown
-
The Attribute Statements field is when you create a new SAML integration or modify an existing integration, you can define custom attribute statements
-
These statements are inserted into the SAML assertions shared with your app.
| Name | Name format | Value |
|---|---|---|
| urn:oasis:names:tc:SAML:2.0:nameid | URI Reference | user.email |
| name | Unspecified | user.email |
| Unspecified | user.email |
Add urn:oasis:names:tc:SAML:2.0:nameid in name, URI Reference as Name format, and user.email as value
Click the Add Another button and add.
- name in the Name field, Unspecified in the Name format, and user.email as value
- email in the Name field, Unspecified in the Name format, and user.email as value
-
The Group Attribute Statements field is in case you use groups to categorize users; you can add group attribute statements to the SAML assertion shared with your app. However, this is optional.
-
Now click on the Next button at the end of the page
-
In the Are you a customer or partner? Select the relevant option. (If you're unsure about this, you can select the "I'm an Okta customer adding an internal app" and you can skip filling out the fields)
-
Click on Finish
You’ve created an application on the Okta platform that can be configured with the Service provider.
Okta to Document360 settings
The application created on Okta needs to be configured with Document360.
Have the Okta and the Document360 Enterprise SSO pages open in different tabs. It would be helpful when retrieving specific field values between the two pages during the setup.
-
On the Okta dashboard, click on the Applications menu and select Applications
-
On the Applications page, select the active application you want to configure on Document360
-
On the My application page, select the Sign On tab
-
Click on the View Setup Instructions, and the parameters needed to configure open in a separate webpage
-
Now head back to the Document360's SAML configuration page
-
Click on the edit icon in the SAML basic configuration section
- In the Mail Domains field, enter domains of mail IDs you would like to authorize for SSO. (For instance, yourcompany.com). You can add multiple domains by adding a comma after each domain
- In the Sign On URL field, enter the value of Identity Provider Single Sign-On URL copied from the Okta setup instruction page
- For the Entity Id field, enter the value of Identity Provider Issuer copied from the Okta setup instruction page
- The Sign Out URL is an optional field so that you can skip that
- Next is the SAML certificate. For this, you have to head back to the Okta setup instruction page
- Download the .cert file by clicking on the Download certificate button
- Now head back to the Document360 Enterprise SSO SAML page
- Click on Browse and add the recently downloaded .cert file from Okta. Finally, click on the Save button
Now, your project SSO has been configured with the Identity provider Okta.
Troubleshooting
How do you resolve the below login issue in Okta?
There could be mismatched configurations in the attributes.
- Check the attribute configuration of the SAML application
- Make sure that the Name, Name format, and Value attributes are entered correctly
Email and name parameters are case-sensitive.
- Once the attributes are changed correctly, the login issue will be resolved