SSO: Okta

This article describes how to configure Okta as your workplace's single sign-on Identity Provider (IdP). This process involves making modifications to your Okta environment as well as your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their Okta credentials.

To follow this process, you must be able to add applications to your Okta environment and be a workplace administrator in your digital workplace.

Single logout (SLO) with Okta is not currently supported.

Configuring an Okta single sign-on application

Follow these steps to configure the Igloo application in Okta. This application will pass the attributes Email, FName, and LName. Additionally, it assumes that you are using the default Okta username format that corresponds to a user's email address.

  1. Go to your Okta portal.
  2. In the Admin Console, select Applications followed by Applications.
  3. Above the list of applications, select Browse App Catalog.
  4. In the Search text box, enter Igloo.
  5. From the list of application search results, select Igloo.
  6. On the Igloo application page, select Add.
  7. Configure the options on the General Settings tab as follows:
    • Application label: Enter a name for this application.
    • Login URL: Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest). 
    • Application Visibility: Select the options that follow your organization's best practices.
    • Browser plugin auto-submit: Select Automatically log in when user lands on login page (selected by default).
  8. Select Next.
  9. On the Sign-On Options tab, right-click View Setup Instructions and open the link in a new tab.
  10. On the Sign-On Options tab, select Done to complete setting up the application.
  11. From the Setup Instructions tab that you opened in step 9, copy the following values to use when configuring single sign-on in your digital workplace:
    • IdP Login URL
    • Public Certificate

Configuring your digital workplace's single sign-on

  1. Go to your digital workplace and sign in.
  2. Select Control Panel.
  3. Under Membership, select Sign In Settings.
  4. Select Configure SAML Authentication.
  5. Configure the settings as described in the Configuration settings table below.
  6. Select Save.
Configuration settings

Connection Name
Enter a name for this connection. If you configure Sign in Settings to Use SAML button on Sign in screen, this name will be displayed on the button.

IdP Login URL
Copy and paste the IdP Login URL from the Okta set-up instructions into this field.

IdP Logout URL
Leave this field blank; single logout (SLO) with Okta is not supported.

Logout Response and Request HTTP Type
Ignore this option; single logout (SLO) with Okta is not supported.

Logout Final Redirect URL
Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage.

Binding Type
Select POST.

Public Certificate
Copy and paste the Public Certificate from the Okta set-up instructions into this field. You will need to open the certificate file using a text editor.

Identity Provider
Select Okta.

Identifier Type
Select Email Address.

Email Attribute
Enter Email.

First Name Attribute
Enter FName.

Last Name Attribute
Enter LName.

Drift Time
Enter 5.

User creation on Sign in
Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace.

Options include:

  • Create a new user in your site when they sign in (users will be added to Manage Members on sign in)
  • Do not create new users when they sign in (users not in Manage Members will be denied access)

When new users are created in your digital workplace this way, they are created with the following details:

  • First Name (from First Name Path)
  • Last Name (from Last Name Path)
  • Email Address (from Email Path)
  • CustomIdentifier (from Identifier Path, if the Identifier Type is Custom Identifier)
  • Membership in the All Members group

If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning).

If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts.

Sign in Settings
Select how users sign in to your workplace.

Options include:

  • Use SAML button on "Sign in" screen
  • Redirect all users to IdP

For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly.

Verifying that single sign-on is set up correctly

Adding a test user to the Igloo application in Okta

  1. In Okta, go to the Igloo application that you created.
  2. Select the Assignments tab.
  3. Select Assign, followed by Assign to People.
  4. In the search box on the assign popup, enter the user's name.
  5. Next to the user that you want to add, select Assign.
  6. When prompted to enter a User Name, leave it unchanged and select Save and Go Back.
  7. Select Done.

Adding the same test user as a member of your digital workplace

  1. Go to your digital workplace and sign in.
  2. Select  Control Panel.
  3. Under Membership, select Manage Members.
  4. Select Add Members.
  5. Add the user as follows:
    • First Name: Enter the first name of the user.
    • Last Name: Enter the last name of the user.
    • Email: Enter the user's email. This email address should match the user's username value in Okta.
    • Password: Enter a password for the user. This password is for Igloo Authentication. You are required to enter a value in this field even if you only intend to sign in. 
    • Confirm Password: Re-enter the user's Igloo Authentication password.
    • System Groups: Do not select any other groups to add the user to.
    • Regular Groups: Do not select any other groups to add the user to.
  6. Select Create Member.

Using the test user to sign in to your workplace with Okta

In a private browser window, go to your digital workplace. Depending on how you have configured SAML, you will either be redirected to your IdP or arrive at the Igloo Authentication page. For the latter case, in the upper right corner of the Sign-in box, select Use: {your connection's name} to go to your IdP.

While on your IdP's sign-in page, enter the credentials of your test user. If everything is configured correctly, you will be redirected back to your digital workplace and be signed in.

Troubleshooting issues

Incorrect IdP Login URL

If you see an Okta "404 Page Not Found" message after being redirected to your IdP, you may have entered an incorrect IdP Login URL on your digital workplace's SAML Configuration page. Confirm that the value you entered in this field matches the IdP Login URL in the Okta application you configured. You can find this value in Okta by selecting View Setup Instructions on the Sign On tab of the application.

Incorrect Login URL 

If after signing in, you are brought back to your digital workplace's domain with an Igloo support code showing, you may have entered the incorrect Login URL for your digital workplace in Okta. Verify that this value is your digital workplace's domain with /saml.digest appended to it. You can configure these values in Okta on the General tab of the application.

Public certificate issues

The following are issues that can occur with the public certificate:

  • Invalid format: On your digital workplace's SAML Configuration page, if you click Save and the page refreshes without your changes being saved, the Public Certificate may have an invalid format.
  • Expired or Mismatched: If after signing in, you are brought back to your digital workplace's sign in page with the message "An error has occurred. Please try again and, if that fails, contact support" the public certificate in Igloo does not match what Okta is expecting.

To resolve these issues, verify that the public certificate in your digital workplace matches that of your Okta application. You can find the current Public Certificate in Okta by selecting View Setup Instructions on the Sign On tab of the application.
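As an added pre-flight check (example code, not Igloo's or Okta's) for the Configuration settings table above and the public certificate issues just described, this Python snippet verifies that a pasted Public Certificate is well-formed PEM and shows how the Email, FName and LName attribute names and the Drift Time window apply to a constructed assertion. It assumes Drift Time is in minutes and omits XML signature verification, which a real service provider must perform.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values as entered on the SAML Configuration page (Drift Time of 5 read as minutes: assumption).
SETTINGS = {"email_attr": "Email", "first_attr": "FName", "last_attr": "LName", "drift_minutes": 5}

# Constructed assertion fragment in the shape the Okta Igloo app is described as sending
# (attributes Email, FName, LName); the XML signature is omitted, so this is not a full validator.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_pem_format(pem):
    """Catch the 'Invalid format' case: PEM markers present and the body decodes as base64."""
    m = re.fullmatch(r"\s*-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----\s*", pem, re.S)
    if not m:
        return False
    try:
        base64.b64decode("".join(m.group(1).split()), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def _ts(value):  # parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_user(assertion_xml, settings, now):
    """Apply the Drift Time window, then map attributes to the fields a new user is created with."""
    now = _ts(now) if isinstance(now, str) else now
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    drift = timedelta(minutes=settings["drift_minutes"])
    if not (_ts(cond.get("NotBefore")) - drift <= now < _ts(cond.get("NotOnOrAfter")) + drift):
        raise ValueError("assertion outside its validity window; check clocks or Drift Time")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    keys = (settings["email_attr"], settings["first_attr"], settings["last_attr"])
    missing = [k for k in keys if k not in attrs]
    if missing:
        raise ValueError(f"attribute(s) {missing} not present; check the attribute names in Okta")
    return {"email": attrs[keys[0]], "first_name": attrs[keys[1]], "last_name": attrs[keys[2]]}
```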

Workplace membership

Not being a member of a digital workplace can result in the following:

  • If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "You do not have sufficient access to this area" and you don't have any navigation options, it's possible that the account you signed in with is not a member of the digital workplace but has been before.
  • If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "The user account was not found. Please contact an administrator", it's possible that you signed in with an account that is not, and has never been, a member of the digital workplace.

In both cases, verify that the email associated with the account you are trying to sign in with is associated with an account in the workplace's member directory.

Not assigned to the application in Okta

If after entering your Okta credentials, you are redirected to an Okta page with the error "Sorry, you can't access { your application name} because you are not assigned this app in Okta", the account must be added to the application in Okta. You can configure who is assigned to the application in Okta on the Assignments tab of the application.

Additional resources