Set up SSO with Okta

This topic walks you through how to set up Single Sign-On (SSO) between the Alida platform and Okta.

Note:
  • In some cases, users may be prevented from signing in with their email and password. This occurs if the feature "SAML authentication" is enabled on your application instance, and it only affects new users created after the feature was enabled.

    If "SAML authentication" is enabled a flag is displayed at the top of the SSO Settings page.

    You can view the affected users by selecting Product Settings > Manage Users in the navigation bar. The SSO column displays a flag for users that are restricted to SAML SSO login.

    If the SSO column is not included in the Manage Users table, no users are affected.

  • To set up auto-provisioning using a System for Cross-Domain Identity Management (SCIM), please contact Alida Technical Support or your Customer Success Manager.

Create an Okta application

In this part of the workflow, you are creating the application tile that SSO users will click to access the Alida platform.

  1. Log in to Okta.
  2. Select Applications > Applications.
  3. Click Create App Integration.
  4. Select SAML 2.0, then click Next.
  5. Enter a name for the application (for example, Alida), which will be the label on the SSO tile, then click Next.
  6. Under Single sign-on URL and Audience URI (SP Entity ID), enter any initial value (for example, http://tbd.com and tbd), then click Next.
  7. Select This is an internal app that we have created, then click Finish.

Start your Okta application configuration

After you create the application tile, you need to copy specific configuration values. You'll enter these values into Alida's SSO Setup page later.

  1. Select Applications > Applications.
  2. Open your application (for example, Alida).
  3. From the Sign On tab, click View SAML setup instructions.
  4. Copy the Identity Provider Issuer and store it for later use.
  5. Copy the X.509 Certificate and store it for later use.

    Click the screenshot below to view a larger version.

Install Okta SSO on a community

Enter the Okta configuration values into Alida's SSO Setup page.

  1. Sign in to the Alida platform and switch to the desired community.
  2. Ensure that there's a user who matches the email of a potential SSO user (for example, bob.smith@example.com).

    This user must be part of the domain you added. This user must also be a user in the Alida community.

    For more information about adding new users to a community, see Add a user.

  3. Open Product Settings > SSO > Setup.
  4. In the Identity Provider drop-down list, select Okta.
  5. Under Identity Provider Issuer, enter the Identity Provider Issuer you copied earlier.
  6. Under X.509 Certificate, enter the X.509 certificate you copied earlier.
  7. Under Unique ID claim, enter userId.
  8. Under Email claim, enter email.
  9. Click Save.
  10. Copy the Single Sign-On URL and store it for later use.
  11. Copy the Audience Entity ID and store it for later use.

    Click the screenshot below to view a larger version.

Add and verify a domain

Add the registered domain that your company owns and that you use for employees' email addresses.

  1. Open Product Settings > SSO > Domains.
  2. In the Add new domain field, type the domain value, select the Type (CNAME or TXT), and click Add Domain.
    For example, if a potential SSO user's email is bob.smith@example.com, you'd type example.com.
  3. From that domain's action menu, select Verify.
    Result:

    The domain's status changes to Verified.

  4. Keep the browser tab that has the Alida Domains page open. Open a new browser tab to access your DNS server.
  5. Add the Prefix Key, Target Key, and TXT Lookup Key values from the Domains page to your DNS server.
    • Add the Prefix Key and Target Key values as CNAME type.
    • Add the TXT Lookup Key as TXT type.
    • Append the domain to the end of the value strings.
    Example

  6. On the Alida Domains page, click Apply.
    Result: The domain status changes from Verified to Active.

Complete your Okta application configuration

  1. Log in to Okta.
  2. Select Applications > Applications.
  3. Open your application (for example, Alida).
  4. From the General tab, click SAML Settings > Edit.
  5. Click Next.
  6. Under Single sign-on URL, enter the Single Sign-On URL you copied earlier.
  7. Under Audience URI (SP Entity ID), enter the Audience Entity ID you copied earlier.
  8. Under Attribute Statements, add the following two attributes:
    • userId with value user.id
    • email with value user.email
  9. Click Next, then Finish.

Add a user to the Okta application

In order for SSO to work, the same user must exist in Okta (with the Alida application associated to that user) and in the Alida platform.

  1. Do one of the following:
    • Find and click the user you want to add (for example, bob.smith@example.com).
    • Add a new user.
      1. Select Directory > People.
      2. Click Add person.
      3. Enter:
        • First name: Any string.
        • Last name: Any string.
        • Primary email: A brand new email with the domain you added earlier.
        • Username: Any string, but copying Primary email is recommended for uniqueness.
      4. Click Save.
      5. Refresh the page.
      6. Click the user you added.
  2. Click Assign Applications.
  3. Click Assign next to your application.
  4. Click Save and Go Back, then Done.

Verify SSO login

  1. Ask the user you added (for example, bob.smith@example.com) to log in to Okta using their credentials.
  2. The user clicks Okta apps > My end user dashboard.
  3. The user clicks the application's tile (for example, Alida).
    Result: The community opens or they are able to switch to it.