SAML Setting up OKTA as an Identity Provider
Who is this article for? Client Administrators looking to learn more about OKTA as an identity provider.
Administrator permissions are required.
In this article, we walk through configuring OKTA as an Identity Provider using the Security Assertion Markup Language (SAML). The step-by-step instructions cover both sides of the setup (Ideagen Workplace Training and OKTA) so that users can sign in to the application through OKTA.
Note: For OKTA's own documentation on this subject, visit: Build a Single Sign-On (SSO) integration | Okta Developer
1. Setting up OKTA as an Identity Provider
1.1 Within Ideagen Workplace Training
Important: All operations below require Client Administrator permissions.
- Select Management System.
- Select Company from the left hand navigation menu.
- Select the Security panel.
- Under SAML Single Sign-on Status, select On and click Save Changes.
- Select Generate SAML Metadata and save to a location on your computer.
Note: This is an .xml file you will need in a later step (by default this is named WORKRITE_METADATA.xml).
1.2 Within OKTA
- Create new application.
- Select Web as the platform, and SAML 2.0 as the Sign on method.
- Click Create to proceed to Configure SAML.
- Open the metadata xml file downloaded in the earlier step (by default this is named WORKRITE_METADATA.xml).
- Populate Single Sign On URL with the Location value of the AssertionConsumerService element.
- Populate the Audience URI (SP Entity ID) with the entityID value of the EntityDescriptor element.
- Select Email Address as the Name ID Format.
- Select OKTA Username as the Application Username.
- Click Show Advanced Settings.
- Change the option for Assertion Signature to Unsigned.
- The highlighted areas of the form are shown below with the correct values.
- Click Next at the bottom of the form to proceed.
- Click Finish on the next page to return to the application settings page.
- Click View Setup Instructions. This will open a new window.
- Copy the Identity Provider Single Sign-On URL.
- Paste it into the Ideagen Workplace Training security panel field Identity Provider URL (For SP-Initiated Redirect) and click Save Changes.
- Back in OKTA, copy the X509 Certificate, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
- In the security panel, click the Update Your X509 Certificate button, paste the certificate into the text field that appears, and click Save Changes.
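The two values copied out of the metadata file (the AssertionConsumerService Location and the EntityDescriptor entityID) and the certificate pasted in the last step are the parts of this procedure where a transcription mistake is easy to make and hard to spot. The helper below is an added example, not code from Ideagen or Okta: it reads an SP metadata file in the shape described above and returns the two values Okta's Configure SAML form asks for, and it checks that a pasted certificate is one complete PEM block (five-dash BEGIN/END lines, valid base64, DER SEQUENCE inside), which is what the SP needs to verify OKTA's signatures. The metadata text is a constructed sample; the hostnames in it are placeholders, not Ideagen's real URLs.

```python
"""Extract Okta's SAML form values from SP metadata and sanity-check a
pasted X509 certificate. Added example, not Ideagen's or Okta's code."""
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for WORKRITE_METADATA.xml; the URLs are
# placeholders, not the product's real endpoints.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://training.example.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://training.example.com/saml/acs"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://training.example.com/saml/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_values_from_sp_metadata(xml_text):
    """Return the Audience URI (SP Entity ID) and Single Sign On URL that
    the Configure SAML form needs, taken from an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")

    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    # Okta posts the SAML Response, so only the HTTP-POST endpoint is usable.
    post_acs = [e for e in acs if e.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    # Prefer the endpoint flagged isDefault, otherwise the lowest index.
    default = [e for e in post_acs if e.get("isDefault") == "true"]
    chosen = default[0] if default else min(
        post_acs, key=lambda e: int(e.get("index", "0")))
    return {"audience_uri": entity_id, "single_sign_on_url": chosen.get("Location")}


# One PEM certificate block: exactly five dashes on each marker line.
PEM_CERT_RE = re.compile(
    r"^-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+)-----END CERTIFICATE-----\n?$"
)


def check_pem_certificate(pem_text):
    """True when the pasted text is one complete PEM certificate: correct
    BEGIN/END lines, valid base64, and a DER SEQUENCE (tag 0x30) inside.
    Catches the common copy mistakes: markers missing or mangled, or a
    bare base64 body pasted without its BEGIN/END lines."""
    m = PEM_CERT_RE.match(pem_text.strip() + "\n")
    if not m:
        return False
    body = m.group(1).replace("\n", "")
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return False
    return len(der) > 0 and der[0] == 0x30


if __name__ == "__main__":
    print(okta_values_from_sp_metadata(SAMPLE_SP_METADATA))
```

To run it against a real download, replace SAMPLE_SP_METADATA with the contents of WORKRITE_METADATA.xml; the returned dictionary holds the two strings to paste into OKTA, and check_pem_certificate can be run over the clipboard text before it goes into the Update Your X509 Certificate field.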
2. Considerations
- Users must be assigned to the application to enable their sign-in capability.
- Users can sign in either from the IdP URL provided by Okta or from the SP URL provided by Ideagen Workplace Training.
- To access the application, a user must be registered in Ideagen Workplace Training with a corresponding Okta username.
3. Customising login link
- Ideagen Workplace Training's automatic emails, including reminders and scheduled notifications, always contain a default login button/link.
- By default, this link directs users to the standard login page.
- There is an option to customise this link so that it directs users to log in via OKTA's Single Sign-On (SSO) instead.
- To make this change, update the corresponding field in the email settings with the OKTA SSO login link.
- Once changed, users who click the login button in emails from Ideagen Workplace Training are directed to log in via OKTA.
- To undo this change, navigate to the management system, select Company, and then Email settings.