Incoming SAML 2.0 Single Sign-On with Okta

Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Okta is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your Okta instance. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ Okta.

The main purpose of establishing a Single Sign-On (SSO) process with Absorb is to allow your Users a single point of entry into your system while providing them access to multiple other independent systems. With this process a User logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses configuration of SSO using Okta. For the purposes of this article the Absorb system will act as the Service Provider (SP). Your Okta account will act as the Identity Provider (IdP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Okta Application Note

There is an Absorb LMS app listed on the Okta Integration Network. This app may work for SSO setup, however, is not an official Absorb application and is not directly supported by Absorb.


Instructions: Okta Setup

Image Zoom

To enlarge thumbnail images, either hover over the image to zoom in, or right-click on a picture and select "Open image in new tab."

  1. Log in to your Okta organization as a User with administrative privileges and click on the Admin button.
    OKTA_SSO_01.png
  2. Click Applications.
    OKTA_SSO_02.png
  3. Click Add Application.
    OKTA_SSO_03.png
  4. Click Create New App.
    OKTA_SSO_04.png
  5. Leave the platform as Web and change the Sign on method to SAML 2.0.
    OKTA_SSO_05.png
  6. Give your application a descriptive name and optionally upload a logo, then click Next.
    OKTA_SSO_06.png
  7. Fill in the Single Sign-on URL with your Absorb ACS URL (generally speaking, this URL follows the format of https://company.myabsorb.com/api/rest/v2/authentication/saml).
    OKTA_SSO_07.png
  8. Fill in the Audience URI with the Absorb URL you wish to use for SSO (e.g. https://company.myabsorb.com or your custom domain name).
    OKTA_SSO_07-1.png
  9. Set the Application username field to the user profile field that Absorb should match (e.g. Email). This is what Absorb will check to determine if a User exists in the LMS.
    OKTA_SSO_07-2.png
  10. You can map other attributes for account provisioning (also known as just-in-time provisioning), however, this is outside the scope of this guide. Click Next.

    An example provisioning setup is shown here, however for full details, see our SSO Account Provisioning article here.
    OKTA_SSO_08.png
  11. Select I'm an Okta customer adding an internal app. You may leave the rest of the fields blank, then click Finish.
    OKTA_SSO_09.png
  12. Click the link to download the Identity Provider metadata.
    OKTA_SSO_10.png
  13. Copy the value of the X509Certificate into your text editor of choice.
    OKTA_SSO_11.png
  14. Remove any line breaks and/or white space in the encoded value, then set it aside for a later step.
    OKTA_SSO_18.png
  15. Find the URL listed as the SingleSignOnService Binding HTTP-POST. This is the value you will use as the login URL if you choose Service Provider Initiated Mode.
    Okta15.png
  16. Click on the General tab.
    OKTA_SSO_12.png
  17. Make note of the Embed Link for use in a later step
    OKTA_SSO_13.png
  18. Click on the Assignments tab.
    OKTA_SSO_14.png
  19. Click Assign and assign the Users or Groups who you would like to have access to Absorb via your Okta SSO platform.
    OKTA_SSO_15.png

Instructions: Absorb Setup

Image Zoom

To enlarge thumbnail images, either hover over the image to zoom in, or right-click on a picture and select "Open image in new tab."

  1. Login to the Absorb Admin Experience as a System Admin and navigate to Portal Settings.
  2. From Portal Settings, there is a button in the right-side menu labelled Manage SSO Settings.
    If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.
    OKTA_SSO_ABSORB_01.png
  3. Click Add at the bottom of the page.
  4. Name the connection something descriptive. This name is only visible to Admins.

    • Leave the Method as SAML
  5. Paste the line break, white space-free X509Certificate you saved above into the Key field.
  6. Select the Mode you will be using. This will affect which Login URL you enter in Step 6.We recommend selecting Service Provider Initiated when possible. This has two key benefits:

    • LMS deep links will function as expected
    • SSO can be used to access the mobile app

  7. Set the Id Property to the user profile field in Absorb that your Okta Application username should match (e.g. if you used "Email" in Okta, you should set this to "Email Address").

    • Leave Signature Type as Sha1
  8. Enter the Login URL, which will be different depending on which mode you selected.

    • Service Provider Initiated Mode: Use the URL listed as the SingleSignOnService Binding HTTP-POST from Step 15 above.
    • Identity Provider Initiated Mode: Use the Embed Link from Step 17 above.
  9. Automatically Redirect: This setting only displays when Identity Provider Initiated Mode is selected. When turned on, this will redirect all Users who navigate directly to the selected Route(s) to the Login URL. If not turned on, Users will land on the Portal's landing page.
  10. Assign which Routes in your Portal you would like to associate with this SSO configuration.
  11. Save your configuration.
    OKTA_SSO_ABSORB_02.png

 

Service Provider Initiated Note

When Service Provider Initiated Mode is selected, the Automatically Redirect setting is hidden. All unauthenticated users who navigate to the selected Route or Routes will be authenticated through SSO.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.