Incoming SAML 2.0 Single Sign-On with Okta

Follow

Introduction

The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses configuration of SSO using Okta. For the purposes of this article the Absorb system will act as the Service provider (SP). Your Okta account will act as the Identity Provider (IdP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Okta is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your Okta instance. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ Okta.

Note: There is an AbsorbLMS app listed on the Okta Integration Network. This app may work for SSO setup, however, is not an official Absorb application and is not directly supported by Absorb.

Table of Contents


Instructions: Okta Setup

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab."

Step Action Image
1. Log in to your Okta organization as a user with administrative privileges and click on the Admin button. OKTA_SSO_01.png
2. Click Applications. OKTA_SSO_02.png
3. Click Add Application. OKTA_SSO_03.png
4. Click Create New App. OKTA_SSO_04.png
5. Leave the platform as Web and change the Sign on method to SAML 2.0. OKTA_SSO_05.png
6. Give your application a descriptive name and optionally upload a logo, then click Next. OKTA_SSO_06.png
7. Fill in the Single Sign on URL with your Absorb ACS URL (generally speaking, this URL follows the format of https://company.myabsorb.com/api/rest/v2/authentication/saml). OKTA_SSO_07.png
8. Fill in the Audience URI with the Absorb URL you wish to use for SSO (e.g. https://company.myabsorb.com or your custom domain name). OKTA_SSO_07-1.png
9. Set the Application username field to the user profile field that Absorb should match (e.g. Email). This is what Absorb will check to determine if a user exists in the LMS. OKTA_SSO_07-2.png
10. You can map other attributes for account provisioning (also known as just-in-time provisioning), however this is outside the scope of this guide. Click Next.

An example provisioning setup is shown here, however for full details, see our SSO Account Provisioning article at https://support.absorblms.com/hc/en-us/articles/360014083294-Incoming-SAML-2-0-SSO-Account-Provisioning
OKTA_SSO_08.png
11. Select I'm an Okta customer adding an internal app. You may leave the rest of the fields blank, then click Finish. OKTA_SSO_09.png
12. Click the link to download the Identity Provider metadata. OKTA_SSO_10.png
13. Copy the value of the X509Certificate into your text editor of choice. OKTA_SSO_11.png
14. Remove any line breaks and/or white space in the encoded value, then set it aside for a later step OKTA_SSO_18.png
15. Click on the General tab. OKTA_SSO_12.png
16. Make note of the Embed Link for use in a later step OKTA_SSO_13.png
17. Click on the Assignments tab. OKTA_SSO_14.png
18. Click Assign and assign the users or groups who you would like to have access to Absorb via your Okta SSO platform. OKTA_SSO_15.png

 

Instructions: Absorb Setup

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab.

Step Action Image
1. Login to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature. OKTA_SSO_ABSORB_01.png
2. Click Add at the bottom of the page.
3.

Name the connection something descriptive. This name is only visible to admins.

  • Leave the Method as SAML
4. Paste the line break, white space-free X509Certificate you saved above into the Key field.
5.

Set the Id Property to the user profile field in Absorb that your Okta Application username should match (e.g. if you used "Email" in Okta, you should set this to "Email Address").

  • Leave Signature Type as Sha1
6. Set the Login URL to the Embed Link you saved above.
7. Set Automatically Redirect as desired.
  • If enabled, unauthenticated users will be redirected to the Okta login screen as soon as they land on your Absorb URL.
  • If disabled, unauthenticated users will see your public dashboard.

8.

 

Assign which routes in your portal you would like to associate with this SSO configuration.
9. Save your configuration. OKTA_SSO_ABSORB_02.png

 

 

Published on
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.