Incoming SAML 2.0 Single Sign-On with Okta

Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Okta is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your Okta instance. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ Okta.

The main purpose of establishing a Single Sign-On (SSO) process with Absorb is to allow your Users a single point of entry into your system while providing them access to multiple other independent systems. With this process a User logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses configuration of SSO using Okta. For the purposes of this article the Absorb system will act as the Service Provider (SP). Your Okta account will act as the Identity Provider (IdP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Instructions: Okta Setup

1. Log in to your Okta organization as a User with administrative privileges and click on the Admin button.
   
   
2. Click Applications.
   
   
3. Click Add Application.
   
   
4. Click Create New App.
   
   
5. Leave the platform as Web and change the Sign on method to SAML 2.0.
   
   
6. Give your application a descriptive name and optionally upload a logo, then click Next.
   
   
7. Fill in the Single Sign-on URL with your Absorb ACS URL (generally speaking, this URL follows the format of https://company.myabsorb.com/api/rest/v2/authentication/saml).
   
   
8. Fill in the Audience URI with the Absorb URL you wish to use for SSO (e.g. https://company.myabsorb.com or your custom domain name).
   
   
9. Set the Application username field to the user profile field that Absorb should match (e.g. Email). This is what Absorb will check to determine if a User exists in the LMS.
   
   
10. You can map other attributes for account provisioning (also known as just-in-time provisioning), however, this is outside the scope of this guide. Click Next.
    
    An example provisioning setup is shown here, however for full details, see our SSO Account Provisioning article here.
    
    
11. Select I'm an Okta customer adding an internal app. You may leave the rest of the fields blank, then click Finish.
    
    
12. Click the link to download the Identity Provider metadata.
    
    
13. Copy the value of the X509Certificate into your text editor of choice.
    
    
14. Remove any line breaks and/or white space in the encoded value, then set it aside for a later step.
    
    
15. Find the URL listed as the SingleSignOnService Binding HTTP-POST. This is the value you will use as the login URL if you choose Service Provider Initiated Mode.
    
    
16. Click on the General tab.
    
    
17. Make note of the Embed Link for use in a later step
    
    
18. Click on the Assignments tab.
    
    
19. Click Assign and assign the Users or Groups who you would like to have access to Absorb via your Okta SSO platform.
    
    

Instructions: Absorb Setup

1. Login to the Absorb Admin Experience as a System Admin and navigate to Portal Settings.
2. From Portal Settings, there is a button in the right-side menu labelled Manage SSO Settings.
   If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.
   
   
3. Click Add at the bottom of the page.

4. Name the connection something descriptive. This name is only visible to Admins.

   • Leave the Method as SAML
5. Paste the line break, white space-free X509Certificate you saved above into the Key field.

6. Select the Mode you will be using. This will affect which Login URL you enter in Step 6.We recommend selecting Service Provider Initiated when possible. This has two key benefits:

   • LMS deep links will function as expected

   • SSO can be used to access the mobile app

7. Set the Id Property to the user profile field in Absorb that your Okta Application username should match (e.g. if you used "Email" in Okta, you should set this to "Email Address").

   • Leave Signature Type as Sha1

8. Enter the Login URL, which will be different depending on which mode you selected.

   • Service Provider Initiated Mode: Use the URL listed as the SingleSignOnService Binding HTTP-POST from Step 15 above.
   • Identity Provider Initiated Mode: Use the Embed Link from Step 17 above.
9. Automatically Redirect: This setting only displays when Identity Provider Initiated Mode is selected. When turned on, this will redirect all Users who navigate directly to the selected Route(s) to the Login URL. If not turned on, Users will land on the Portal's landing page.
10. Assign which Routes in your Portal you would like to associate with this SSO configuration.
11. Save your configuration.