Incoming SAML 2.0 Single Sign-On with Okta

Introduction

The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses configuration of SSO using Okta. For the purposes of this article, the Absorb system will act as the Service Provider (SP). Your Okta account will act as the Identity Provider (IdP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Okta is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your Okta instance. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ Okta.

Note: There is an AbsorbLMS app listed on the Okta Integration Network. This app may work for SSO setup; however, it is not an official Absorb application and is not directly supported by Absorb.


Instructions: Okta Setup

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab."

Step Action Image
1. Log in to your Okta organization as a user with administrative privileges and click on the Admin button. OKTA_SSO_01.png
2. Click Applications. OKTA_SSO_02.png
3. Click Add Application. OKTA_SSO_03.png
4. Click Create New App. OKTA_SSO_04.png
5. Leave the platform as Web and change the Sign on method to SAML 2.0. OKTA_SSO_05.png
6. Give your application a descriptive name and optionally upload a logo, then click Next. OKTA_SSO_06.png
7. Fill in the Single Sign on URL with your Absorb ACS URL (generally speaking, this URL follows the format of https://company.myabsorb.com/api/rest/v2/authentication/saml). OKTA_SSO_07.png
8. Fill in the Audience URI with the Absorb URL you wish to use for SSO (e.g. https://company.myabsorb.com or your custom domain name). OKTA_SSO_07-1.png
9. Set the Application username field to the user profile field that Absorb should match (e.g. Email). This is what Absorb will check to determine if a user exists in the LMS. OKTA_SSO_07-2.png
10. You can map other attributes for account provisioning (also known as just-in-time provisioning), however this is outside the scope of this guide. Click Next.

An example provisioning setup is shown here, however for full details, see our SSO Account Provisioning article at https://support.absorblms.com/hc/en-us/articles/360014083294-Incoming-SAML-2-0-SSO-Account-Provisioning
OKTA_SSO_08.png
11. Select I'm an Okta customer adding an internal app. You may leave the rest of the fields blank, then click Finish. OKTA_SSO_09.png
12. Click the link to download the Identity Provider metadata. OKTA_SSO_10.png
13. Copy the value of the X509Certificate into your text editor of choice. OKTA_SSO_11.png
14. Remove any line breaks and/or white space in the encoded value, then set it aside for a later step. OKTA_SSO_18.png
15. Find the URL listed as the SingleSignOnService Binding HTTP-POST. This is the value you will use as the Login URL if you choose Service Provider Initiated Mode. Okta15.png
16. Click on the General tab. OKTA_SSO_12.png
17. Make note of the Embed Link for use in a later step. OKTA_SSO_13.png
18. Click on the Assignments tab. OKTA_SSO_14.png
19. Click Assign and assign the users or groups who you would like to have access to Absorb via your Okta SSO platform. OKTA_SSO_15.png

 

Instructions: Absorb Setup

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab."

Step Action Image
1. Log in to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature. OKTA_SSO_ABSORB_01.png
2. Click Add at the bottom of the page.
3. Name the connection something descriptive. This name is only visible to admins.

  • Leave the Method as SAML
4. Paste the X509Certificate value you saved above, free of line breaks and white space, into the Key field.
5. Select the Mode you will be using. This will affect which Login URL you enter in Step 7.

We recommend selecting Service Provider Initiated when possible. This has two key benefits:
- LMS deep links will function as expected
- SSO can be used to access the mobile app

6. Set the Id Property to the user profile field in Absorb that your Okta Application username should match (e.g. if you used "Email" in Okta, you should set this to "Email Address").

  • Leave Signature Type as Sha1
7. Enter the Login URL, which will be different depending on which Mode you selected.

  • Service Provider Initiated Mode: Use the URL listed as the SingleSignOnService Binding HTTP-POST from Step 15 above.
  • Identity Provider Initiated Mode: Use the Embed Link from Step 17 above.

8. Automatically Redirect - This setting only displays when Identity Provider Initiated Mode is selected. When turned on, this will redirect all users who navigate directly to the selected Route(s) to the Login URL. If not turned on, users will land on the portal's landing page.
Note: When Service Provider Initiated Mode is selected, this setting is hidden. All unauthenticated users who navigate to the selected Route or Routes will be authenticated through SSO.

9. Assign which routes in your portal you would like to associate with this SSO configuration.

10. Save your configuration. OKTA_SSO_ABSORB_02.png

 

 
