Configure Okta SSO

Overview

Identity providers (IdPs) are used to manage users' digital identities within an organization. Okta is a popular Security Assertion Markup Language (SAML) IdP that provides user authentication services and single sign-on (SSO) to software services like TraceGains.

This article covers the steps needed to configure Okta as an SSO identity provider in TraceGains. When done correctly, users will be able to log in to TraceGains using Okta credentials.

Features

TraceGains supports:

  • Single Sign-On
  • Single Logout
  • JIT provisioning

Configuration Steps

1.   Enable single sign-on using Okta General Settings

The following steps assume you are logged into both a TraceGains admin account and an Okta admin account in separate browser tabs.

Step 1: In your TraceGains site, click the Configuration icon on the top-right.

Step 2: Click Single Sign-On in the left panel, under Access.

Step 3: Click New Custom.

Step 4: Type a description for the IdP, for example: Okta SSO.

Step 5: In your Okta admin account, click Applications.

Step 6: Click Add Application.

Step 7: Click Create App Integration.

Step 8: Select SAML 2.0 in the pop-up menu. Click Next.

Step 9: Type TraceGains into the App name field in General Settings. Click Next.

Step 10: In your TraceGains settings, click the clipboard icon to copy the SSO ACS (Consumer) URL.

Step 11: In Okta, paste the URL in the Single sign on URL field.

Step 12: Paste the same URL in the Audience URI (SP Entity ID) field.

 

2.   SAML Setup

Step 13: In Okta, click View SAML setup instructions on the right of the screen.

This screen provides the certification information needed to configure TraceGains within Okta.

Step 14: In Okta, copy the Login URL/SignOn URL.

Step 15: In TraceGains, click back to the IdP-Initiated SSO tab.

Step 16: Paste the URL in the SSO Endpoint (HTTP) field.

Step 17: In Okta, copy the IDP Issuer/Entity ID URL.

Step 18: In TraceGains, paste the URL in the Issuer ID or URL field.

Configure Okta SSO 2.png

Ensure that the URLs from steps 14-17 are pasted in the correct fields. (See Image)

Step 19: If desired, locate and paste the SLO Endpoint in TraceGains.

Step 20: In Okta, copy the X.509 certificate.

Step 21: In TraceGains, paste the X.509 certificate in the X.509 Certificate (Base-64 encoded) field.

Step 22: Click Save.

Just-In-Time (JIT) Provisioning

Just-in-time (JIT) provisioning is a method of creating user accounts in an application like TraceGains when a user tries to access the application for the first time using Single Sign-On (SSO). Instead of creating new user accounts manually, JIT provisioning creates new user accounts instantly, as needed. While establishing JIT is optional, it does require the preliminary step of configuring the required SCIM attributes in Okta.

Add SCIM Attribute Statements to Okta

This section assumes you have both the Okta configuration and TraceGains SSO Configuration pages open in separate tabs. Refer to the Required SCIM Attributes within the Just-in-Time Provisioning tab in the active TraceGains New Custom Identity Provider settings.

Step 1: Copy attributes from the SCIM Attributes table in TraceGains.

Step 2: Paste the attribute names in the Name column in Okta configuration in the Attribute Statements section.

Step 3: Copy the exact value from the Expected Value column in TraceGains corresponding to the id and externalid attributes and paste those values in the Okta Attribute Statements Value column.

Step 4: In the same section in Okta, map the SCIM attributes to the variables in Okta that hold the user’s email, first name, last name, and user role. Note: the user role name in Okta must match the role name in TraceGains.

Step 5: In Okta, click Next.

Step 6: Click Finish.

JIT provisioning should now be established.
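
A check you can run on a SAML response captured from a test login, added here as an example and not TraceGains or Okta code: it confirms that the Issuer, Audience and attribute names Okta actually sends match what was entered in the steps above. The URLs are constructed placeholders, and every attribute name other than id and externalid is hypothetical; use the names from the Required SCIM Attributes table.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
# Constructed placeholders: substitute the values shown on your own screens.
EXPECTED_ISSUER = "http://www.okta.com/EXAMPLE_ISSUER_ID"   # Okta IDP Issuer
EXPECTED_AUDIENCE = "https://tracegains.example/sso/acs"    # TraceGains SSO ACS URL
# Only id and externalid are named on the page; the other names are hypothetical.
REQUIRED_ATTRS = ["id", "externalid", "email", "firstName", "lastName", "role"]

def sample_assertion(attr_names, audience=EXPECTED_AUDIENCE):
    """Build a constructed, unsigned assertion for offline testing."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>v-{n}'
        f"</saml:AttributeValue></saml:Attribute>" for n in attr_names)
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f"<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}"
        f"</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        f"</saml:Assertion>")

def check_assertion(xml_text, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE,
                    required=REQUIRED_ATTRS):
    """Return a list of configuration problems; an empty list means consistent.
    Configuration check only: it does not verify the XML signature, so never
    use it to decide whether to trust an assertion."""
    root = ET.fromstring(xml_text)  # parse only responses you captured yourself
    node = root if root.tag == ASSERTION_TAG else root.find(".//saml:Assertion", NS)
    if node is None:
        return ["no plaintext Assertion found (encrypted or malformed response)"]
    problems = []
    got_issuer = (node.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if got_issuer != issuer:
        problems.append(f"issuer mismatch: {got_issuer!r}")
    audiences = [(a.text or "").strip() for a in node.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"audience mismatch: {audiences!r}")
    sent = {}
    for attr in node.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        sent[attr.get("Name")] = [v for v in vals if v]
    for name in required:  # exact match, including letter case
        if name not in sent:
            problems.append(f"missing attribute: {name}")
        elif not sent[name]:
            problems.append(f"empty attribute: {name}")
    return problems
```

Call check_assertion() with the decoded XML of a response captured during a test login; an attribute typed as externalId instead of externalid is reported as missing.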

Further reading

For information about custom IdP configurations, refer to this article.
