Okta SSO Configuration

Preface

This document describes the baseline configuration for integrating our Identity and Access Management (IAM) system with your identity provider (Okta). Note: Okta SSO is not supported for the SDI RQ Zoom app.

Prerequisites

A Crucial Learning operator has enabled SSO for the account
Account Owner - authorizes user invitations / user-account creation; tests SSO once it is configured
IT representative - configures SSO in Okta and in SDI Platform Account Settings
Information exchange - forms carrying the OIDC or SAML configuration values are exchanged

Okta configuration

The following details pertain to our Production environment; a representative from Crucial Learning will need to enable the feature within your platform account.

  1. On the Okta Admin portal, choose Applications.

  2. At the top of the page, choose Create App Integration.

  3. Select SAML 2.0.

General Settings

  1. Fill out the General Settings as you require

    1. App Name: Core Strengths

    2. App logo: Provided via our design team

  2. Click Next

Configure SAML

  1. Single sign-on URL: https://core-cloud-prod.cognito.corestrengths.com/saml2/idpresponse

    1. Make sure "Use this for Recipient URL and Destination URL" is checked, so that the Recipient and Destination values Okta writes into the response match the URL the service provider expects.

  2. Audience URI (SP Entity ID): urn:amazon:cognito:sp:us-east-1_lEQznSWeV (enter this value exactly; the suffix is the Cognito user pool ID)

  3. Name ID Format: Unspecified

  4. Application username: Email

Attribute Statements:

  1. Email

    1. Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    2. Value: user.email

  2. Family Name

    1. Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/family_name

    2. Value: user.lastName

  3. Given Name

    1. Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name

    2. Value: user.firstName

 

The IdP metadata URL (MetadataURI) will be required for the next steps. You can find it under the application's SAML Signing Certificates section.

  1. Open the Actions menu for the active signing certificate and click View IdP metadata. This opens a new tab showing the metadata XML; copy the URL from the address bar.

SDI Platform configuration

Configuration within SDI Platform Account Settings (the SSO Enabled feature flag must be set to true by Crucial Learning at the start of the engagement):

https://app.corestrengths.com/{accountID}/account/settings

  1. Click SSO Enabled

  2. Add the email domains used within SSO workflows (comma separated) to the Email Identifiers input

    1. e.g. yourdomain.com,your.otherdomain.com

  3. For the email attribute mapping, add http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (this must match the Name of the Email attribute statement in Okta exactly, including case)

  4. Fill in MetadataURI with the IdP metadata URL copied from Okta, which looks similar to:

    1. https://CUSTOM_DOMAIN.okta.com/app/REDACTED_ID/sso/saml/metadata

  5. Optionally enable Single Sign-out workflows (SSOut)

    1. This allows session termination (logout) to call your IdP. When a user logs off of SDI Platform, the platform will send a best-effort "sign out of all applications" request to your IdP. Because it is best-effort, confirm during testing that the Okta session is actually ended.

  6. Now click Save
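The added example below (not Okta, Cognito or Crucial Learning code) shows what the service-provider side checks once the Okta and SDI Platform settings above are in place: it builds a constructed Okta-style SAML response carrying the three attribute statements configured earlier and verifies Destination and Recipient against the Single sign-on URL, the Audience against the SP Entity ID, the presence of the exact attribute names, and that the e-mail domain is one of the comma-separated Email Identifiers. Signature and validity-window checks, which a real SP performs before anything else, are deliberately left out and noted as such in the code.

```python
"""Check a SAML response against the SP-side values configured on this page.

Added example, not code from Okta, AWS Cognito or Crucial Learning.  The response
built by sample_response() is constructed (placeholder IDs, no signature).  A real
SP verifies the XML signature against the IdP signing certificate and enforces the
NotBefore/NotOnOrAfter window before any of the checks below; this script does
neither, so its verdict is only a configuration check.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the Configure SAML and SDI Platform configuration steps above.
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_lEQznSWeV"
EXPECTED_ACS_URL = "https://core-cloud-prod.cognito.corestrengths.com/saml2/idpresponse"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
FAMILY_NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/family_name"
GIVEN_NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name"
EMAIL_IDENTIFIERS = "yourdomain.com,your.otherdomain.com"  # the Email Identifiers input


def sample_response(email="jane.doe@yourdomain.com", audience=EXPECTED_AUDIENCE,
                    destination=EXPECTED_ACS_URL) -> str:
    """Constructed Okta-style response; the parameters let each check be exercised."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER0000</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exkPLACEHOLDER0000</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{FAMILY_NAME_CLAIM}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{GIVEN_NAME_CLAIM}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_email_identifiers(value: str) -> set:
    """Split the comma-separated Email Identifiers setting into a set of lower-case domains."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def email_domain_allowed(email: str, allowed: set) -> bool:
    """Exact match on the part after the single '@'; no suffix or substring matching."""
    if email.count("@") != 1:
        return False
    return email.rsplit("@", 1)[1].lower() in allowed


def check_response(xml_text: str, allowed_domains: set) -> list:
    """Return the problems an SP would reject on; an empty list means the response matches the config."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != EXPECTED_ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} != Single sign-on URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_ACS_URL:
        problems.append("Recipient != Single sign-on URL (check 'Use this for Recipient URL and Destination URL')")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not contain the SP Entity ID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for name in (EMAIL_CLAIM, FAMILY_NAME_CLAIM, GIVEN_NAME_CLAIM):
        if name not in attrs:  # attribute names are compared exactly, including case
            problems.append(f"missing attribute statement {name}")
    email = (attrs.get(EMAIL_CLAIM) or [""])[0] or ""
    if not email_domain_allowed(email, allowed_domains):
        problems.append(f"email {email!r} is not in the configured Email Identifiers domains")
    return problems


if __name__ == "__main__":
    allowed = parse_email_identifiers(EMAIL_IDENTIFIERS)
    print("ok response:", check_response(sample_response(), allowed))
    print("wrong domain:", check_response(sample_response(email="mallory@attacker.net"), allowed))
```

Two points to carry over to a real deployment: the attributes of an unsigned assertion are attacker-controlled, so nothing in the AttributeStatement may be trusted until the signature has been verified; and the domain comparison is an exact match on the text after the only "@", which is why mallory@evil-yourdomain.com and mallory@yourdomain.com.attacker.net are both rejected while Bob@YOUR.OTHERDOMAIN.com is accepted.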

 

Once an SDI Platform account has been configured for SSO, people can navigate to the login page directly without first going to the platform. The Login URL will be very similar to the following, with the identity_provider value replaced by the one provided to you by Crucial Learning:

This Hosted SSO Link (example above), specific to your organization, can be found on the Account Settings page under the SSO section. See below for an in-page location hint.