Preface
This document describes the baseline configuration needed to set up an integration between our Identity and Access Management system (IAM) and your Identity Provider (Okta).
Prerequisites
- PSP Owner - enable accounts.sso_enabled
- Account Owner - authorize user invitation / user-account creation; test SSO once configured
- IT representative - configure SSO
- Information exchange - forms with OIDC or SAML configuration values exchanged
Okta configuration
The following details pertain to our Production environment; a representative from Core Strengths will need to enable the feature within your platform account.
On the Okta Admin portal, choose Applications.
At the top of the page, choose Create App Integration
Select SAML 2.0
General Settings
Fill out the General Settings as you require:
- App Name: Core Strengths
- App logo: provided via our design team
Click Next.
Configure SAML
- Single sign-on URL: https://core-cloud-prod.cognito.corestrengths.com/saml2/idpresponse
  Make sure "Use this for Recipient URL and Destination URL" is checked.
- Audience URI (SP Entity ID): urn:amazon:cognito:sp:us-east-1_lEQznSWeV
- Name ID Format: Unspecified
- Application username: Email
- Attribute Statements:
  - Email
    Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Value: user.email
  - Family Name
    Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/family_name
    Value: user.lastName
  - Given Name
    Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name
    Value: user.firstName
The MetadataURI will be required in the next steps. You can find this value under Active SAML Signing Certificates: open the Actions menu for the active signing certificate and click View IdP metadata. This opens a new tab with a URL in the address bar; copy this URL.
Core Strengths Platform configuration
Configuration within Core Strengths Account Settings (the SSO Enabled feature flag will need to be set to true upon engagement):
https://app.corestrengths.com/%7BaccountID%7D/account/settings
- Click SSO Enabled.
- Add the email domains used within SSO workflows (comma separated) to the Email Identifiers input, e.g.:
  yourdomain.com,your.otherdomain.com
- For the email attribute mapping, add:
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Fill in MetadataURI with your Issuer URL, similar to:
  https://CUSTOM_DOMAIN.okta.com/app/REDACTED_ID/sso/saml/metadata
- Optionally enable Single Sign-out workflows (SSOut). This allows session termination (logout) to call the IdP: when a user logs off the Core Strengths Platform, the platform will request a best-effort "sign out of all applications" from your IdP.
- Click Save.
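As an added example (not part of this guide or the Core Strengths platform), the Python script below checks a SAML response against the values configured above while testing SSO: the Cognito ACS URL as Destination and Recipient, the SP Entity ID as Audience, the three attribute statements by their claim names, and the email attribute's domain against the comma-separated Email Identifiers list. The sample response is constructed here and unsigned; signature verification is left to Cognito.

```python
import xml.etree.ElementTree as ET

# Values from the Okta "Configure SAML" step of this guide
ACS_URL = "https://core-cloud-prod.cognito.corestrengths.com/saml2/idpresponse"
SP_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_lEQznSWeV"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRS = {CLAIMS + "emailaddress", CLAIMS + "family_name", CLAIMS + "given_name"}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_response(xml_text, email_identifiers):
    # Returns a list of findings; an empty list means the response matches the configuration above.
    # Signature verification is not done here: Cognito checks it against the IdP metadata certificate.
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        findings.append("Destination is not the Cognito ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element"]
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        findings.append(f"Audience {audience!r} != SP Entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        findings.append("Recipient is not the Cognito ACS URL")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for name in sorted(REQUIRED_ATTRS - set(attrs)):
        findings.append(f"missing attribute {name}")
    # The Email Identifiers field is a comma-separated domain list (see the step above)
    allowed = {d.strip().lower() for d in email_identifiers.split(",") if d.strip()}
    domain = (attrs.get(CLAIMS + "emailaddress") or "").rpartition("@")[2].lower()
    if domain not in allowed:
        findings.append(f"email domain {domain!r} not in Email Identifiers")
    return findings

# Constructed, unsigned sample shaped like the response Okta would send for the app above
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{ACS_URL}">
<saml:Assertion><saml:Subject><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jane@yourdomain.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="{CLAIMS}family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="{CLAIMS}given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "yourdomain.com,your.otherdomain.com"))  # []
```

To use it on a real test login, paste the base64-decoded SAMLResponse captured from your browser's SAML tracer in place of SAMPLE and pass the exact Email Identifiers string entered in Account Settings.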
Once a Core Strengths Platform account has been configured for SSO, people can navigate to the login page directly without first going to the platform. The Login URL will be very similar to the following (replacing the identity_provider value with the one provided to you by Core Strengths):
This Hosted SSO Link (example above), specific to your organization, can be found on the Account → Settings page, under the SSO section. See below for an in-page location hint.