Configure SSO with Okta

You can configure SSO with Okta to allow users to sign in to the digital workplace using Okta SSO credentials. When set up, users without an active workplace session will be redirected to the configured Okta SSO app's sign-in page to authenticate. However, users can still access the Igloo Authentication Login page by navigating to the URL of the digital workplace with /login appended to it. For example:

https://solutionsinc.igloo.igloodigitalworkplace.com/login

Considerations

  • Identity Provider-Initiated SSO: Igloo Flex's SSO only supports Service Provider-Initiated SSO, i.e., requests coming directly from the Igloo Flex digital workplace. Identity Provider-Initiated SSO is not supported. 

Who can do this?

  • Workplace administrators

Create your workplace's Assertion Consumer Service URL (ACS URL)

The ACS URL is the URL endpoint of your digital workplace that parses SAML assertions. This value is required when configuring an identity provider (IdP). The URL must be updated with the WorkplaceId and TenantId from your digital workplace to function correctly. 

https://apis.flex-live.net/flex/api/SamlAssertion?WorkplaceId=<GUID for the Workplace>&TenantId=<GUID for the Tenant>

To find your digital workplace's WorkplaceId and TenantId:

  1. Go to the home page of your digital workplace.
  2. Use your browser to view the page source (Ctrl+U / Command+Option+U).  
  3. While viewing the page source, search the page (Ctrl+F / Command+F) for WorkplaceId and copy its value down. 
  4. While still viewing the page source, search the page (Ctrl+F / Command+F) for TenantId and copy its value down. 

Insert the values you recorded into the above ACS URL to create your digital workplace's ACS URL. The resulting URL should look similar to this:

https://apis.flex-live.net/flex/api/SamlAssertion?WorkplaceId=0bf875d4-92f9-4b97-a81&TenantId=b23316cb-710e-4e65-a7e5-b626341525e0
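The following is an added example, not Igloo's own code, that automates the steps above: it pulls WorkplaceId and TenantId out of a page-source excerpt (the excerpt is constructed for the example), rejects truncated or malformed GUIDs, builds the ACS URL, and checks a Single Sign-on URL entered in Okta against it, which is the mismatch behind the "Signature is invalid" error described under Troubleshooting.

```python
import re
import uuid
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed page-source excerpt for this example; a real workplace home page
# embeds WorkplaceId and TenantId somewhere in its HTML/JavaScript.
SAMPLE_PAGE_SOURCE = """
<script>
  window.workplace = {
    "WorkplaceId": "0bf875d4-92f9-4b97-a810-5f4e2c7d9a11",
    "TenantId": "b23316cb-710e-4e65-a7e5-b626341525e0"
  };
</script>
"""

ACS_BASE = "https://apis.flex-live.net/flex/api/SamlAssertion"

def find_id(page_source: str, key: str) -> str:
    """Return the value of `key` from the page source as a validated, lower-cased GUID.
    Raises ValueError if the key is missing or the value is not a well-formed GUID
    (for example a GUID that was cut short while copying)."""
    m = re.search(rf"['\"]?{key}['\"]?\s*[:=]\s*['\"]([0-9a-fA-F-]+)['\"]", page_source)
    if not m:
        raise ValueError(f"{key} not found in page source")
    value = m.group(1)
    uuid.UUID(value)  # raises ValueError on a truncated or malformed GUID
    return value.lower()

def build_acs_url(page_source: str) -> str:
    """Build the workplace's ACS URL from the WorkplaceId and TenantId in the page source."""
    params = {"WorkplaceId": find_id(page_source, "WorkplaceId"),
              "TenantId": find_id(page_source, "TenantId")}
    return f"{ACS_BASE}?{urlencode(params)}"

def acs_url_matches(configured_sso_url: str, expected_acs_url: str) -> bool:
    """Compare the Single Sign-on URL entered in the Okta app with the expected ACS URL.
    Scheme and host are compared case-insensitively, the path exactly, and the two GUID
    query parameters case-insensitively regardless of their order in the query string."""
    a, b = urlsplit(configured_sso_url), urlsplit(expected_acs_url)
    if (a.scheme.lower(), a.netloc.lower(), a.path) != (b.scheme.lower(), b.netloc.lower(), b.path):
        return False
    qa, qb = parse_qs(a.query), parse_qs(b.query)
    return all(
        [v.lower() for v in qa.get(k, [])] == [v.lower() for v in qb.get(k, [])]
        for k in ("WorkplaceId", "TenantId")
    )
```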

Configure Okta and copy its metadata XML

The following instructions outline setting up a SAML 2.0 app for your digital workplace. To learn more about Okta's settings, refer to their Add app integrations documentation.

To set up an Okta SAML 2.0 app for your digital workplace:

  1. While in the Admin Console, select Applications, followed by Applications.
  2. Select Create App Integration.
  3. Select SAML 2.0 as the Sign-in method and then select Next.
  4. On the General Settings tab, enter your digital workplace's name as the App name. You can also configure an App logo and App visibility, but they are not necessary. When you're done with the settings on this tab, select Next.
  5. On the Configure SAML tab, there are many configuration options available. However, you only need to configure the following:
    • Single Sign-on URL: Enter the ACS URL that you created. If you have not yet created yours, see the above section Create your workplace's Assertion Consumer Service URL (ACS URL). Keep Use this for Recipient URL and Destination URL selected.
    • Audience URI (SP Entity ID): Enter the URL of your digital workplace. For example:

      https://solutionsinc.igloo.igloodigitalworkplace.com
    • Default RelayState: Leave blank.
    • Name ID format: Select Unspecified.
    • Application username: Select which Okta field to match to the Username field of your digital workplace. This field will typically be Okta username or Email, but it depends on how your organization uniquely identifies its users in Okta.
    • Update application username on: Select Create and update.

      Caution

      This feature is not currently functioning. You should avoid selecting Update Now on the app's Sign On tab.

  6. Scroll to the bottom of the Configure SAML tab and select Next.
  7. On the Feedback tab, select I'm an Okta customer adding an internal app.
  8. (Optional) Answer the rest of the questions on the Feedback tab.
  9. Select Finish.
  10. Select the Assignments tab of your app.
  11. Select Assign, followed by Assign to People or Assign to Groups.
  12. Select the people or groups that should use this app and then select Done.
  13. Select the Sign On tab of your app.
  14. Copy the Metadata URL. This URL is needed when you turn SAML SSO on in your digital workplace.

Turn SAML SSO on in your digital workplace

To turn SAML SSO on in your digital workplace:

  1. On the Top Bar, select Admin Settings.
  2. Under Settings in the left side panel, select Login Settings.
  3. Select Enable SAML SSO to toggle it on.
  4. Paste the Metadata URL you copied from your IdP into the SAML configuration field.
  5. (Optional) Turn on Forced Authentication if you require users to re-authenticate every time they visit the digital workplace, even if they have a valid SSO session active. 
  6. Select Update settings. If the Update settings button doesn't turn grey after you select it, the value you've copied into the SAML configuration field is incorrect and will not be saved.

Troubleshooting

Error upon login: Object reference not set to an instance of an object.

The user is not a member of the digital workplace, or no user in the digital workplace has a username that matches the value being passed by the IdP.

Error upon login: Signature is invalid.

The ACS URL that you entered into the Okta app is incorrect.

Okta 403 App Not Assigned

The user is not assigned to the Okta app.