PART I : CENTRALIZED AUTHENTICATION

SSO : SINGLE SIGN-ON

Single Sign-On (SSO) lets a user log in only once to a service and reuse the same credentials to access other services.
Best-known example: Facebook. I have a Facebook account with credentials (id + password). I can reuse them to log in to other websites or apps. I don't have to memorize multiple passwords; one does the job.

SSO : STEEPLE / OKTA

IMPORTANT: Okta does not allow provisioning to be set up until SSO is configured. Neither does Steeple.

Here is a detailed guide to the SSO setup between Steeple and Okta. The two applications must "talk" to each other, so you must configure both the Steeple side and the Okta side.

First of all, you need to create a "Steeple" application (or whatever name you choose) in your Okta directory. Configure it as follows:



Okta Overview > Applications > Add Application > Create New App

Click on "Create New App" to create the application, with these settings:
Platform : Web
Sign on method : SAML 2.0





After validation, you must configure SAML 2.0:

Click on "Next". You will be redirected to the SAML 2.0 configuration interface.
Before filling it in, you first need to obtain the necessary URLs. You can find them in Steeple:

Administration > Settings > Configure access methods

Access methods > Choose other access method > Single Sign-On

Click on "SSO configuration" and confirm.

SSO setup on Steeple:

The label of the SSO login button can be configured. If no button name is provided, "Login via SSO" is displayed by default.



You can also configure reserved domains, e.g. @steeple.fr.
You must configure this; otherwise your collaborators will still be able to log in with their old password, bypassing SSO.

Mandatory configuration for mother/daughter or grand-daughter communities:

You must associate the Okta groups corresponding to your daughter communities in the Steeple interface:



On the Okta side, you only need to enter the group's name, replacing spaces with underscores (_).
This step is crucial for Steeple SSO to work correctly with your different communities.


The rest of the configuration is made up of several "round trips" between the Steeple and Okta interfaces:

Access Steeple's "metadata". This is a set of URLs that you have to enter in the corresponding fields in Okta.




The same fields exist on both sides. Copy these URLs from Steeple and paste them into the associated fields in Okta.


You also have to change the "Name ID format" field and pick EmailAddress from the dropdown list:




The next step is the attribute "mapping" (see screenshot below). Make sure to match the screenshot's fields and naming exactly.




The screenshot below describes the last step for mother/daughter or grand-daughter communities:




Click on Next.

Okta will ask for feedback (probably for internal statistics); choose "I'm a software vendor. I'd like to integrate my app with Okta" and click on "Finish".

You now need to collect Okta's metadata, in the form of a link, from the yellow "SAML 2.0" insert. Two ways to obtain this link:

1) Right-click on the "Identity Provider metadata" link --> "Copy link address"
2) Click on "Identity Provider metadata". This opens a new tab with an XML file. Then copy the address shown in the address bar.

Paste the link in the appropriate field on Steeple and click on "Import metadata".

Directory metadata (Identity Provider) > Identity Provider



Validate the SSO configuration.



PART II : DIRECTORIES AUTOMATIC SYNCHRONIZATION

Provisioning (SCIM)

"Provisioning" refers to directory synchronization. Okta, for example, is a directory; other terms are also used, such as "identity provider".

Typical examples of provisioning behavior:
A user is assigned to the Steeple app in Okta: they are retrieved or created in Steeple.
A user is removed from a group, unassigned from the application, or deactivated in Okta: they are removed from Steeple as well.

Provisioning is a powerful tool that saves community administrators time-consuming work, identity management being part of it.

What is SCIM?
SCIM (System for Cross-domain Identity Management) is the protocol to follow when developing such a feature. For provisioning to work well, both sides must comply with this protocol.

PROVISIONING : STEEPLE / OKTA

REMINDER: it is crucial to have SSO set up before configuring provisioning. Neither Okta's configuration nor Steeple's allows it otherwise.

In Steeple :

Access methods > Provisioning > « Provisioning (SCIM) Configuration »

Click on Configure. This validation generates the two parameters needed to configure provisioning: the tenant URL and the secret token:



In Okta :

Okta App Overview > General > App Settings > Edit

In the general settings, provisioning is not enabled by default. You must enable it manually and click Save.



Now, a Provisioning tab will be displayed next to "Sign On". Click on "Provisioning".


Then click on Edit to update Okta's provisioning integration.

This step is simple:

1- In Steeple: copy the tenant URL and paste it into the Okta field "SCIM connector base URL"
2- In Okta: fill in the "Unique Identifier Field for users" field with userName
3- Check all the boxes
4- In the "Authentication Mode" dropdown list, select HTTP Header
5- In Steeple: copy the secret token and paste it into the Okta field "Authorization"
6- Save



Don't forget to test the connection by clicking "Test Connector Configuration". This tests every action checked above by sending requests to Steeple's server, verifying that the connection between the two applications is working. Keep the secret token confidential: anyone holding it can create or deactivate users through the SCIM endpoint.
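To make concrete what the SCIM side has to do with these settings, here is an added example (not Steeple's code) of a minimal SCIM 2.0 /Users handler written as a plain Python dispatch function with an in-memory store, so it runs offline. It assumes that Okta's HTTP Header mode sends the secret token as "Authorization: Bearer <token>", compares that token in constant time, and applies the provisioning behaviors listed above: a user lookup by userName (the kind of request a connectivity test or pre-creation check makes), creation on assignment, and deactivation on unassignment or deactivation. The secret token and user names are constructed for the example; the real token is the one generated by Steeple's Configure step. The real Steeple removes the account on deactivation; this toy store flags it inactive so the response can still echo the resource.

```python
"""Minimal SCIM 2.0 /Users handler: bearer-token check plus create / lookup /
deactivate / delete, in the shape an identity provider drives over HTTP."""
import hmac
import uuid
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the token generated by the provisioning Configure step.
SECRET_TOKEN = "EXAMPLE-SECRET-TOKEN-NOT-REAL"
USERS = {}  # id -> SCIM user resource (in-memory store for the example)

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def authorized(headers):
    """HTTP Header mode: token arrives as 'Authorization: Bearer <token>'.
    Constant-time comparison keeps response timing from leaking the token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(token, SECRET_TOKEN)


def scim_error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def find_by_username(user_name):
    # userName is the unique identifier configured in Okta; match case-insensitively.
    return next((u for u in USERS.values() if u["userName"].lower() == user_name.lower()), None)


def handle(method, url, headers, body=None):
    """Dispatch one SCIM request; returns (http_status, json_body)."""
    if not authorized(headers):
        return scim_error(401, "invalid or missing bearer token")
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    if segments[0] != "Users":
        return scim_error(404, "unknown resource")

    if method == "GET" and len(segments) == 1:
        # filter=userName eq "alice@example.test": the lookup the IdP does before creating
        flt = parse_qs(parts.query).get("filter", [""])[0]
        attr, _, quoted = flt.partition(" eq ")
        found = find_by_username(quoted.strip('"')) if attr == "userName" else None
        resources = [found] if found else []
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(resources), "Resources": resources}

    if method == "POST" and len(segments) == 1:
        # user assigned to the app in the IdP -> create the profile here
        if not body or not body.get("userName"):
            return scim_error(400, "userName is required")
        if find_by_username(body["userName"]):
            return scim_error(409, "user already exists")
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                "userName": body["userName"], "active": True}
        USERS[user["id"]] = user
        return 201, user

    if method == "PATCH" and len(segments) == 2:
        # unassignment / deactivation in the IdP arrives as a replace of active=false
        user = USERS.get(segments[1])
        if user is None:
            return scim_error(404, "user not found")
        for op in (body or {}).get("Operations", []):
            if op.get("op", "").lower() != "replace":
                continue
            value = op.get("value")
            new_active = value if op.get("path") == "active" else (value or {}).get("active")
            if new_active is False:
                user["active"] = False  # real service: remove the account
        return 200, user

    if method == "DELETE" and len(segments) == 2:
        if USERS.pop(segments[1], None) is None:
            return scim_error(404, "user not found")
        return 204, None

    return scim_error(405, "unsupported operation")


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer " + SECRET_TOKEN}
    print(handle("GET", "/Users?filter=userName eq \"alice@example.test\"", {}))   # 401
    print(handle("POST", "/Users", hdrs, {"userName": "alice@example.test"}))       # 201
```

The 401 on a missing or wrong token is the branch that matters most: every other action is reachable only with the secret token from Steeple, which is why that token must be stored only in the Okta "Authorization" field and never shared elsewhere.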

In Okta :

App Okta Overview > Provisioning > Settings > To App > Edit :



To retrieve or create profiles in Steeple, you must assign users to your application in Okta once provisioning is set up. This is the way Okta works.

App Overview > Assignments > Assign > Assign to People (or Groups)






Once this final step is done, the list of profiles is imported into Steeple. Actions are applied immediately.

As an administrator, you can remove this configuration and go back to a classic authentication method (e-mail and password).

To do so:

Settings > Configure access methods > Single Sign-On > Danger Zone > Remove this access method and go back to classic method
