This guide provides the steps required to configure Okta SSO and Provisioning for ConveyIQ. It includes the following sections:
- Configuration Steps
The following provisioning features are supported:
- Push New Users
New users created through Okta will also be created in ConveyIQ.
- Push Profile Updates
Updates made to the user’s profile through Okta will be pushed to ConveyIQ. ConveyIQ accepts updates to these user attributes: Username, First Name, Last Name, Primary email.
- Push User Deactivation
Deactivating the user or unassigning the user from the application through Okta will deactivate the user in ConveyIQ.
- Reactivating Users
Reactivating the user or reassigning the user to the application through Okta will reactivate the user in ConveyIQ.
The following SSO features are supported:
- Sign In to ConveyIQ from Okta
Clicking the ConveyIQ application on the Okta ‘My Apps’ page automatically authenticates the user to ConveyIQ.
- Sign In from ConveyIQ Sign In Page
By entering their email address on the ConveyIQ Sign In page, the user is redirected to Okta SSO and signed in to ConveyIQ.
- Sign Out from ConveyIQ
Users can sign out from the ConveyIQ application without being signed out from Okta.
Users can sign out from Okta without being signed out from ConveyIQ.
Connecting ConveyIQ to Okta requires configuring two applications in the Okta Administration Console. The first application is configured manually and uses OpenID Connect to authenticate users to the ConveyIQ service. The second application is available as ConveyIQ SCIM Provisioning in the Okta Integration Network (OIN). After the applications are created they need to be assigned to a User Group in Okta. Once both applications are assigned, the last step is to configure the OpenID Connector by submitting the credentials through a self-service flow provided by ConveyIQ.
Note: Step-by-step configuration instructions are provided in the next chapter.
- Create OpenID Connect ConveyIQ Application in the Okta Administrative Console
- Add the ConveyIQ SCIM Provisioning Application in the Okta Integration Network
- Configure the OpenID Connector in the ConveyIQ Application
- Create ConveyIQ Group in Okta
The following steps need to be completed to enable Okta SSO and Provisioning with ConveyIQ:
STEP 1: Create the OpenID Connect ConveyIQ Application in the Okta Administrative Console
a. Sign in to the Okta Administration Dashboard, then choose Add Application.
b. In the Create New Application dialog box choose OpenID Connect and click Create.
c. Name the application ConveyIQ by Entelo.
d. Uploading a logo is optional; contact Entelo support at email@example.com for the image if it has not already been provided.
e. In the Login redirect URIs field enter: https://identity-provider.na.conveyiq.com/session/oidc/authorization_code
f. In the Logout redirect URIs field enter: https://identity-provider.na.conveyiq.com/session/sign_in
g. Click Save.
h. Keep the General Setting tab open and click Edit.
i. Under the Allowed grant types section select these 3 checkboxes:
i. Authorization Code
ii. Refresh Token
iii. Implicit (Hybrid)
*** Leave the Allow ID token with implicit grant type option checked.
j. Under the Login Initiated by section select the Either Okta or App option.
k. Under the Application Visibility section select 3 checkboxes:
i. Display application icon to users
ii. Display application icon in the Okta Mobile App
l. In the Initiate login URI field enter: https://identity-provider.na.conveyiq.com/session/sign_in
m. Click Save.
Note: Leave the page open because you will need the Client ID and Client Secret for Step 2 below.
STEP 2: Configure the OpenID Connector in the ConveyIQ Application
a. In coordination with your Entelo Customer Success Manager, you should have received an email with the subject ConveyIQ - OpenID Connect Configuration.
Note: If you have not received an email yet, please reach out to your Entelo Customer Success Manager contact or the support team at firstname.lastname@example.org.
b. In the email click the link Configuration URL.
c. On the Configuration step enter the:
i. Domain
ii. Client ID
iii. Client Secret
Note: The Domain is your Okta domain; for example, if your Okta URL is “https://acme.okta.com/” then your domain is “acme.okta.com”. The Client ID and Client Secret can be found on the General Settings tab of the ConveyIQ by Entelo application created in Step 1.
d. Click Update.
STEP 3: Add the ConveyIQ SCIM Provisioning Application in the Okta Integration Network
a. In the Okta Administration Console choose Applications.
b. Click Add Application.
c. Search for "ConveyIQ by Entelo".
d. Click Add.
e. In the General Settings step under the Application Visibility make sure to check the following checkboxes:
i. Do not display the application icon to users
ii. Do not display the application icon in the Okta Mobile App
f. Click Done.
g. On the Provisioning tab click Configure API Integration.
h. Select Enable API Integration.
i. In the Base URL field paste this URL: https://identity-provider.na.conveyiq.com/scim/v2
j. In the Username field paste the Client ID of the OpenID Connect application created in Step 1 above.
k. In the Password field paste the Client Secret of the OpenID Connect application created in Step 1 above.
l. Click Test API Credentials.
m. If the test result is positive, click Save.
n. After the page reloads, make sure that you are still on the Provisioning tab > Settings > To App section.
o. Click Edit next to ‘Provisioning to App’.
p. Check the Enable check boxes for:
i. Create Users
ii. Update User Attributes
iii. Deactivate Users
q. Click Save.
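To show what the Provisioning settings above amount to on the ConveyIQ side, here is an added Python model (not ConveyIQ's or Okta's code) of a minimal SCIM 2.0 /Users resource: it checks the Basic auth that the Username/Password fields produce, maps the SCIM User schema onto the four attributes ConveyIQ accepts, and handles the create, update, deactivate and reactivate pushes. The credential values, the in-memory store and the exact PATCH shape are assumptions for illustration.

```python
import base64
import hmac

# Constructed placeholder credentials; in the real setup these are the Client ID
# and Client Secret of the OpenID Connect application created in Step 1.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"

def basic_auth_header(client_id, client_secret):
    """Okta sends the Username/Password fields as an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def credentials_valid(headers):
    """The check that 'Test API Credentials' exercises; compared in constant time."""
    expected = basic_auth_header(CLIENT_ID, CLIENT_SECRET)["Authorization"]
    return hmac.compare_digest(headers.get("Authorization", ""), expected)

def to_conveyiq_user(scim_user):
    """Map the SCIM core User schema to the four attributes ConveyIQ accepts."""
    primary = next((e["value"] for e in scim_user.get("emails", []) if e.get("primary")), None)
    name = scim_user.get("name", {})
    return {"username": scim_user["userName"], "first_name": name.get("givenName"),
            "last_name": name.get("familyName"), "primary_email": primary,
            "active": scim_user.get("active", True)}

class ScimUserStore:
    def __init__(self):
        self.users = {}  # in-memory stand-in for the /Users resource, keyed by SCIM id

    def _authorize(self, headers):
        if not credentials_valid(headers):
            raise PermissionError("401 Unauthorized")

    def create(self, headers, scim_user):        # Push New Users: POST /Users
        self._authorize(headers)
        uid = str(len(self.users) + 1)
        self.users[uid] = to_conveyiq_user(scim_user)
        return uid

    def replace(self, headers, uid, scim_user):  # Push Profile Updates: PUT /Users/{id}
        self._authorize(headers)
        self.users[uid] = to_conveyiq_user(scim_user)
        return self.users[uid]

    def patch(self, headers, uid, patch_op):     # Deactivate / Reactivate: PATCH /Users/{id}
        self._authorize(headers)
        for op in patch_op["Operations"]:
            if op.get("op", "").lower() == "replace" and "active" in op.get("value", {}):
                self.users[uid]["active"] = bool(op["value"]["active"])
        return self.users[uid]
```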
STEP 4: Create ConveyIQ Group in Okta
a. In the Okta Administration Console choose Directory > Groups.
b. Click Add Group.
c. Enter Group Name (example): ConveyIQ.
d. Enter Group Description (example): Users assigned to ConveyIQ.
e. Click Add Group.
f. Click the Group to open the group details.
g. Click Manage Apps.
h. Assign the ConveyIQ SCIM Provisioning application.
i. Skip the Extra Info and click Save and Go Back.
j. Assign the ConveyIQ by Entelo application.
k. Click Done.
l. Click Manage People.
m. Add all the desired members that you wish to grant access to ConveyIQ.
n. Click Save.
At this point everything should be configured and the following is expected to work: all the people added to the ConveyIQ group should be imported as users into the ConveyIQ application and be able to sign in. In Okta, the same users should see the “ConveyIQ by Entelo” application under ‘My Apps’ and be able to use it for SSO. The next step is to assign permissions to the imported users in the ConveyIQ application.