This guide provides the steps required to configure SCIM 2.0 based user provisioning and OpenID Connect based single sign on via Okta.
- Configuration Steps
- Troubleshooting Tips
Okta is able to perform the following actions automatically against our platform:
- Add new users
- Update selected details on users
- Deactivate users
- Authenticate users when they log in via our web portal or apps.
The following provisioning features are supported:
- Users created through Okta will also be created in our platform.
- Updates made to the user's profile through Okta will be pushed to us.
- Deactivating the user or disabling the user's access to the application through Okta will deactivate the user on our platform.
- Users can be imported from our platform into Okta.
Before you configure provisioning, check the following in your platform account:
- Ensure you have added our Enterprise Toolkit option to your account, since this unlocks our Okta integration options.
Enterprise Toolkit can be enabled via your Billing page in the platform.
- Go to the Menu -> Organization Setup page and find the section titled "External User Authentication & Provisioning".
Click the Add Connector link and select the "Okta" option from the list of available connectors - this will save the Organization Setup page and reload it.
- Make note of the SCIM Url, User Name, Password and OpenID Connect Login Redirect URI values that display on the Okta connector details.
You will need these for the Okta configuration steps below.
Single Sign On (via OpenID Connect) Configuration Steps
Currently Okta does not support having OIDC and SCIM on the same application as found in the Okta Application Network (OAN).
Hopefully Okta will allow the combination of OIDC and SCIM on a single OAN application in the future.
Until then, you will need to use the Okta App wizard to create a separate OIDC app.
Create an OpenID Connect application
- Go to the Admin -> Applications area of your Okta account, then click "Add Application".
- Click the "Create New App" button, then select "Native" from the list of Platform options.
- Ensure OpenID Connect is the selected Sign on Method, then click "Create".
- Enter an Application Name - preferably use our platform name, Forms on Fire.
- Upload an optional Application Logo - you can get ours by right-clicking on our login page logo and using "Save Image As".
- Enter all Login Redirect URIs as noted from your Organization Setup page.
- Leave Logout Redirect URIs blank.
- Click the "Save" button to create your OIDC application. This will take you to more detailed configuration options.
- Application Name - preferably use Forms on Fire
- Application Type - must be "Native"
- Allowed Grant Types - only "Authorization Code" should be selected
- Login Redirect URIs - enter all Login Redirect URIs as noted from your Organization Setup page
- Logout Redirect URIs - leave blank
- Make note of the Client ID value as seen under the Client Credentials section. You will need to input this into the given field on our platform to enable Single Sign On later.
- Client Authentication - ensure PKCE is selected
- Sign On Methods - OpenID Connect should be the only option selected
- Signing Credential Rotation - should be left as "Automatic"
- Make note of the Issuer URL seen under the OpenID Connect ID Token section. You will need to input this into the given field on our platform to enable Single Sign On later.
- Claims - should be "Claims for this token include all user attributes on the app profile."
- Group Claim options should be left as default
- Assign users as desired - any user that requires login access on our platform or apps must be assigned to your OIDC app in Okta.
After creating and configuring your OIDC app in Okta, you must update the Okta connector configuration in our platform:
- Go to the Organization Setup page in our platform.
- Under the Manage Users with Okta option, input the Issuer URL and Client ID as noted during your Okta application setup process above.
- Save your changes.
At this point, all users registered on our platform will now be required to sign on via Okta.
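As an added illustration (not code from this page or from the Forms on Fire platform), the following Python shows the client-side checks that go with the Native app configured above: generating a PKCE pair, building an authorization request that only uses the Authorization Code grant and a registered Login Redirect URI, and checking an ID token's issuer and audience against the Issuer URL and Client ID you noted. The Issuer URL, Client ID and redirect URIs below are placeholders, and the ID token signature is assumed to have been verified against the issuer's JWKS before the claims check runs.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Placeholders standing in for the Issuer URL, Client ID and Login Redirect URIs noted during setup (not real).
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaPLACEHOLDERclientid"
ALLOWED_REDIRECT_URIS = {"https://platform.example/auth/okta/callback",
                         "com.example.app:/callback"}

def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(redirect_uri, state, nonce, code_challenge):
    """Authorization Code + PKCE request; redirect_uri must match the allow-list exactly."""
    if redirect_uri not in ALLOWED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not a registered Login Redirect URI")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",  # only the Authorization Code grant is enabled on the app
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return ISSUER + "/v1/authorize?" + urlencode(params)

def validate_id_token_claims(claims, expected_nonce, now=None):
    """Check claims of an ID token whose signature was already verified against the
    issuer's JWKS. Returns the email claim, which is the platform username."""
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer does not match the configured Issuer URL")
    if CLIENT_ID not in aud:
        raise ValueError("audience does not match the configured Client ID")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("ID token expired")
    return claims["email"]
```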
User Provisioning (via SCIM 2.0) Configuration Steps
Add the Forms on Fire App Integration
- In your Okta account, go to Admin -> Applications -> Add App -> Search for “Forms on Fire”.
Configure General Settings:
- Specify a descriptive Application Label, then hit Next
Configure Sign-On Options
- Okta does not currently support OpenID Connect as part of standard app integrations, so simply configure this section as seen in the screenshot below, then click Next. You can set up sign-on via OpenID Connect as a separate integration - see the Single Sign-On section above.
Configure Provisioning Settings
- Check the Enable provisioning features box.
- Enter SCIM Url, Company ID and Integration Passkey values that you noted from our platform into the relevant fields.
- Click the Test API Credentials button and check that your credentials were verified successfully.
- Under User Import, ensure that the following are set:
  - Schedule Import: never
  - Okta username format: Email Address
- Ensure that Profile Master is NOT enabled.
- Ensure Create Users is enabled.
- Ensure Update User Attributes is enabled.
- Ensure Deactivate Users is enabled.
- Ensure that Sync Passwords is NOT enabled.
Configure People Assignment
- Lastly, choose which people should be assigned to have access to Forms on Fire, then click Next to complete the configuration.
You can now assign people to the app (if needed) and finish the application setup.
Troubleshooting and Tips
Required Values for Provisioning
The following values must be specified on Okta users in order for them to successfully provision on our platform:
- First Name
- Last / Family Name
- Email (this must be unique per user, since it is used as our username)
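As an added example (not the platform's own SCIM implementation), the following Python shows how a SCIM 2.0 /Users endpoint can enforce the provisioning rules described above: the Okta userName must be the email address and is the unique platform username (a duplicate is answered with 409), first and family name are required, and a deactivation from Okta arrives as a replaced resource with active set to false. The sample request body is constructed for the example, and the in-memory dictionary stands in for the platform user table.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample of a SCIM 2.0 User as Okta would POST it to /Users (not a real capture).
SAMPLE_CREATE = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
})

class ScimError(Exception):
    def __init__(self, status, detail):  # status: HTTP code the SCIM endpoint answers with
        super().__init__(detail)
        self.status = status

def parse_user(body):
    """Validate an incoming SCIM User and extract the fields the platform needs."""
    data = json.loads(body)
    if SCIM_USER_SCHEMA not in data.get("schemas", []):
        raise ScimError(400, "unsupported schema")
    email = (data.get("userName") or "").strip().lower()
    name = data.get("name") or {}
    if "@" not in email:
        raise ScimError(400, "userName must be the user's email address")
    if not name.get("givenName") or not name.get("familyName"):
        raise ScimError(400, "givenName and familyName are required")
    return {"email": email, "first_name": name["givenName"],
            "last_name": name["familyName"], "active": bool(data.get("active", True))}

USERS = {}  # in-memory stand-in for the platform user table, keyed by email (example only)

def create_user(body):
    """POST /Users: reject duplicates with 409 because email is the platform username."""
    user = parse_user(body)
    if user["email"] in USERS:
        raise ScimError(409, "a user with this email already exists")
    USERS[user["email"]] = user
    return user

def replace_user(email, body):
    """PUT /Users/{id}: a deactivation from Okta arrives here as active=false."""
    if email not in USERS:
        raise ScimError(404, "user not found")
    user = parse_user(body)
    if user["email"] != email:
        raise ScimError(400, "userName cannot be changed")
    USERS[email] = user
    return user
```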
Assigning Website Access to Okta Users
By default, users that are provisioned via Okta will only be granted app login access.
If you wish to assign web portal access, then you must specify one of the following Role values on the Okta user's application profile:
The capabilities of the above roles can be seen on the hints for Access Roles as found on the Edit User page of our platform.