SSO : SINGLE SIGN-ON
Single Sign-On (SSO) lets a user authenticate once, with a single set of credentials, and reuse that authentication to access several services.
Best-known example: Facebook. I have a Facebook account with a username and password, and I can use it to log in to other sites, so I don't have to memorise several passwords; one is enough. The flip side is that this one password now protects every connected service, so the account at the identity provider deserves the strongest protection available (a long password and multi-factor authentication).
SSO : STEEPLE / OKTA
NOTE: Okta does not allow provisioning to be set up unless SSO is configured first; neither the Okta side nor the Steeple side supports provisioning without SSO.
Here is a step-by-step guide to setting up SSO between Steeple and Okta. The two applications must talk to each other, so both Steeple and Okta have to be configured.
First of all, the Okta directory needs a "Steeple" application (any name will do). Configure it as follows:
Applications > Applications > Create App Integration
Click on "Create App Integration" to create the application.
Sign on method : SAML 2.0
Once the application has been created, you must configure SAML 2.0 straight away:
Click on "Next". You will be redirected to the SAML 2.0 configuration screen.
Before filling it in, however, you need the URLs that Steeple provides; you will find them in Steeple under:
Administration > Integrations > Install
SSO settings on Steeple:
The label of the SSO login button can be customised. If no label is given, "Login via SSO" is displayed by default.
Reserved domains:
Domain names can be reserved on Steeple so that they are detected on the login page and the matching login button is displayed.
Example: Steeple itself uses SSO with GSuite. Steeple has reserved the domain steeple.fr, so when an @steeple.fr address is entered in the e-mail field of the login form, the "Connect with GSuite" button appears automatically instead of the "Password" field.
Then click on "Take the next step".
___________________________________________________________________________________
The rest of the configuration consists of several "round trips" between the Steeple and Okta interfaces:
Go to "Metadata" in Steeple. These are the links Steeple provides for you to enter in Okta.
The fields are clearly labelled in both Steeple and Okta: copy and paste each link into the matching field in Okta.
You also need to change the "Name ID format" field and choose "EmailAddress" from the drop-down list. This matters because Steeple identifies the user by the e-mail address carried in the SAML assertion (see the questions at the end of this page):
Then move on to attribute "mapping" (screenshot below). Make sure you reproduce exactly the fields and names shown on the screenshot.
The screenshot below describes the last step for mother/daughter or granddaughter communities:
Okta then asks for feedback (probably for internal statistics); choose "I'm a software vendor. I'd like to integrate my app with Okta" and click on "Finish".
You must now enter the Okta metadata, which is available through a link, in the YELLOW "SAML 2.0" box. The metadata carries the certificate Steeple will use to verify Okta's signed assertions, so make sure the link is the https address of your own Okta organisation. Tips for getting this link:
1) Right-click on the "Identity Provider metadata" link, choose "Copy link address", paste the address into the appropriate field in Steeple, then click on "Import metadata";
2) Or click on the "Identity Provider metadata" link. A new tab opens showing the file content as XML. Copy the address from the browser's address bar, paste it into the appropriate field in Steeple, then click on "Import metadata".
Your Directory Metadata (Identity Provider) > Identity Provider
Mandatory configuration if there are mother/daughter or granddaughter communities:
You must associate the Okta groups corresponding to your child communities in the Steeple interface:
For Okta, simply enter the name of the group, replacing spaces with underscores ( _ ).
This step is essential for SSO with Steeple to work properly.
The SSO configuration is now complete. Finally, click on "Save configuration".
What happens if I log in with SSO when I previously logged in the classic way?
My Steeple e-mail address is the same as the one on the Okta account I log in with:
Nothing changes. My authentication mode switches to SSO, but my account is not modified, and I can continue to use Steeple as before.
My Steeple e-mail address is different from that of the Okta account I want to log in with via SSO:
A second account is created for me. To use SSO with your existing account, change the e-mail address on your Steeple account so that it matches the one in Okta.
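The two answers above follow from one rule: the account is matched on the e-mail address carried as the NameID, which is why the "Name ID format" had to be set to EmailAddress earlier. Here is an added example (not Steeple's code) of that matching logic together with the Okta-group to child-community mapping from the previous section. It assumes the assertion's signature, audience and validity window have already been checked by a SAML library, that e-mail addresses are compared case-insensitively, and that the Okta groups arrive in an attribute named "groups"; the assertion is constructed and unsigned for the demo.

```python
"""Added example: account matching at SSO login plus Okta-group -> community mapping."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
GROUP_ATTR = "groups"   # assumed name of the attribute carrying Okta group names


@dataclass
class Account:
    email: str
    auth_mode: str = "password"          # "password" or "sso"
    communities: set = field(default_factory=set)


class Directory:
    """Accounts keyed by lower-cased e-mail (assumed case-insensitive matching).
    group_to_community maps the Steeple-side spelling of an Okta group
    (spaces replaced by underscores) to a child community name."""
    def __init__(self, accounts, group_to_community):
        self.accounts = {a.email.lower(): a for a in accounts}
        self.group_to_community = group_to_community


def okta_group_to_community_key(okta_group: str) -> str:
    """The page's rule: Okta group 'Sales Team' is entered in Steeple as 'Sales_Team'."""
    return okta_group.strip().replace(" ", "_")


def build_assertion(email, fmt=EMAIL_FORMAT, groups=()):
    """Constructed, unsigned assertion fragment for the demo (not real Okta output)."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f'<saml:Subject><saml:NameID Format="{fmt}">{email}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement><saml:Attribute Name="{GROUP_ATTR}">{values}'
            f'</saml:Attribute></saml:AttributeStatement></saml:Assertion>')


def extract_subject(assertion_xml: str):
    """Return (email, okta_groups). Any NameID format other than emailAddress is rejected:
    it is the only format the SP can safely match against account e-mail addresses."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    fmt = name_id.get("Format")
    if fmt != EMAIL_FORMAT:
        raise ValueError(f"NameID format must be emailAddress, got {fmt}")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUP_ATTR:
            groups += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return name_id.text.strip(), groups


def sso_login(directory: Directory, assertion_xml: str):
    """Link to the existing account with the same e-mail, otherwise create a new one.
    Returns (account, created)."""
    email, groups = extract_subject(assertion_xml)
    key = email.lower()
    created = key not in directory.accounts
    if created:
        directory.accounts[key] = Account(email=email)
    account = directory.accounts[key]
    account.auth_mode = "sso"      # the mode changes; the account itself is untouched
    for g in groups:
        community = directory.group_to_community.get(okta_group_to_community_key(g))
        if community:
            account.communities.add(community)
    return account, created


if __name__ == "__main__":
    d = Directory([Account("alice@example.com")], {"Sales_Team": "Sales"})
    acct, created = sso_login(d, build_assertion("Alice@example.com", groups=["Sales Team"]))
    print(acct, "created" if created else "linked to existing account")
```

Because the link is made purely on the e-mail address, whoever controls the Okta side decides which Steeple account an assertion lands on; that is expected in a corporate directory, but it is the reason the Okta application should be restricted to the intended users and groups.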