SSO (Single Sign-On) and Okta

SSO: SINGLE SIGN-ON

Single Sign-On (SSO) lets a user log in once and reuse the same credentials to access several services.
Best-known example: Facebook. You have a Facebook account with a username and password, and you can reuse it to log in to other sites, so you don't have to memorize several passwords: one is enough.

SSO: STEEPLE / OKTA

NOTE: Okta does not allow provisioning to be set up unless SSO is configured first; neither Okta's nor Steeple's configuration allows it.


Here is a step-by-step guide to setting up SSO between Steeple and Okta. The two applications must talk to each other, so both Steeple and Okta have to be configured.

In Okta

First of all, the Okta directory must contain a “Steeple” application (the name can differ). Configure the directory as follows:


Applications > Applications > Create App Integration

Click on "Create App Integration" to create the application.

[Screenshot: Okta, Create App Integration]
Choose sign-on method: SAML 2.0


After validation, name your application:

[Screenshot: Okta, naming the new application]

Click on “Next”. You will be redirected to a SAML 2.0 configuration interface.


In Steeple

Before that, however, you need the required URLs, which you will find in Steeple under:



Administration > Integrations > Install


SSO settings on Steeple:

The name of the SSO login button can be set. If no name is given, “Login via SSO” is displayed by default.

Reserved domains:

It is possible to reserve domain names in Steeple so that they are detected on the login page and the correct login button is displayed.
Example: it is possible to log in to Steeple via SSO with GSuite. Steeple has reserved the domain steeple.fr, so when an @steeple.fr address is entered in the e-mail field of the login form, the “Connect with GSuite” button appears automatically instead of the “Password” field.

Then click on “Take the next step”.

___________________________________________________________________________________

The rest of the configuration consists of several “round trips” between the Steeple and Okta interfaces:

Go to “Metadata” in Steeple. These are links provided by Steeple that must be entered in Okta.

[Screenshot: Steeple metadata URLs to enter in Okta]


In Okta

Copy and paste these links into the corresponding fields in Okta.


[Screenshot: Okta SAML 2.0 configuration]



You also need to change the “Name ID format” field and choose “EmailAddress” in the drop-down list.

Then move on to “mapping” (screenshot below). Be sure to reproduce the fields and the naming shown in the screenshot exactly.

[Screenshot: Okta attribute mapping]



The screenshot below shows the last step, for mother/daughter or granddaughter communities:

[Screenshot: Okta group attribute statement]


Okta will ask for feedback (probably for internal statistics): choose “I'm a software vendor. I'd like to integrate my app with Okta” and click on “Finish”.

[Screenshot: Okta feedback step]

You must now enter the Okta metadata, which is available via a link, in the yellow “SAML 2.0” box in Steeple. To get the link, go to the “Sign on” tab of the application in Okta and click “Copy” next to “Metadata URL”.

[Screenshot: Okta Sign on tab, Metadata URL]

In Steeple

Paste the metadata URL in the corresponding field in Steeple and click “Import metadata”.



Mandatory configuration if there are mother/daughter or granddaughter communities:

You must associate the Okta groups corresponding to your child communities in the Steeple interface:

[Screenshot: Okta groups associated with child communities in Steeple]


For Okta groups, simply enter the group name with spaces replaced by underscores ( _ ).
This step is essential for SSO with Steeple to work properly.
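As an added example (not Steeple's or Okta's own code), here is a Python script that reads the NameID and attributes of a SAML assertion the way a service provider does after signature verification, then applies the rules from this guide: the NameID must be in EmailAddress format, and Okta group names are converted by replacing spaces with underscores before being matched against the child communities configured in Steeple. The sample assertion, the attribute names (email, firstName, groups) and the community names are constructed assumptions, not values from the mapping screenshot, and the script does not verify the XML signature: use it to check what Okta sends during configuration, never as an authentication step.

```python
"""Read a SAML assertion's NameID and attributes and apply the Steeple group rule.

Added example, not Steeple's or Okta's own code. The assertion, the attribute
names (email, firstName, groups) and the community names are constructed
assumptions. The XML signature is not verified here: run this on assertions
you are inspecting for configuration purposes, never as an authentication step.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Child communities as configured in Steeple (constructed), already written
# with underscores as the guide requires.
STEEPLE_COMMUNITIES = {"Sales_Team", "Support_Team"}

# Constructed, unsigned sample assertion with placeholder values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/EXAMPLE_IDP_ID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Sales Team</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def steeple_group_name(okta_group: str) -> str:
    """Naming rule from the guide: spaces in the Okta group name become underscores."""
    return okta_group.replace(" ", "_")


def read_assertion(xml_text: str) -> dict:
    """Return the NameID, its format and all attributes (each as a list of values)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no usable NameID")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "attributes": attributes,
    }


def map_to_steeple(info: dict, communities=STEEPLE_COMMUNITIES) -> dict:
    """Decide which communities the user joins and flag configuration mismatches."""
    problems = []
    if info["name_id_format"] != EMAIL_NAMEID:
        problems.append(f"NameID format is {info['name_id_format']!r}, expected EmailAddress")
    email_attr = info["attributes"].get("email", [])
    if email_attr and email_attr[0].lower() != info["name_id"].lower():
        problems.append("NameID and 'email' attribute disagree")

    matched, ignored = [], []
    for group in info["attributes"].get("groups", []):
        name = steeple_group_name(group)
        (matched if name in communities else ignored).append(name)
    return {
        "email": info["name_id"],
        "communities": sorted(matched),
        "ignored_groups": sorted(ignored),  # Okta groups with no Steeple community
        "problems": problems,
    }


if __name__ == "__main__":
    result = map_to_steeple(read_assertion(SAMPLE_ASSERTION))
    print(result)
```

The "ignored_groups" list is the useful diagnostic: an Okta group that should map to a child community but shows up there usually means the name entered in Steeple does not match the underscore form of the Okta group name.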


The SSO configuration is now complete; click on “Save configuration”.


Additional questions

What happens if I log in via SSO when I previously logged in the classic way?

My Steeple email address is the same as that of the Okta account I log in with:
Nothing happens. My authentication mode changes, but my account is not modified; I can continue to use Steeple as before.

My Steeple email address is different from that of the Okta account I want to use for SSO:
A second account will be created for me. You must therefore change your Steeple email address so that it matches your Okta account in order to use this type of authentication.