Okta SAML SSO Configuration

Sharesecret supports SAML-based single sign-on with Okta for organizations on a Pro level subscription.

Okta SAML SSO Setup

Adding the Sharesecret app to your Okta account

Sign in to your organization's Okta account as an administrator.

1. After logging in, click Admin in the top right, then go to the Applications page.
2. Click Add Application.
3. Search for Sharesecret in the search box and click the Add button.
   
4. In Sharesecret, click Org Settings. Under SAML SSO Settings, copy your SAML Tenant ID.
   

5. In Okta, paste the SAML Tenant ID into the Default Relay State field. Set the Application Username format field to Email. Click Save.
   

6. Copy the Identity Provider metadata URL. Right click on Identity Provider metadata below the View Setup Instructions button and click Copy Link Address.
   

7. In Sharesecret, go to Org Settings, paste the Identity Provider Metadata URL into the IDP Metadata URL field, then click Save next to the field.

8. The Okta SAML SSO configuration is complete. Users who are assigned the Sharesecret application in Okta will be able to log in to Sharesecret through Okta.

Note: Users can also log in to Sharesecret through Okta by visiting https://www.sharesecret.com/users/[Tenant ID]/auth/saml. An administrator must provide users with the Tenant ID.

Provisioning

SAML JIT provisioning is supported by default: when a member of your Okta organization who has access to the Sharesecret Okta app attempts to authenticate via SAML, their Sharesecret account will be created the first time they attempt a login.

SCIM Provisioning (recommended)

The System for Cross-domain Identity Management (SCIM) is an open API standard that makes managing user identities and accounts across different services easier. In particular, SCIM makes it easier to manage user identities in a centralized Identity Provider (iDP) like Okta, and synchronize user accounts to downstream applications like Sharesecret. Of course, users don't have to create another set of user credentials for each app they use -- they simply authenticate via SAML through the IDP to get access to Sharesecret.

Features

The Sharesecret Okta SCIM integration supports the following SCIM features:

• Push new users
  • Creating an Okta user will automatically create a user account in Sharesecret.
• Push Profile Updates
  • When a user updates their Okta profile, the relevant attributes in Sharesecret will be updated as well.
• Push user deactivation
  • When a user is unassigned from the Sharesecret app in Okta, their Sharesecret account will be removed as well.
• Reactivate Users
  • Users can be reactivated after deactivation.

Requirements

You must be on a Sharesecret Pro plan to configure Okta SAML SSO and SCIM provisioning.

Step-by-Step Configuration Instructions

To configure SCIM provisioning in the Sharesecret Okta app, follow these steps:

1. In Sharesecret, click Org Settings in the top nav bar.
2. Under SAML SSO Settings, copy the iDP Api Token.
3. Find the Sharesecret app in Okta. Go to the Provisioning tab. Click on Integrations in the left panel. Paste in the iDP API Token and click Save.
4. Select To App in the left panel, then enable the following Provisioning Features: Create Users, Update User Attributes, and Deactivate Users. Click Save.
   
5. Scroll down to Sharesecret Attribute Mappings. The Sharesecret Okta app supports a "role" attribute that corresponds to a user's Sharesecret role. A user can have a role of admin, manager, user. If you don't define a mapping in Okta for the role attribute, new users will be automatically provisioned with the user role by default.
   
   Learn more about Sharesecret user roles.
6. Click Save.
7. You can now assign users to the Sharesecret app, and their accounts will be automatically provisioned in Sharesecret.

Troubleshooting

If you run into any issues, email suport@sharesecret.co.