eRS supports single sign-on (SSO) logins through SAML 2.0. Okta is one of the most widely used SAML 2.0 identity providers (IdP) and can be configured to provide authentication for eRS. Okta is an enterprise-grade identity management service built for the cloud, but compatible with many on-premises applications.
Requirements
To use Okta IDP to log in to your eRS instance, you need the following:
- An active Okta subscription.
- Administrator access to the Okta instance.
- An eRS Cloud instance with a subscription to the 'Authentication Plus' module (available from the billing section).
After you meet these basic requirements, follow the steps below to add a SAML app integration in your Okta account.
Step 1 - Create App Integration in Okta
- Log in to your Okta admin console by visiting https://yoursubdomain-admin.okta.com/
- On your Okta Admin panel, go to Applications > Applications > Create App Integration
- Select SAML 2.0 for Sign-in method and click Next
- Give the application a name (in this example eRS) and click Next
- In the SAML Settings section, fill in the following information:
Single sign on URL: https://app.eresourcescheduler.cloud/login/saml/123456. Replace 123456 with your eRS Account ID. If you don't know your eRS account ID, visit the Account Details page in eRS.
Audience URI (SP Entity ID): https://app.eresourcescheduler.cloud/Zit5huIxEPe9bfEk
Name ID format: Email Address
- Under Attribute Statements, create the following attributes and click Next
- Select "I'm a software vendor. I'd like to integrate my app with Okta". Click Finish
After clicking Finish you'll be redirected to the Sign On tab. Click on View Setup Instructions. The instructions open in a new browser tab.
Step 2 - Configure eRS
After creating the app integration in the Okta Admin Console, you need to configure your eRS account to authenticate using SAML. To enable Okta SSO login for eRS, log in to your eRS account (with Admin privileges) and go to Authentication Settings in the Administration section. Click on the pencil icon to edit the SAML configuration, enable SSO and fill in the information from the setup instructions opened in the previous step.
Note: Do not copy the PEM header and footer lines of the certificate, i.e. "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"; paste only the base64 body between them.
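As an added example (not code from eRS or Okta), the following stdlib-only Python helper takes the certificate text as displayed in Okta's setup instructions, strips the boundary lines the note above refers to, and checks that what remains is valid base64 wrapping a well-formed DER certificate structure before you paste it into eRS. The sample certificate bytes are a constructed stand-in, not a real certificate.

```python
"""Prepare an Okta IdP signing certificate for pasting into eRS (added example)."""
import base64
import binascii
import re

# Matches PEM boundary lines, tolerating odd dash counts and mixed case.
_PEM_BOUNDARY = re.compile(r"^-+\s*(BEGIN|END)\s+CERTIFICATE\s*-+$", re.IGNORECASE)

def der_sequence_length(der: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE (every X.509 cert starts with one)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected leading 0x30 tag)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length prefix")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_saml_cert_body(pem_text: str) -> str:
    """Return the bare base64 body of a PEM certificate, with boundaries removed and validated."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not _PEM_BOUNDARY.match(ln))
    try:
        der = base64.b64decode(body, validate=True)   # rejects stray header text or bad padding
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from None
    if der_sequence_length(der) != len(der):
        raise ValueError("DER length prefix does not match certificate size")
    return body

# Constructed stand-in for the certificate shown by Okta's setup instructions:
# a minimal DER SEQUENCE wrapped in PEM boundaries. A real certificate is far
# longer but has the same outer structure.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(pem_to_saml_cert_body(SAMPLE_PEM))   # prints "MAMCAQU="
```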
Step 3 - Assign Users to eRS
So far you have configured the Okta IdP and eRS for SAML authentication. Now you need to assign the users who should have access to eRS to the eRS app integration in the Okta Admin Console.
- In the Okta Admin Console select Applications and select the eRS application that you created in the previous steps.
- From the navigation tabs, select Assignments.
- Click the Assign button, and select Assign to People.
- In the Assignment window, select the people you want to give access to, and click Done.
To check that Okta SSO login is working as expected, visit the SAML Login Page and enter your eRS Account ID to continue. It should redirect you to the Okta Sign-In page. Sign in as one of the users who was assigned access to the application in the previous step. After a successful login, you will be redirected back to eRS.
Important: When a user authenticates using SAML/SSO and logs into eRS for the first time, an entry for the user is created (if one does not already exist) with the default permission set applied. If no default permission set has been configured, the user will not have access to any data until their access rights are configured. You can create a permission set and mark it as the default here.
You can also use the URL https://app.eresourcescheduler.cloud/login/saml/123456, replacing 123456 with your eRS Account ID, to directly reach the Okta login page after a successful SAML configuration.