Configuring Single Sign On (SSO) with Okta for iPaaS + Conversational AI

The examples below were provided to TeamDynamix by clients who were able to successfully configure Single Sign On using Okta. Please note that TeamDynamix does not have expertise in IdP configurations for Okta. It is best for you to speak with your internal technical team or an Okta professional for any issues or questions related to configuring Single Sign On in Okta.

Overview

This article covers how other TeamDynamix clients have configured Okta to allow Single Sign On authentication with iPaaS and Conversational AI.

Step 1: Gather Assertion Consumer Service URL from iPaaS + Converational AI Metadata

Before configuring SSO in Okta, you will need the AssertionConsumerService URL from iPaaS + Conversational AI.

  1. Log in to iPaaS + Conversational AI
  2. On the top navigation bar, go to Administration > Organization Settings
  3. Click on the Settings tab
  4. Set the User Authentication Requirements dropdown to SAML
  5. In the top right corner, click the Service Provider Metadata link
    1. The metadata will open in a new tab
  6. Find the link that starts with "<md:AssertionConsumerService Binding", and copy what's in the "Location=" section
    1. US example: https://us1.teamdynamix.com/tdapp/SAML/SingleLogoutService?__cust=CUSTOMERNAME
    2. CA example: https://ca1.teamdynamix.com/tdapp/SAML/SingleLogoutService?__cust=CUSTOMERNAME
  7. Copy this value. You will need it when configuring Okta
  8. Click Cancel to cancel out of the SAML configuration for now

Step 2: Create SAML Application in Okta

  1. Login to your Okta Admin Apps portal: https://yourcompanydomain-admin.okta.com/admin/apps/active
  2. Click Add Application.
  3. Click Create New App.
  4. Click SAML 2.0 and click Create.
  5. Give the app an appropriate Name and tick both boxes to not display the app icon to users. This will confuse the users.
  6. Click Next.
  7. For Single-sign on URL, copy and paste the Consumer Assertion URL you copied from iPaaS in the "Step 1" section above
  8. Check the box to Use this for Recipient URL and Destination URL
  9. For Audience Restriction, copy and paste the appropriate value for your region and environment:
    1. For United States Customers: https://us1.teamdynamix.com
    2. For Canadian Customers: https://ca1.teamdynamix.com
  10. Change the Name ID Format to Email Address
  11. Change the Application Username to Okta Username
  12. Your Okta SAML application should now look something like the following image (shown for a US customer):Uploaded Image (Thumbnail)
  13. Scroll down and click Next.
  14. Click I’m an Okta customer adding an internal app and click Finish.

Step 3: Store Okta Metadata URL in iPaaS + Conversational AI

The last step before you can enable and test Okta authentication into iPaaS + Conversational AI is a metadata exchange.

First, get the identity provider metadata URL in Okta:

  1. In Okta, navigate to the application you created.
  2. Navigate to Settings > SAML 2.0
  3. Find the metadata URL, which should look like this: https://yourOktaDomainHere/app/yourOktaAppIDHere/sso/saml/metadata

Next, input it into iPaaS + Conversational AI:

  1. Log in to iPaaS + Conversational AI
  2. On the top navigation bar, go to Administration > Organization Settings
  3. Click on the Security tab
  4. Set the User Authentication Requirements dropdown to SAML
  5. In the SAML Definition URL box, paste the metadata URL you copied from Okta, then click the refresh icon
  6. At the bottom of the window, click Save Changes

Testing SSO Authentication

To test SSO authentication, use your organization-specific login URL to log in to iPaaS + Conversational AI.

Organization-Specific Sign-In Links

If you are logged in to SSO and access the generic iPaaS + Conversational AI URL for your region (e.g., https://ca1.teamdynamix.com), you will be automatically redirected to SSO and signed in to the environment. If you are not signed in to SSO, you will need to use your organization-specific SSO login link.
To access your organization-specific SSO URL:

  1. Log in to iPaaS + Conversational AI
  2. On the top navigation bar, go to Administration > Organization Settings
  3. Click on the Security tab
  4. Scroll to the bottom of the page
    1. The SSO Login URL is your organization-specific SSO URL

Best Practices for Testing SSO

When testing, a recommended approach is to use one browser (for instance Google Chrome) to have the iPaaS + Conversational AI SAML Settings page open in. Use a second browser (such as Firefox) in in-cognito or private browsing mode to actually test that SSO authentication is in fact working.

With this approach, if SSO authentication is not working or is in some way broken, you may quickly toggle SSO off back in the first browser. You can then safely troubleshoot the issues found and not be locked out of the system until you are ready to test again.

SSO Bypass URLs

If you misconfigured your SSO setup and you need to log back into iPaaS and Conversational AI to correct it, use the appropriate SSO bypass URL:

This URL will send you to the iPaaS and Conversational AI login screen where you can use your local iPaaS and Conversational AI account to log in.

Print Article