Okta Integration

Integrate single sign-on to Sqreen with Okta


Set Up

From the Okta Admin Dashboard, create a new application using the Create New App button in the application list.

From the popup window, set Platform to "Web", and Sign on method to "SAML 2.0".

On the following Create SAML Integration screen, give the application a name, and add an image (you can find a suitable logo under the "Okta" section of https://my.sqreen.com/profile/organization/integrations).

On the second Configure SAML panel, enter the values for Single sign on URL and Audience URI (SP Entity ID) that you can find under the "Okta" section of https://my.sqreen.com/profile/organization/integrations.

In the ATTRIBUTE STATEMENTS (OPTIONAL) section, add the following attribute:

  • Name: email
  • Format: Unspecified
  • Value: ${user.email}

The value for Name must be lowercase.
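
To confirm the attribute statement before rolling SSO out, you can inspect the assertion from a test login. The script below is an added example, not part of Sqreen's or Okta's tooling; it assumes you have the decoded, unencrypted assertion XML, and the sample assertion in it is constructed.

```python
import xml.etree.ElementTree as ET

# Inspection aid only: it does not verify the assertion signature.
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample: the attribute statement configured in the steps above.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_email_attribute(assertion_xml):
    """Return a list of problems with the 'email' attribute (empty list = OK)."""
    root = ET.fromstring(assertion_xml)
    attrs = root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS)
    exact = [a for a in attrs if a.get("Name") == "email"]
    if not exact:
        # Distinguish a wrong-case name from a missing attribute.
        near = [a.get("Name") for a in attrs
                if (a.get("Name") or "").lower() == "email"]
        if near:
            return [f"attribute is named {near[0]!r}; Name must be lowercase 'email'"]
        return ["no 'email' attribute in the assertion"]

    problems = []
    attr = exact[0]
    # SAML core: a missing NameFormat means "unspecified".
    name_format = attr.get("NameFormat", UNSPECIFIED)
    if name_format != UNSPECIFIED:
        problems.append(f"NameFormat is {name_format!r}, expected Unspecified")
    values = [(v.text or "").strip()
              for v in attr.findall("saml2:AttributeValue", NS)]
    if not any("@" in v for v in values):
        problems.append("'email' has no usable value; check the Value expression")
    return problems


if __name__ == "__main__":
    for label, xml in [("as configured", SAMPLE),
                       ("capitalised name", SAMPLE.replace('Name="email"', 'Name="Email"'))]:
        print(label, "->", check_email_attribute(xml) or "OK")
```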

Click Next, and on the final screen, select the "I'm an Okta customer adding an internal app" radio button, ignore the optional questions, and click Finish.

After creating the application, you will see a "SAML 2.0 is not configured until you complete the setup instructions." warning. Click the View Setup Instructions button.

The following screen gives you a value that you need to copy and paste into the "Identity Provider Single Sign-On URL" field and a certificate to upload to the "Certificate" field on the https://my.sqreen.com/profile/organization/integrations page. You don't need the other values for the integration. Then click Enable Okta to finish.

User Login

Now when a user clicks the "Sqreen" application on the Okta dashboard they are logged in to Sqreen. When logging in for the first time, a new user account is created and automatically linked with your Sqreen organization.

Notes

If a Sqreen user with a given e-mail already exists, and is assigned to a different organization, SSO login for a user with the same e-mail will not succeed.

If an SSO user has the same e-mail as a Sqreen user in the same organization, then these users will be linked together, and the user will be able to log in either via SSO or with their password.

When your Sqreen plan provides access to Role-based access control (RBAC), the new user has the "team member" role. Otherwise, they have access to all features like any team member.

Notes

Users provisioned via SSO will not be able to enable password-based login.

However, users that existed before logging in via SSO (in the same team) will retain their ability to log in with passwords, as well as reset their passwords.

Further Information

Missing Okta Integration Settings

If you do not see an "Okta" section at https://my.sqreen.com/profile/organization/integrations, then this feature has not been enabled for your plan.

What Happens to Deactivated Users

It is currently not possible to automatically delete Sqreen team members when their corresponding users are deactivated in Okta.

If you remove users from Okta, you will need to manually delete them from your Sqreen organization's team page.

However, these users will not be able to log in anymore, unless they were in the team before the start of SSO use in your organization.