Tutorial: Adding Okta Identity Provider
The following article will guide you on how to add an Okta identity provider. Once it is added, users in your organization can access Caspio apps using credentials managed by Okta and sign out of both a Caspio directory and Okta with a single action.
Before you begin
Sign in to Okta with admin permissions and set up an Okta account.
STEPS IN CASPIO DIRECTORIES
- In Caspio directories, in the Identity providers tab, click Add identity provider.
Links from the 1. Service provider information section will be needed later to configure the external identity provider.
STEPS IN OKTA
- Sign in to Okta with an admin account and select Applications > Applications.
- In Create a new app integration, select Create App Integration → SAML 2.0.
- In the General Settings tab, configure the general settings and select Next.
- In the Configure SAML tab, fill in Single sign on URL and Audience URL (SP Entity ID) with Caspio service provider information according to the following table:
Caspio → Service provider information | Okta → Configure SAML |
---|---|
Copy the Service provider identifier (Entity ID) URL… | … and paste it into the Audience URL (SP Entity ID) field. |
Copy the Reply URL (Assertion consumer service URL)… | … and paste it into the Single sign on URL field. |
Copy the Logout URL… | … select Allow application to initiate Single Logout and paste the link into the Single Logout URL field. |
Note: Setting the logout URL to enable single logout is optional but recommended because it increases application security.
- In the Feedback tab, select a relevant option. Click Finish.
- In Okta, open the SAML Signing Certificates section and select View SAML setup instructions. You will need it in step 8b.
STEPS IN CASPIO DIRECTORIES
- In Caspio, go to the identity provider you are adding.
- Enter the name and select a user identifier in 2. Identity provider information. We recommend using the default Email field.
- Provide the copied links from step 7 according to the following table:
Okta → View SAML setup instructions | Caspio → Identity provider information |
---|---|
Copy the Identity Provider Single Sign-On URL… | …and paste it into the Single sign-on URL field in Caspio. |
Copy the Identity Provider Issuer… | …and paste it into the Identity provider identifier field in Caspio. |
Copy the Identity Provider Single Logout URL… | …and paste it into the Logout URL field in Caspio. This setting automatically signs users out of Okta when they sign out of Caspio. |
Note: Setting the logout URL to enable single logout is optional but recommended because it increases application security.
- In the SAML Signing Certificates section, download X.509 Certificate. You will need it in step 9.
- In the SAML signing certificate (x.509), upload the certificate from step 8c.
- Click Select and enable.
Setting Single Sign-out
You can configure single logout to sign out end users of both a Caspio directory and Okta with a single action. To do that, perform the following steps:
STEPS IN CASPIO DIRECTORIES
- Copy the Logout URL link from the 1. Service Provider Information section in Caspio.
STEPS IN OKTA
- Go to Okta and select Show advanced settings. Select Allow application to initiate Single Logout and update the Single Logout URL field with the link copied from Caspio.
- In the Sign On settings tab, click View SAML setup instructions. Copy the Identity Provider Single Logout URL.
STEPS IN CASPIO DIRECTORIES
- Paste the copied link from step 3 in Caspio > Identity provider information > Logout URL.
Testing
- Add a user to a group in Okta.
- From the left menu, select Directory > People, and then click Add person.
- Enter the first and last name of the user.
- Enter the same username as in the directory.
- In the Password field, select Set by admin and enter the password.
- Optional: Clear the User must change password on first login checkbox.
- Save the changes.
- From the left menu, click Applications and select the newly created app.
- Click the Assign button > Assign to people.
- Select the newly created user and click Assign.
- Add a user in Caspio directories.
- In the Users tab, create a user.
- Enter the email address of the test user from Okta (step 1a of the testing procedure). The user email in Okta and in the Caspio directory must match.
- Select the sign-in method that corresponds to the identity provider name set up in step 4 above.
- Sign in to the user portal with Okta.
- In Caspio directories, select User portal.
- In the User portal URLs, click the Settings URL.
- On the login page of the user portal, enter the email address of the newly created test user in the Caspio directory.
- On the Okta login page, log in with the Okta credentials.
- You should be redirected to the Settings page of the user portal, where you can see the profile information of the logged-in user, including the email address.
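If the test sign-in fails, the usual cause is a value pasted into the wrong field or a mismatched user email. The following troubleshooting check is an added example, not Caspio or Okta code: it compares a decoded SAML response from your own test login with the values configured above. All URLs, the sample response, and the assumption that Okta sends the user's email as the NameID are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders for the values copied between the two consoles.
EXPECTED = {
    "issuer": "https://idp.example/issuer-placeholder",  # Identity Provider Issuer
    "audience": "https://sp.example/saml/entity",  # Service provider identifier (Entity ID)
    "destination": "https://sp.example/saml/acs",  # Reply URL (ACS URL)
}

# Constructed, unsigned sample of a decoded SAML response from a test sign-in.
SAMPLE_RESPONSE = """\
<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
            xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
            Destination="https://sp.example/saml/acs">
  <a:Assertion>
    <a:Issuer>https://idp.example/issuer-placeholder</a:Issuer>
    <a:Subject><a:NameID>test.user@example.com</a:NameID></a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>https://sp.example/saml/entity</a:Audience>
    </a:AudienceRestriction></a:Conditions>
  </a:Assertion>
</p:Response>"""


def check_response(xml_text, expected, directory_email):
    """List mismatches between a decoded response and the configured values.

    Troubleshooting aid only: it does not verify the XML signature, so it
    must never be used to decide whether a sign-in is trusted.
    """
    root = ET.fromstring(xml_text)
    a = "a:Assertion/"
    found = {
        "issuer": root.findtext(a + "a:Issuer", "", NS),
        "audience": root.findtext(
            a + "a:Conditions/a:AudienceRestriction/a:Audience", "", NS),
        "destination": root.get("Destination", ""),
    }
    problems = [f"{k}: got {found[k].strip()!r}, expected {v!r}"
                for k, v in expected.items() if found[k].strip() != v]
    name_id = root.findtext(a + "a:Subject/a:NameID", "", NS).strip()
    if name_id != directory_email:  # exact match is an assumption of this sketch
        problems.append(f"NameID {name_id!r} != directory email {directory_email!r}")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, EXPECTED, "test.user@example.com") or "OK")
```

An `audience` and `destination` mismatch reported together typically means the Entity ID and Reply URL were pasted into each other's fields in the Configure SAML tab.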