What does the Okta integration do?
Okta is the foundation for secure connections between people and technology. Okta’s IT products uniquely use identity information to grant people access to applications on any device at any time, while still enforcing strong security protections. Okta’s Platform securely connects companies to their customers and partners. Today, thousands of organizations trust Okta to help them fulfill their missions as quickly as possible.
Okta supports the following enterprise identity management features for Litmos as an Okta Cloud Connect Technology Partner:
- Application visibility
- Application Auto-launch
- Browser Plugin to Auto-submit credentials
- Virtual Private Network imposition
- Secure Web-Authentication (SWA)
- SAML 2.0
- Sign On Policies
- Provisioning Features
- Profile Attributes & Mappings
- Groups and Push Groups
- Access Logs
Litmos offers SAML integration for Single Sign-On using Okta as an IdP (Identity Provider). This integration lets Okta users log in directly to their Litmos learning accounts and automatically provisions new users in the system. Combined with Active Directory integration through Okta, this streamlines the effort needed to administer users in Litmos. The steps outlined below set up this integration.
Supported Features for the Integration
The Okta/Litmos SAML integration currently supports the following features:
- IdP-initiated SSO
- Just In Time (JIT) Provisioning
Add Litmos to Okta
Before your organization can begin using Litmos with Okta, an Okta Administrator will need to add the Litmos app to the Okta account. An Okta Administrator can perform this by navigating to the “Applications” tab, clicking on the “Add Application” button and then choosing to “add” the Litmos app to Okta:
Configure General Settings in Okta
Once Litmos has been added, the next step for the Okta Administrator will be to configure the “General Settings” for the Litmos app. This includes creating an application label, confirming the Litmos login URL, configuring the application’s visibility and determining the use of the browser plugin:
The application label is what displays to end-users when viewing the app in Okta. The login URL is the destination for the user login, which can be a “.Litmos.com” domain or a custom domain. Check your Litmos account to verify the login URL.
The application visibility is what determines if end-users in Okta will be able to view the Litmos app on the Okta content tab, or add the app to their content tab.
SAML SSO Configuration
- Sign into your Litmos account.
- Click the Account Settings icon in the left side menu (or in the profile dropdown in the horizontal theme), then select Integrations:
- Select SAML 2.0 (Single Sign On):
- Copy and paste the contents of the metadata file into the SAML Metadata field. The metadata can be found in Okta under Sign On > View Setup Instructions.
Important! Exclude the first line of the metadata, <?xml version="1.0" encoding="UTF-8"?>, as Litmos returns an error if it is included.
- Click Save changes:
Important Note: If your IdP doesn’t support encrypted assertions, make sure “Verify assertion signatures and encryption” is unchecked or you will encounter an error.
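The two checks an administrator wants before pasting the Okta metadata into Litmos are that the XML declaration on the first line is gone and that what remains still parses and still carries the HTTP-POST SingleSignOnService endpoint. The following is an added example, not code from Litmos or Okta; the metadata document is constructed in the shape Okta shows under View Setup Instructions, using the page’s example app ID and an assumed domain.okta.com tenant.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; the app ID is the page's example value and
# domain.okta.com stands in for a real tenant.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkfxcjddb23t0uKk0h7">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://domain.okta.com/app/litmos/exkfxcjddb23t0uKk0h7/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://domain.okta.com/app/litmos/exkfxcjddb23t0uKk0h7/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_xml_declaration(metadata: str) -> str:
    """Remove the leading <?xml ...?> declaration that Litmos rejects; leave anything else alone."""
    return re.sub(r"^\s*<\?xml[^>]*\?>\s*", "", metadata, count=1)


def http_post_sso_url(metadata: str) -> str:
    """Return the HTTP-POST SingleSignOnService Location, or raise if the metadata has none."""
    root = ET.fromstring(metadata)
    for svc in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
        if svc.get("Binding") == HTTP_POST:
            return svc.get("Location")
    raise ValueError("no HTTP-POST SingleSignOnService in metadata")


def prepare_for_litmos(metadata: str) -> str:
    """Strip the declaration, then prove the result still parses and still has a POST endpoint."""
    cleaned = strip_xml_declaration(metadata)
    http_post_sso_url(cleaned)  # raises if the edit broke the XML or dropped the endpoint
    return cleaned


if __name__ == "__main__":
    ready = prepare_for_litmos(SAMPLE_METADATA)
    print(ready.splitlines()[0])  # the pasted text now starts with <md:EntityDescriptor
    print(http_post_sso_url(ready))
```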
Okta User Provisioning Configuration
- Check the Enable API Integration box.
- Enter your Litmos API Credentials:
  - Base API URL: Automatically added. If you are on the AU or EU database, the API URL will need to be changed slightly (AU: https://api.litmos.com.au or EU: https://api.litmoseu.com). In the field titled ‘Base API URL’, populate: https://api.litmos.com
  - Company: Enter your company name. This is used to identify you in Litmos. You can enter any value that identifies your organization in Litmos.
  - API Key: Enter the API key you copied from Litmos (see Requirements above). Also, make sure that your AccessLevel is Administrator or Account Owner.
- Click Test API Credentials. If your API credentials are valid, you will see a success message, as shown here:
- Select To App in the left panel, then select the Provisioning Features you want to enable:
- Click Save.
- You can now assign people to the app, if needed (see User Provisioning).
User Provisioning
- To assign users to the Litmos app, open the app, select the People tab and then click the Assign to People button:
- In the Assign Litmos to People dialog, select a user, then click the Assign button:
- You can choose which access level to grant to each user by selecting the corresponding value from the AccessLevel dropdown menu:
- Click the Save and Go Back button.
Deep Linking into a Course or Learning Path from Okta and OneLogin
The user must be assigned to the course or learning path directly, or have it added to the Course library, to have access to it. If they do not have access, they will receive an “Invalid Access” error message.
Once single sign-on is set up, we can use the RelayState query parameter to redirect users to a specific course directly upon login instead of to the dashboard. This is useful when users arrive from the course assignment email.
Okta
For Okta, the URL for deeplinking to a course should follow the format seen below:
https://Domain.okta.com/app/litmos/exkfxcjddb23t0uKk0h7/sso/saml?RelayState=https://domain.litmos.com/course/12345
Note: exkfxcjddb23t0uKk0h7 is an example Litmos App ID; use your own unique App ID, generated by Okta for the Litmos app, in the deep link. This is found in the metadata.
This is simply the HTTP-POST link followed by the RelayState query parameter. The link can be found in the metadata provided by Okta:
We can use the above in the course assignment email as the course link. Below is the form to use in the course assignment email for the deep link to work.
https://Domain.okta.com/app/litmos/exkfxcjddb23t0uKk0h7/sso/saml?RelayState=https://domain.litmos.com/course/[COURSE_ID]
Note: Okta has released a new Litmos app for our SHA-256 endpoint, domain.litmos.com/integration/splogin, which is live.
OneLogin
For OneLogin, the process is the same as above, but the URL is the SAML 2.0 Endpoint, which can be found in the SSO tab of the Litmos app settings in OneLogin.
Something like this:
https://domain.onelogin.com/trust/saml2/http-post/sso/742576?RelayState=https://domain.litmos.com/course/12345
We can follow the same process as for Okta by using the link in the course assignment email.
https://domain.onelogin.com/trust/saml2/http-post/sso/742576?RelayState=https://domain.litmos.com/course/[COURSE_ID]
[COURSE_ID] is the placeholder that is dynamically replaced with the course ID.
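Both the Okta and the OneLogin deep links above are the IdP’s HTTP-POST SSO URL with a RelayState appended, so one builder serves both. This is an added example, not Litmos, Okta or OneLogin code: it URL-encodes the RelayState, accepts only a numeric course ID so the link can never be assembled into a redirect off the tenant’s Litmos host, and includes the allowlist check a service provider should apply before following a RelayState after login (whether Litmos performs exactly this check is not stated on the page). The Okta app ID and OneLogin endpoint ID are the page’s example values; domain.litmos.com is an assumed tenant domain.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: the Okta app ID and the OneLogin endpoint ID are the
# page's example values; the Litmos host is an assumed tenant domain.
OKTA_SSO = "https://domain.okta.com/app/litmos/exkfxcjddb23t0uKk0h7/sso/saml"
ONELOGIN_SSO = "https://domain.onelogin.com/trust/saml2/http-post/sso/742576"
LITMOS_HOST = "domain.litmos.com"


def course_deep_link(sso_url: str, course_id: str, litmos_host: str = LITMOS_HOST) -> str:
    """Build an IdP-initiated SSO link that lands the user on one course.

    RelayState is URL-encoded so the target survives the trip through the IdP,
    and it is built only from the tenant host plus a numeric course ID, so a
    caller cannot smuggle another host or path into the redirect target.
    """
    if not course_id.isdigit():
        raise ValueError(f"course_id must be numeric, got {course_id!r}")
    target = f"https://{litmos_host}/course/{course_id}"
    return f"{sso_url}?{urlencode({'RelayState': target})}"


def relay_state_of(link: str) -> str:
    """Decode the RelayState carried by a deep link (what the SP will receive)."""
    return parse_qs(urlsplit(link).query)["RelayState"][0]


def is_safe_relay_state(relay_state: str, litmos_host: str = LITMOS_HOST) -> bool:
    """Allowlist check an SP should run before honoring RelayState after login:
    https only, exactly the tenant host, and either a course path or the dashboard."""
    p = urlsplit(relay_state)
    return (p.scheme == "https" and p.netloc.lower() == litmos_host
            and (p.path.startswith("/course/") or p.path in ("", "/")))


if __name__ == "__main__":
    for sso in (OKTA_SSO, ONELOGIN_SSO):
        link = course_deep_link(sso, "12345")
        print(link, is_safe_relay_state(relay_state_of(link)))
```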