Single sign-on with Okta via SAML

Configuring Okta

As an administrator, log into Okta and click the Admin button at the top right of the screen. From here, click "Developer Console > Classic UI" at the top left of the screen.

Note that you will need to complete the steps below twice, once for desktop and once for mobile. Where the mobile configuration differs, it is noted.

Configuration steps

  1. Add a new application — Add a new application by clicking the Add Applications link, located under Shortcuts on the right-hand side of the screen. Click the Create New App button and complete the details as shown below.

    Okta > Create a New Application Integration dialog

  2. Name your application — Enter a name for your new App (e.g., Crowdicity) and upload an image if required.

    Okta options: App name is set to Crowdicity

    You should name your mobile app something distinct, such as "Crowdicity Mobile".

  3. Configuration — Complete the fields as per the screenshot below; you will need to click the Show Advanced Settings link to display all the fields. The values for the Single Sign On URL and Audience Restriction are based on your community URL. See Differences for mobile configuration, below, to find these values for the mobile configuration.

    Single Sign On URL:

    https://[yourcommunity.crowdicity.com]/saml/module.php/saml/sp/saml2-acs.php/crowdsaml2

    Audience Restriction:

    https://[yourcommunity.crowdicity.com]/saml/module.php/saml/sp/metadata.php/crowdsaml2

    Okta General options

    "Response" should be set to "Unsigned".

  4. Assertions — Under the section titled Attribute Statements (Optional) you will need to configure the Okta claims. Crowdicity requires a minimum set of assertions for the SAML configuration to operate correctly. The screenshot below, with the highlighted fields, is based on the Simple schema for user identities.

    Okta attributes statements

    You are also able to pass additional assertions into dynamic groups as shown in this screenshot (e.g. department and city). Please refer to Dynamic groups for more information about dynamic groups.

  5. Get metadata — Click the Next button at the bottom of the screen and complete the questions on the final page before clicking Finish. On the next page, click the Identity Provider metadata link to download an XML file, which you will be required to upload into the Medallia Ideas community (see below).

  6. Assign users — The final step is to assign the users. Simply click on the Assignments tab and add the relevant people you wish to allow into the community.

Differences for mobile configuration

The URLs are different for mobile, and also different for users in different regions:

Single Sign On URLs for mobile

UK

https://mobile.crowdicity.com/proxy/saml

Australia

https://mobile.crowdicity.com.au/proxy/saml

Ireland

https://mobile.crowdicity-ie.medallia.com/proxy/saml

US

https://mobile.crowdicity-us1.medallia.com/proxy/saml

Audience Restriction for mobile

UK

https://mobile.crowdicity.com/entityDescriptor.xml

Australia

https://mobile.crowdicity.com.au/entityDescriptor.xml

Ireland

https://mobile.crowdicity-ie.medallia.com/entityDescriptor.xml

US

https://mobile.crowdicity-us1.medallia.com/entityDescriptor.xml
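As an added example (not part of the original page or of Okta's or Crowdicity's own tooling), the following Python script derives the Single Sign On URL and Audience Restriction for step 3 and for the mobile table above from a community host and region, and inspects an Identity Provider metadata file of the kind downloaded in step 5 to confirm it carries a signing certificate and an HTTP-POST endpoint. The embedded metadata is a constructed sample whose entityID, host and certificate body are placeholders; `sp_values`, `inspect_idp_metadata` and `MOBILE_BASE` are names chosen here.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Mobile endpoints per region, as listed on this page.
MOBILE_BASE = {"uk": "https://mobile.crowdicity.com",
               "au": "https://mobile.crowdicity.com.au",
               "ie": "https://mobile.crowdicity-ie.medallia.com",
               "us": "https://mobile.crowdicity-us1.medallia.com"}

def sp_values(community_host, mobile_region=None):
    """Return the (Single Sign On URL, Audience Restriction) pair to enter in Okta."""
    if mobile_region is None:
        base = f"https://{community_host}/saml/module.php/saml/sp"
        return f"{base}/saml2-acs.php/crowdsaml2", f"{base}/metadata.php/crowdsaml2"
    base = MOBILE_BASE[mobile_region.lower()]
    return f"{base}/proxy/saml", f"{base}/entityDescriptor.xml"

# Constructed sample in the shape of Okta's metadata download; every value is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT_BASE64</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints and signing certs; list what the SP would miss."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = [c.text.strip() for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"  # no 'use' attribute means both uses
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    problems = []
    if not certs:  # with Response set to Unsigned, only the assertion carries a signature
        problems.append("no signing certificate: assertion signatures cannot be verified")
    if "HTTP-POST" not in sso:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_certs": len(certs), "problems": problems}
```

Run `inspect_idp_metadata` on the real XML downloaded from Okta before pasting it into the Medallia Ideas metadata box; a non-empty `problems` list means the login will fail or the assertion signature cannot be checked.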

Configuring Crowdicity

Using the metadata from Okta, follow the steps below:

  1. From the Medallia Ideas Admin menu, select Community Settings, then Authentication. On this screen, you can select the authentication methods your community will use and the order in which they are presented.

    The Medallia Ideas account login method can't be removed; however, it does not have to be the primary login method for your community. If you want SAMLv2 to appear first, you can choose the order in which each login method appears by clicking Order and selecting the position you want.

    SAML v2 options, Order selector is set to First

  2. Click Submit your metadata to pop up a new window, and then click Submit new metadata.

    Submit new metadata for desktop

  3. Paste your XML metadata into this box, and click submit. If the metadata is accepted, the screen will refresh and your endpoints will be listed, as in the example below.

    Desktop metadata list of values

    Repeat this process to submit the mobile metadata; use the same metadata you used for desktop.

  4. Click Enable for the SAMLv2 option, and then click Save at the bottom of the page.

    SAML v2 Enabled

Once this has been done, the Medallia Ideas login screen will present Organisation login as an option to users:

Sign-in screen with Crowdicity account selected

Using this option will redirect users to your login screen and return them to Medallia Ideas upon a successful login.