What does the Okta integration do?
Okta is the foundation for secure connections between people and technology. Okta's IT products uniquely use identity information to grant people access to applications on any device at any time, while still enforcing strong security protections. Okta's Platform securely connects companies to their customers and partners. Today, thousands of organizations trust Okta to help them fulfill their missions as quickly as possible.
Okta supports the following enterprise identity management features for Litmos as an Okta Cloud Connect Technology Partner:
- Application visibility
- Application Auto-launch
- Browser Plugin to Auto-submit credentials
- Virtual Private Network imposition
- Secure Web-Authentication (SWA)
- SAML 2.0
- Sign On Policies
- Provisioning Features
- Profile Attributes & Mappings
- Groups and Push Groups
- Access Logs
Litmos offers SAML integration with Single Sign On using Okta as an IdP (Identity Provider). This integration allows Okta users to log in directly to their Litmos learning accounts and automatically provisions new users in the system. Using Active Directory integration through Okta streamlines the effort needed to administer users in Litmos. The steps outlined below set up this integration.
Supported Features for the Integration
The Okta/Litmos SAML integration currently supports the following features:
- IdP-initiated SSO
- Just In Time (JIT) Provisioning
Add Litmos to Okta
Before your organization can begin using Litmos with Okta, an Okta Administrator will need to add the Litmos app to the Okta account. An Okta Administrator can perform this by navigating to the "Applications" tab, clicking on the "Add Application" button and then choosing to "add" the Litmos app to Okta.
Configure General Settings in Okta
Once Litmos has been added, the next step for the Okta Administrator will be to configure the "General Settings" for the Litmos app. This includes creating an application label, confirming the Litmos login URL, configuring the application's visibility and determining the use of the browser plugin.
The application label is what displays to end-users when viewing the app in Okta. The login URL is the destination for the user login, which can be a ".Litmos.com" domain or a custom domain. Check your Litmos account to verify the login URL.
The application visibility is what determines if end-users in Okta will be able to view the Litmos app on the Okta content tab, or add the app to their content tab.
SAML SSO Configuration Okta
Litmos App using SHA256 (updated SAML settings)
- In Okta, ensure you are on the version of the integration which utilizes the SHA256 digest and signature algorithm. To check this:
  - Navigate to the Litmos integration in your Okta admin console, then select the Single Sign-on tab.
  - Scroll down to the ADVANCED SIGN-ON SETTINGS section and check the Use SHA256 Signature Algorithm for SAML checkbox.
- Sign into your Litmos account.
- Click on the settings icon on the left side menu, then select Integrations.
- Select SAML 2.0 (Single Sign On).
- In the window that opens, DO NOT click on the "Okta and OneLogin users click here" link, as this will take you to a set-up screen that uses the old Litmos SAML endpoint and SHA1 algorithm.
  Instead, copy and paste the following metadata file into the SAML Metadata field.
  Important! Exclude the following first line of the metadata, as Litmos gives an error if it is included: <?xml version="1.0" encoding="UTF-8"?>
  SAML Metadata:
  Sign in to Okta Admin app to have this variable generated for you.
- Click Save changes.
Migration guide for existing customers (Upgrade to SHA-2)
Before you migrate:
- Okta recommends that you budget 1-2 days for the migration project, including planning, testing, and rollout.
- Decide on a time you will be performing the migration, and inform end users in advance about the downtime. Litmos does not support multiple IdPs, so once you switch to SHA2 in Okta, the end users will be unable to log in until you've completed all steps in Litmos as outlined in the migration section below.
- Find the updated Litmos integration with a self-serviceable option to switch between the two cryptographic hash algorithms.
Migration Steps:
- In Okta, ensure you are on the version of the integration which utilizes the SHA256 digest and signature algorithm. To check this:
  - Navigate to the Litmos integration in your Okta admin console, then select the Single Sign-on tab.
  - Scroll down to the ADVANCED SIGN-ON SETTINGS section and check the Use SHA256 Signature Algorithm for SAML checkbox.
- Sign into your Litmos account.
- Click on the settings icon on the left side menu, then select Integrations.
- Select SAML 2.0 (Single Sign On).
- Uncheck the Enable SAML checkbox, then click Save changes.
- Again, select SAML 2.0 (Single Sign On).
- In the window that opens, DO NOT click on the "Okta and OneLogin users click here" link, as this will take you to a set-up screen that uses the old Litmos SAML endpoint and SHA1 algorithm.
  Instead, copy and paste the metadata file generated above into the SAML Metadata field.
  Important! Exclude the following first line of the metadata, as Litmos gives an error if it is included: <?xml version="1.0" encoding="UTF-8"?>
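A check for the SHA1-to-SHA256 switch described in the two procedures above, added here as an example and not part of the Litmos or Okta documentation. It strips the XML declaration that Litmos rejects and reports which signature and digest algorithms a base64 SAMLResponse (as captured from the browser's sign-in POST) declares. The function names and the sample response are constructed for illustration, and RSA-SHA256 is assumed to be the expected signature method.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Algorithm URIs as defined by the XML Signature and XML Encryption specs.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def strip_xml_declaration(metadata):
    """Drop a leading <?xml ...?> declaration before pasting into Litmos."""
    text = metadata.lstrip("\ufeff \t\r\n")
    if text.startswith("<?xml"):
        text = text[text.index("?>") + 2:]
    return text.lstrip()

def signature_algorithms(saml_response_b64):
    """Return (SignatureMethod, [DigestMethod, ...]) for each ds:Signature.
    Reads declared algorithms only; it does not validate the signature."""
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("refusing to parse a SAML message containing a DTD")
    found = []
    for sig in ET.fromstring(raw).iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        digests = sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")
        found.append((method.get("Algorithm") if method is not None else None,
                      [d.get("Algorithm") for d in digests]))
    return found

def uses_only_sha256(saml_response_b64):
    """True only if the message is signed and every algorithm is SHA-256."""
    sigs = signature_algorithms(saml_response_b64)
    return bool(sigs) and all(
        m == RSA_SHA256 and d and set(d) == {SHA256} for m, d in sigs)

def sample_response(sig_uri, digest_uri):
    """Constructed, structurally minimal Response; not a real Okta message."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
           ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature>'
           f'<ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_uri}"/>'
           f'<ds:Reference><ds:DigestMethod Algorithm="{digest_uri}"/>'
           '</ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for name, (s, d) in {"SHA1": (RSA_SHA1, SHA1), "SHA256": (RSA_SHA256, SHA256)}.items():
        print(name, "->", uses_only_sha256(sample_response(s, d)))
```

A response that still declares SHA1 after the migration indicates the checkbox in Okta was not saved or the old integration version is still in use.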
Okta User Provisioning Configuration
1. Check the Enable API Integration box.
2. Enter your Litmos API Credentials:
   - Base API URL: Automatically added.
     If you are on the AU or EU database, the API URL will need to be changed slightly. (AU: https://api.litmos.com.au or EU: https://api.litmoseu.com)
   - Company: Enter your company name. This is used to identify you in Litmos. You can enter any value that identifies your organization in Litmos.
   - API Key: Enter the API key you copied from Litmos (see Requirements above). Also, make sure that your AccessLevel is Administrator or Account Owner.
3. Click Test API Credentials. If your API credentials are valid, you will see a success message.
   Following our November 15th API key change, if you get a "Verification failed: Error authenticating" message, please reach out to Okta Support. A feature to pass the API key via the header will need to be enabled.
4. Select To App in the left panel, then select the Provisioning Features you want to enable.
5. Click Save.
6. You can now assign people to the app, if needed (see below).
User Provisioning
- To assign users to the Litmos app, open the app, select the People tab and then click the Assign to People button.
- In the Assign Litmos to People dialog, select a user, then click the Assign button.
- You can select which access level to grant to each user by selecting the corresponding value from the AccessLevel dropdown menu.
- Click the Save and Go Back button.
Deep Linking into a Course or Learning Path from Okta
Here is the link for an article which will give you an overview of how you can use deeplinks for Okta integration:
Note: The user must be assigned directly or have the course or learning path added to the Course library to have access to it. If they do not have access to it, they will receive an "Invalid Access" error message.