This article is for technical system administrators who can access your organisation's identity management system.
This article explains how to set up and configure single sign-on between Checkbox and your Okta instance.
Create an App Integration on Okta
- Go to your Okta Admin console
- Click Applications in the side bar
- Click Create App Integration
- Select the SAML 2.0 option
- Click Next to proceed
Configure your Application with Checkbox SAML Details
- Give your Application a name and click 'Next'.
- On Checkbox, go into Account Settings > SSO Configuration and copy the details from 'Step 1: Copy Checkbox SAML Settings' of the self-serve guide over into the corresponding fields in your Azure Application's Basic SAML Configuration settings.
- On Okta, fill in your SAML Settings section with the following values:
  - Single sign on URL: Insert the Assertion Consumer Service URL value from Checkbox here
  - Audience URI (SP Entity ID): Insert the Entity ID value from Checkbox here
  - NameID Format: EmailAddress
  - Application username: Email
- On Okta, in the Attribute Statements (optional) section, configure the additional claims specified in section 2 of the SSO Configuration page in Checkbox. Your settings should look like the following screenshot.
- Click Next to proceed
Configure your Okta App SAML settings on Checkbox
- On Okta, navigate to the Sign on tab of your newly created Application
- Scroll down until you see the SAML Setup section on the right-hand side of the screen and click the View SAML setup instructions button.
- On the new page, copy the Identity Provider Single Sign-on URL and paste it into the Sign on endpoint field in Section 3 of the Checkbox SSO Configuration page.
- Go back to the previous page on Okta, scroll down to the SAML Signing Certificates section, click on the Actions dropdown for the SHA-2 row (the second row in the table), right-click the View IdP metadata item, and copy the link address. See the screenshot below.
- Copy this value into the Provide federation metadata details field as a Metadata URL on the Checkbox SSO Configuration page, as shown.
Test your SSO Connection
Once you have configured the above, you are nearly ready to test your SSO connection. Before you do, remember to assign yourself or another test user to the created Application to make sure you have access.
Once you have configured your SAML Application settings and assigned users or groups to Checkbox, you can test your SSO connection. On Checkbox, go to Step 4: Test Connection of the SSO configuration menu and click Test SSO Connection.
If everything has been configured correctly, you should be presented with a success message. If you see an error, please double-check your settings above, or contact our support team.
Once you have successfully configured and tested your SSO connection, you can enforce SSO for all users or just those users that match the registered domains.