Configure SAML SSO for Okta

This article is for technical system administrators who can access your organisation's identity management system.

This article explains how to set up and configure single sign-on between Checkbox and your Okta instance.


Create an App Integration on Okta

  1. Go to your Okta Admin console
  2. Click Applications in the side bar
  3. Click Create App Integration
  4. Select the SAML 2.0 option
  5. Click Next to proceed

Configure your Application with Checkbox SAML Details

  1. Give your Application a name and click 'Next'.
  2. On Checkbox, go into Account Settings > SSO Configuration and copy the details from 'Step 1: Copy Checkbox SAML Settings' of the self-serve guide over into the corresponding fields in your Okta application's SAML Settings.
  3. On Okta, fill in your SAML Settings section with the following values:
    • Single sign on URL: Insert the Assertion Consumer Service URL value from Checkbox here
    • Audience URI (SP Entity ID): Insert the Entity ID value from Checkbox here
    • NameID Format: EmailAddress
    • Application username: Email
  4. On Okta, in the Attribute Statements (optional) section, configure the additional claims specified in section 2 of the SSO Configuration page in Checkbox.
  5. Click Next to proceed

Configure your Okta App SAML settings on Checkbox

  1. On Okta, navigate to the Sign on tab of your newly created Application
  2. Scroll down until you see the SAML Setup section on the right-hand side of the screen and click the View SAML setup instructions button.
  3. On the new page, copy the Identity Provider Single Sign-on URL and paste it into the Sign on endpoint field in Section 3 of the Checkbox SSO Configuration page.
  4. Go back to the previous page on Okta, scroll down to the SAML Signing Certificates section, click on the Actions dropdown for the SHA-2 row (the second row in the table), right-click the View IdP metadata item, and copy the link address.
  5. Copy this value into the Provide federation metadata details field as a Metadata URL on the Checkbox SSO Configuration page.

Test your SSO Connection

Once you have configured the above, you are nearly ready to test your SSO connection. Before you do, remember to assign yourself or another test user to the created Application to make sure you have access.

Once you have configured your SAML Application settings and assigned users or groups to Checkbox, you can test your SSO connection. On Checkbox, go to step 4. Test Connection of the SSO configuration menu and click Test SSO Connection.

If everything has been configured correctly, you should be presented with a success message. If you see an error, please double-check your settings above, or contact our support team.

Once you have successfully configured and tested your SSO connection, you can enforce SSO for all users or just those users that match the registered domains.