This article is for technical system administrators who can access your organisation's identity management system.
This article explains how to set up and configure single sign-on between Checkbox and your Okta instance.
Table of Contents
Configure SAML SSO for Azure Active Directory (AAD/ADFS)
Configure SAML SSO for OKTA
Create an App Integration on Okta
- Go to your Okta Admin console
- Click Applications in the side bar
- Click Create App Integration
- Select the SAML 2.0 option
- Click Next to proceed
Configure your Application with Checkbox SAML Details
- Give your Application a name and click 'Next'.
- On Checkbox, go into Account Settings > SSO Configuration and copy the details from 'Step 1: Copy Checkbox SAML Settings' of the self-serve guide over into the corresponding fields in your Okta Application's SAML Settings.
- On Okta, fill in your SAML Settings section with the following values:
  - Single sign on URL: Insert the Assertion Consumer Service URL value from Checkbox here
  - Audience URI (SP Entity ID): Insert the Entity ID value from Checkbox here
  - NameID Format: EmailAddress
  - Application username: Email
- On Okta, in the Attribute Statements (optional) section, configure the additional claims specified in section 2 of the SSO Configuration page in Checkbox. Your settings should look like the following screenshot.
- Click Next to proceed
Configure your Okta App SAML settings on Checkbox
- On Okta, navigate to the Sign on tab of your newly created Application
- Scroll down until you see the SAML Setup section on the right-hand side of the screen and click the View SAML setup instructions button.
- On the new page, copy the Identity Provider Single Sign-on URL and paste it into the Sign on endpoint field in Section 3 of the Checkbox SSO Configuration page.
- Go back to the previous page on Okta, scroll down to the SAML Signing Certificates section, click on the Actions dropdown for the SHA-2 row (the second row in the table), right-click the View IdP metadata item, and copy the link address. Refer to the screenshot below.
- Copy this value into the Provide federation metadata details field as a Metadata URL on the Checkbox SSO Configuration page, as shown.
Test your SSO Connection
Once you have configured the above, you are nearly ready to test your SSO connection. Before you do, remember to assign yourself or another test user to the created Application to make sure you have access.
Once you have configured your SAML Application settings and assigned users or groups to Checkbox, you can test your SSO connection. On Checkbox, go to step 4, Test Connection, of the SSO configuration menu and click Test SSO Connection.
If everything has been configured correctly, you should be presented with a success message. If you see an error, please double-check your settings above, or contact our support team.
Once you have successfully configured and tested your SSO connection, you can enforce SSO for all users or just those users that match the registered domains.
Configure SAML SSO for Azure Active Directory (AAD/ADFS)
Create the SAML Enterprise Application
- Go to your Azure admin center - https://aad.portal.azure.com/
- Click on 'Enterprise applications'
- Click on 'New application'
- Click 'Create your own application'
- Give this Application a name and select the 'Integrate any other application you don't find in the gallery' option
- Press 'Create'
Configure your Application with Checkbox SAML Details
- Once your Application has been created, click 'Set up single sign on' from your new Application's Dashboard and select 'SAML'.
- Click on 'Edit' for Basic SAML Configuration
- On Checkbox, go into Account Settings > SSO Configuration and copy the details from 'Step 1: Copy Checkbox SAML Settings' of the self-serve guide over into the corresponding fields in your Azure Application's Basic SAML Configuration settings.
- On Azure, continue on to configure the 'Attributes & Claims' section, and ensure your claims match the following.
- On Azure, find your App Federation Metadata URL, Login URL and Logout URL, and copy these details into the Metadata URL, Sign on Endpoint, and Sign off endpoint fields on Checkbox respectively.
Provision user access
On Azure, click on 'Users and Groups' and click Add user/group to provision access to Checkbox via Azure.
Test your SSO Connection
Once you have configured your SAML Application settings and assigned users or groups to Checkbox, you can test your SSO connection. On Checkbox, go to step 4, Test Connection, of the SSO configuration menu and click Test SSO Connection.
If everything has been configured correctly, you should be presented with a success message. If you see an error, please double-check your settings above, or contact our support team.
Once you have successfully configured and tested your SSO connection, you can enforce SSO for all users or just those users that match the registered domains.