Single Sign-On

If you use a service that authenticates your users, you can enable single sign-on (SSO) into Oktopost. Oktopost supports this using Security Assertion Markup Language (SAML) version 2.0 and higher.

Oktopost functions as a SAML Service Provider (SP) and relies on an external Identity Provider (IdP) to authenticate users. Once SSO is enabled, the IdP validates the user's credentials and, when the user wants to use Oktopost, sends a signed SAML message to Oktopost (the SP). This message tells Oktopost that the user is authorized to use the software.

Note: users are provisioned manually by Oktopost, and user permissions are maintained within Oktopost. A user on multiple Oktopost accounts can only sign in with one SSO provider.

How to Set Up Single Sign-On

First, go to Settings > Security > Single Sign-On, enable SSO, and enter your IdP details:

  1. SAML Endpoint - your IdP's SSO URL.
  2. Issuer URL - your IdP's Issuer URL.
  3. X.509 Certificate - your IdP's certificate; .pem, .cert, .cer and .crt files are supported.

Click Save, and you're done.

How to Send a SAML Request

Once you have configured the settings, have your IdP send the SSO response (a SAML Response) to the Assertion Consumer Service (ACS) URL:

https://app.oktopost.com/auth/acs

or for EU-hosted accounts:

https://eu-app.oktopost.com/auth/acs

Make sure the Name ID in the response is mapped to the user's email address.
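As an added illustration (not Oktopost's code), the following shows the kind of check a service provider's ACS endpoint runs on an incoming SAML Response against the settings configured above: the Destination must be the ACS URL, the Issuer must be the configured IdP Issuer URL, the assertion must be signed with the configured X.509 certificate, and the NameID must be an email address. The issuer, certificate and email values are constructed placeholders, and cryptographic XML signature verification is assumed to be done separately by an XML-DSig library.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP settings (placeholders, not a real tenant's values).
SP_CONFIG = {"acs_url": "https://app.oktopost.com/auth/acs",
             "idp_issuer": "https://companyidp.example/saml",
             "idp_cert": "MIIBexampleCERT"}  # base64 body of the uploaded IdP X.509 certificate

# Constructed sample Response: signed by the configured certificate, NameID is an email address.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" Destination="https://app.oktopost.com/auth/acs">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://companyidp.example/saml</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBexampleCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion></samlp:Response>"""

def _norm_cert(cert: str) -> str:
    """Strip PEM armour and whitespace so certificates compare byte-for-byte."""
    return re.sub(r"\s+|-----(BEGIN|END) CERTIFICATE-----", "", cert)

def check_saml_response(xml_text: str, cfg: dict) -> list:
    """Return the policy violations found; an empty list means all structural checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    # A Destination other than our ACS URL means the message was meant for another SP.
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion present"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg["idp_issuer"]:
        problems.append("Issuer %r is not the configured IdP Issuer URL" % issuer)
    # The assertion must carry a signature whose certificate is the one uploaded in Settings.
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    if not cert:
        problems.append("Assertion is not signed")
    elif _norm_cert(cert) != _norm_cert(cfg["idp_cert"]):
        problems.append("signing certificate is not the configured IdP certificate")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append("NameID is not mapped to an email address")
    return problems
```

Run the checks before the NameID is used to look up the Oktopost user; any non-empty result should be logged and the login rejected.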

Sample Authentication Request

Here's a sample request for an SP-initiated flow:

<?xml version="1.0"?>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
              ID="_XXXX"
              Version="2.0"
              IssueInstant="2018-07-04T00:00:00Z"
              Destination="https://companyidp.com"
              ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
              AssertionConsumerServiceURL="https://app.oktopost.com/auth/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://app.oktopost.com</saml:Issuer>
  <NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                AllowCreate="true" />
</AuthnRequest>

Require Single Sign-On

You can force single sign-on for all Oktopost users including advocates. This feature extends to the advocacy mobile app once your advocates update it to version 2.3.5 or higher.

To force single sign-on, enable 'Require SSO' when you configure your single sign-on settings under Settings > Security > Single Sign-on.

Excluding Users from SSO

You can choose to exclude some users from being required to log in using SSO. This is helpful if you need to designate a person on your team who can still log into Oktopost if your IdP service is down, or if other issues prevent your team from logging in through SSO.

To do this, an admin must add the users to the exclusion list.

Note: Only users who have already been invited to Oktopost or Board can be excluded. Additionally, if a user has access to both Oktopost and Board, they will be excluded from SSO for both applications; it is not possible to exclude them from one app but not the other.

Certifying SAML Requests

Oktopost supports certifying SAML requests for SSO providers that support this. First, download the certificate from Settings > Security > Single Sign-on. Then, mark the certificate as required in your SSO provider and upload the certificate there.

One SSO Provider Per Account

Oktopost supports only one SSO configuration per account, and each user can only authenticate through one SSO Identity Provider (IdP) at a time.
