Single Sign-On (SSO) with Okta

This article outlines how to configure Single Sign-On with Okta.

General documentation regarding SSO can be found here: Single Sign-On (SSO)

Prerequisites

  • Access to integration settings in Eletive
  • Appropriate access rights in Okta
Also note that Internet Explorer should NOT be used; use a modern and secure browser (e.g. Chrome).

In Okta

  • Navigate to "Applications" in the menu
  • Click on "Create App Integration"
    • For "Sign-in method", select "OIDC - OpenID Connect"
    • For "Application type", select "Single-Page Application"
    • Click "Next"
  • Under "General Settings"
    • Write a name in the "App Integration Name"-field
    • For "Grant type", also tick "Implicit (hybrid)"
    • For "Sign-in redirect URIs", remove/replace the default URI with "https://app.eletive.com/signin/openid"
    • For "Sign-out redirect URIs", remove the default URI. We do not have one in place
    • Note: Other fields may still be subject to further configuration. This is an example of a basic configuration.
  • Under "Assignments"
    • For "Controlled Access", select the appropriate access level depending on existing groups. If unsure, select "Skip group assignment for now"
  • Press "Save"

Your integration app has now been configured in Okta. Under "Client Credentials" you can find the "Client ID", which will be used on the Eletive side.

In Eletive

  • Start by navigating to "Settings -> Integrations" in Eletive
  • Select "Single Sign-On"
    • If it is not present, it needs to be activated in the features panel
    • Navigate to "Settings -> Features" and activate "Integrations" and "Single Sign-On". After this, "Integrations" will be visible under "Settings"
  • In the "Choose provider" dropdown, select "Other, (OpenID)"
  • Add the "Well Known URL" and "ClientID" and press "Connect" in the dropdown as well
    • Well Known URL is: https://${yourOktaDomain}/.well-known/openid-configuration (replace "${yourOktaDomain}" with your Okta domain)
    • Copy and paste "Client ID" from Okta
  • Email field (optional field): it is possible to specify which field of the id_token to use for authentication. Note that the emails of Eletive users need to match the email in that id_token field.
  • Restrict Single Sign-On domains: it is possible to restrict Single Sign-On to specific domains or include all domains. Specific domains can be included or excluded depending on the use case.
  • Press "Connect"
  • Test it by opening an incognito browser window and trying to sign in to Eletive. This time Okta should be used for authentication: you should be redirected to an Okta authentication window.

Tip: When testing, stay logged in to your Eletive account in a separate tab. This way you can simply remove or reconfigure the SSO connection if needed.
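
The "Email field" and "Restrict Single Sign-On domains" settings above can be checked before rollout with a short script. This is an added example, not Eletive or Okta code: it decodes the claims of a test id_token for inspection and reports why a sign-in would not map to a user. The function names, the sample token and addresses, and the case-insensitive email comparison are assumptions made for illustration.

```python
import base64
import json


def decode_claims(id_token):
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("an id_token has three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_mapping(claims, email_field, eletive_emails, included=None, excluded=()):
    """Return a list of problems; an empty list means the sign-in should map to a user."""
    value = claims.get(email_field)
    if not isinstance(value, str) or value.count("@") != 1:
        return [f"claim '{email_field}' is missing or is not an email address"]
    email = value.strip().lower()  # assumption: emails are compared case-insensitively
    domain = email.split("@")[1]
    problems = []
    if email not in {e.strip().lower() for e in eletive_emails}:
        problems.append(f"no Eletive user has the email {email}")
    if included is not None and domain not in {d.lower() for d in included}:
        problems.append(f"domain {domain} is not in the included domains")
    if domain in {d.lower() for d in excluded}:
        problems.append(f"domain {domain} is excluded")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed sample data; the example.com addresses are placeholders.
SAMPLE_TOKEN = make_sample_token({"sub": "00u-constructed", "email": "Anna@example.com"})
ELETIVE_EMAILS = ["anna@example.com", "ben@example.com"]

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    for field in ("email", "preferred_username"):
        result = check_mapping(claims, field, ELETIVE_EMAILS, included=["example.com"])
        print(field, "->", result or "OK")
```

An empty result for the configured field means the claim is present, matches a known user and passes the domain restriction; any other result names the setting to revisit.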