Skip to main content

Implement SSO and User Provisioning through Okta

 

Eptura Knowledge Center

Implement SSO and User Provisioning through Okta

Setting up Okta in a single location


Step 1: Add an application

Log into Okta. Go to Admin > Applications.

image.png

Click on Add application.

image (1).png

Search for Proxyclick and click on Add.

image (2).png

Go to the Proxyclick Marketplace and install Okta.

Copy the Company ID from the Okta configuration page in Proxyclick and paste it in the Company Id on Okta.

image (3).png

You do not need to check the 2 boxes next to Application Visibility. Click on Next.

image (4).png

Click on Next (we will activate user provisioning later).

image (5).png

This step is optional. Click on Next.

Click on Done.

Step 2: Configure Single Sign-on (SSO) based on SAML 2.0

Open the Proxyclick app in Admin > Applications and go to the Sign On tab.

image (6).png

Click on Edit.

image (7).png

Select Email for Application username format and click on Save.

Click on View Setup Instructions.

image (8).png

Copy the IDP Issuer/Entity ID, the Login URL/SignOn URL, and the x.509 Certificate (including the BEGIN and END header and footer).

Paste the information copied from Okta in the Okta configuration page in Proxyclick.

image (9).png

Paste the 3 values copied from Okta and click on Save changes.

Your Okta connection is ready. You can now use the URL in the Login URL/SignOn URL field to log into Proxyclick using Okta SSO or log into Okta as a user and choose the Proxyclick app. But you will still need to add users in Proxyclick before you try to log in with SSO (you can do it manually, in bulk or via User Provisioning. See the next steps to configure User Provisioning with Okta).

Step 3: Configure user provisioning

Open the Proxyclick app in Admin > Applications and go to the Provisioning tab.
image (10).png

Click on Enable Provisioning.

image (11).png

Check the box Enable provisioning features.

image (12).png

If you didn’t do it already, go to the Proxyclick Integrations and install Okta.

Then go to the Okta configuration page in Proxyclick and copy the Base URL and the API Token to paste them in Okta.

image (13).png

Scroll down to enable the provisioning feature(s) you want to use.

Feature User Import

image (14).png

Select your preferred period in the Schedule import list if you want to activate the user import. Leave the other parameter to their default.

Feature Create Users

image (15).png

Check the box Enable to activate the creation of the user in Proxyclick when the user is assigned to the Proxyclick app.

Feature Update User Attributes

image (16).png

Check the box Enable to update the user profile in Proxyclick when the user info is updated in Okta.

Feature Deactivate Users

image (17).png

Check the box Enable to delete the user in Proxyclick when the user is unassigned from the Proxyclick app or when the user is deactivated in Okta.

Click on Save.

Sending Additional Attributes:

If you need to submit additional User Attributes which are not provisioned by default, such as a City or Office code to be used for filtering users to multiple locations (see next section), you may do so via the Okta portal.

City:

To correctly configure the City value for your users to control which location(s) they are added to, edit the app profile you created above and add a new attribute mapping for the City value using the Profile Editor.

image (18).png

Select "Add Attribute"

image (19).png

The Data Type must be "String." Use "addresses.^[primary==true].locality" without the quotes as the External Name, and "urn:scim:schemas:core:1.0" for the External Namespace. You may set the Display Name, Variable Name, and Description according to your internal conventions.

image (20).png

Once you have saved the attribute, click the Edit Mappings button.

image (21).png

Select the source user attribute to send and link it to the application Attribute set in the previous step.

image (22).png

Save the Mappings, and you are ready to submit users to multiple locations via filtering. Make sure to set up the corresponding filters in Proxyclick before attempting to Provision your users (see next section).

Setting up Okta in many locations

User Provisioning

You can configure Okta and manage users across multiple locations from a single Proxyclick account.

  1. Connect Okta in your main location (follow the steps above)

  2. Click on Multi-location mapping on the Okta integration in your Integration List

image (23).png

Important to note: If you do not see the Multi-location mapping button, then it means you are running on an older version of our Okta integration. All you have to do is disconnect the integration and then reconnect it before continuing with the remaining steps.

You will then see the list of all the locations for which you’re an Admin. You can enable/disable User Provisioning for each location from this list using the toggle button.
Once enabled, you will be able to either import all users for provisioning in that location or define your own filters for specific users.

image (24).png

You can filter users based on their city and language using the appropriate conditions for each.

image (25).png

Setting Home Location for users provisioned in multiple locations:

In the event that your provisioning allows users access to multiple locations, you can use the “Advanced” link to open an additional filtering view. Use this view to define which users provisioned to the select Location will then treat that location as Home. Home Locations are used as the landing location if using Single Sign-On, and any visit created using the generic Calendar integration will be registered. The filters in the Advanced panel work identically to those in the main view.

image (26).png

Single Sign-On

Regarding Single Sign-On (SSO), you have two options:

Option 1 is to set up SSO for every location (follow Step 2 described above for every location). Users with access to x locations will then see x Proxyclick icons (1 per location).

Option 2 is to set up only 1 SSO link that works for every user. All users see only one Proxyclick icon that leads every user to her home location (can be different per user). Here are the steps to follow in order to set up option two

  • On all applications you created in Okta for User Provisioning, please check the option “Do not display application icon to users”

  • Create one additional application in Okta and activate Steps 1 and 2 above (SSO). This application will not correspond to any physical office but only exists to manage SSO at the global level. Do NOT provision users in this application. For this application, please leave “Do not display application icon to users” unchecked.

  • Send the following 3 elements to support@proxyclick.com: IDP Issuer/Entity ID, the Login URL/SignOn URL and the x.509 Certificate

  • We will then create a so-called “landing location”: a Proxyclick location with the SSO certificate you just sent but without users. Once set up, users will only see one Proxyclick icon leading to the landing location. They will then be immediately routed to their home location. From a user perspective, they will immediately land in their real home location (they do not notice they first log in the landing location)

Okta User Provisioning and Single Sign On require the add on to your subscription.