Set up an SAML SSO with Okta


You can set up an SAML SSO on the platform with Okta.

The general process is as follows:

  1. add a custom URL to your platform;
  2. request the metadata URL;
  3. create an SAML custom app in Okta;
  4. send us the Okta setup instructions;
  5. wait for the green light.

1. Add a custom URL to your platform

See Customize the platform URL and keep « .360learning.com ».

In the following steps, we will call the part before « .360learning.com » the subdomain.

Example:

  • In https://acme.360learning.com/home, the subdomain is « acme ».

2. Request the metadata URL

Once you’ve added a custom URL to your platform, send an email to your CSP or SA to request the metadata URL.

We will send you back a metadata URL that looks like this:

  • https://app.360learning.com/api/sso/saml/acme/metadata

Notice the acme part towards the end of the URL. In Okta terms, this is called the SP Entity ID, and will be needed to set up the application in Okta. In most cases, it will be identical to the subdomain.

Copy it somewhere; we’ll need it later.

3. Create an SAML custom app in Okta

Once you’ve received the metadata URL, create a new custom app in Okta.

  1. Go to the Okta admin dashboard (the URL should look like XXX-admin.okta.com/admin/dashboard)
  2. In the left panel, click Applications>Applications
  3. On the top, click Create App Integration
  4. Select SAML 2.0
  5. On the bottom right, click Next

3.1 General Settings

  1. In App name, enter the name for the app (for example: « 360Learning »)
  2. On the bottom right, click Next

3.2 Configure SAML

  1. In Single sign on URL, enter https://app.360learning.com/api/sso/saml/<SP-entity-ID>/postResponse
    • Replace <SP-entity-ID> with the SP entity ID you copied from step 2.
    • You can also find the exact URL by opening the metadata URL from step 2 and looking for the URL that ends with /postResponse.


  2. In Audience URI, enter "https://app.360learning.com/"
  3. In Name ID format, select EmailAddress
  4. In Attribute Statements (optional), add the following statements
    • Name: givenname / Value: user.firstName
    • Name: surname / Value: user.lastName
    • Name: emailaddress / Value: user.email

  5. On the bottom right, click Next

You can edit the other optional fields, if you know what you’re doing.
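
The check described in step 3.2, as an added example that is not 360Learning's own code: it reads the service provider metadata from step 2, picks the HTTP-POST endpoint ending in /postResponse, and returns the Single sign on URL and SP entity ID to enter in Okta. The metadata below is a constructed sample, and the function name okta_sso_settings and the expected-host check are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EXPECTED_HOST = "app.360learning.com"  # host shown in the article's URLs

# Constructed sample of SP metadata (not a real 360Learning response).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="constructed-sample">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.360learning.com/api/sso/saml/acme/postResponse"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def okta_sso_settings(metadata_xml: str) -> dict:
    """Return the Single sign on URL and SP entity ID to enter in Okta."""
    # SAML metadata never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(metadata_xml)
    candidates = [
        acs.get("Location", "")
        for acs in root.iter(f"{{{MD}}}AssertionConsumerService")
        if acs.get("Binding") == POST_BINDING
    ]
    urls = [u for u in candidates if u.endswith("/postResponse")]
    if len(urls) != 1:
        raise ValueError(f"expected one /postResponse URL, found {len(urls)}")
    url = urlsplit(urls[0])
    # Assertions are posted to this URL, so it must be HTTPS on the expected host.
    if url.scheme != "https" or url.hostname != EXPECTED_HOST:
        raise ValueError(f"unexpected endpoint: {urls[0]}")
    # Path pattern from step 3.2: /api/sso/saml/<SP-entity-ID>/postResponse
    parts = url.path.strip("/").split("/")
    if len(parts) != 5 or parts[:3] != ["api", "sso", "saml"]:
        raise ValueError(f"unexpected path: {url.path}")
    return {"single_sign_on_url": urls[0], "sp_entity_id": parts[3]}


if __name__ == "__main__":
    print(okta_sso_settings(SAMPLE_METADATA))
```

Save the XML served at your metadata URL and pass its contents to the function; a ValueError means the value should be confirmed with your CSP or SA before it is entered in Okta.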

3.3 Feedback

Choose either option, then click Finish on the bottom right.

4. Send us the Okta setup instructions

Once you’ve created the custom app in Okta, send an email to your CSP or SA, with the Okta setup instructions, as well as the group ID on which you wish to use SSO, your choice on forced/mixed SSO, and user provisioning rules. The following sections detail each of those items.

4.1 Copy Okta setup instructions

When you’ve created the new application, Okta generates setup instructions, which allow us to connect the application to your platform.

  1. Go to the Okta admin dashboard (the URL should look like XXX-admin.okta.com/admin/dashboard)
  2. In the left panel, click Applications>Applications
  3. Click on the application created in the previous section
  4. On the top, click the section Sign On
  5. In the yellow section, click View Setup Instructions
  6. Copy and paste each field into the email for your CSP
    • Identity Provider Single Sign-On URL;
    • Identity Provider Issuer;
    • X.509 Certificate (you can also click Download certificate, and send us the zipped .cert file);
    • IDP metadata (copy everything; it is many lines long).

4.2 Find the group ID

You can set up SSO on the whole platform, or a specific group.

See Find the ID of a group. If you wish to activate SSO on the whole platform, get the ID of the platform group.

4.3 Choose between forced and mixed SSO

See Choose between forced and mixed SSO.

4.4 Choose the user provisioning rules

You can choose whether or not to activate user provisioning.

user provisioning: true

Authorized users who do not have an account on 360Learning when they first connect to the platform have an account created for them on the fly, with the first and last name corresponding to the values user.firstName and user.lastName in Okta. The user will be created as a learner in the group where the SSO is configured (from step 4.2).

You can see the list of authorized users in the Okta administration dashboard, in Applications>Applications>360Learning>Assignments.

user provisioning: false

Authorized users who do not have an account on 360Learning will be able to connect to the platform only after you invite them, or create an account for them.

You can see the list of authorized users in the Okta administration dashboard, in Applications>Applications>360Learning>Assignments.

4.5 Send all the info in an email

Check that the email contains all the following info:

    • Identity Provider Single Sign-On URL;
    • Identity Provider Issuer;
    • X.509 Certificate (you can also click Download certificate, and send us the zipped .cert file);
    • IDP metadata (copy everything; it is many lines long);
    • Group ID on which SSO should be enabled;
    • SSO type: forced or mixed;
    • User provisioning rule: yes or no.

5. Wait for the green light

Once you’ve sent all the info to your CSP or SA, wait for a confirmation email that the SSO is activated on our side.

When we give you the green light, the SSO will automatically be activated on your platform.
