This article describes how to enable Single-Sign On (SSO) using a SAML 2.0 connection with Okta as an Identity Provider (IdP).

If you would like to integrate Worksphere with Okta, please reach out to support@worksphere.co


Instructions


  1. From the Okta Applications tab, choose Add Application
  2. Choose Create New App


  3. Choose the Web platform and SAML 2.0


  4. Enter the settings below in the General section. Replace YOUR-COMPANY with your company name (only A-Z and hyphens allowed) in lower case.  For example, “Acme Incorporated” becomes acme-incorporated

    • App Name: Worksphere
    • Logo: A logo file is available from https://www.worksphere.co/wp-content/uploads/2020/12/Worksphere_Logo_Normal-01-025.png
    •  Single sign on URL: https://login.worksphere.co/login/callback?connection=YOUR-COMPANY-saml-v1
    • Audience URI (SP Entity ID): urn:auth0:worksphere-prod:YOUR-COMPANY-saml-v1
    • Default RelayState: Leave blank
    • Name ID format, Application username, Update application username: Leave the default values



  5. In the General section add the following mappings:
    • email | user.email
    • email_verified | true
    • given_name | user.firstName
    • family_name | user.lastName
    • name | user.fullName
    • nickname | user.nickName
    • picture | If your organization has a profile/avatar image URL field set up in Okta, include the field name here. The URL needs to be reachable from the public internet. (If you do not have pictures, skip this mapping.)

  6. In the Group Attributes Statements section, leave any additional mappings empty/blank.

  7. Press Next

  8. Select “I’m an Okta customer adding an internal app” and leave the remainder set to the default values.
  9. From the Settings screen press View Setup Instructions

You will need to send the information from this screen to your account representative at Worksphere. The Worksphere team will use this information to set up the SAML connection within Worksphere so that it is ready for use.

This action needs to be done by the Worksphere team, and is not self-service.

Copy the Identity Provider Single Sign-On URL from the instructions and press Download certificate on the X.509 Certificate. Send both to your account representative. Also include the Single sign on URL and Audience URI used in Step 4.


Next Steps


The Worksphere team will let you know once the connection has been set up and is ready for testing.

IMPORTANT: It is recommended to only enable the app for Okta accounts that will be used in testing the SAML connection.

Only after the connection has been tested end-to-end should it be enabled in Okta for other users or groups.