Single Sign-On & OKTA

This article helps administrators set up SSO for Outplay using Okta.

What is Single Sign-On?

  • Single Sign-On is an authentication system that lets users securely log in to multiple independent software systems by logging in only once to a managed authentication system. Your users need to remember only one user ID and password, without weakening your security.

  • The managed authentication system is called the Identity Provider (IdP; for example, G-Suite or Okta), and the applications that rely on this Identity Provider are called Service Providers (SPs).

  • Setting up SSO for your Outplay account lets your employees log in to Outplay using an identity provider of your choice, such as G-Suite, without creating a separate login ID and password.


What is SAML? How does SAML work?

SAML is a widely used XML-based authentication framework for securely exchanging information between an Identity Provider (such as Okta) and a Service Provider (such as Outplay). In this setup:

  • The Service Provider trusts the Identity Provider (IdP) to verify the user’s authentication.

  • On successful authentication, the Identity Provider sends the user’s identity to the Service Provider (SP) in a digitally signed authentication assertion, enabling a seamless login for the user.

In short, SAML is a standard security protocol that enables IdPs to securely let SPs like Outplay know whether you are you.


Here is a list of common terms you may encounter when setting up SAML SSO for Outplay:

  • Service Provider (SP) / SP Entity ID: The entity providing the service or web application, and the identifier by which the IdP knows it. In our case, the SP is Outplay.

  • Identity Provider (IdP): The entity that authenticates the user’s identity. Popular IdPs are Azure AD, G-Suite, Okta, and OneLogin.

  • SAML Request: Also known as the authentication request. When a user tries to log in using SSO, the Service Provider generates this request and sends it to the Identity Provider.

  • SAML Response: The Identity Provider generates the SAML Response, an XML document containing the details of the user whose authentication the IdP has validated. The IdP constructs it from the information pre-configured for a given SP. Once an SP receives the SAML Response, it is the SP's responsibility to validate that the response was generated by the expected IdP and only then parse the user's identity information embedded in it.

  • ACS URL: The public endpoint on the SP side to which the IdP posts the SAML Response.

  • SAML SSO URL or Login URL: The public endpoint on the IdP side to which the SP sends the SAML Request.
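The SP-side validation described under “SAML Response” and “ACS URL”, as an added example in Python that is not Outplay's code: it requires the assertion to be signed, issued by the configured IdP, addressed to the ACS URL, restricted to the SP Entity ID and inside its validity window. The issuer, audience and ACS values are hypothetical placeholders, the response is constructed, and cryptographic verification of the XML signature is left to a SAML library.

```python
# Added example, not Outplay's code: the checks an SP runs on a SAML Response
# before trusting its identity data. Cryptographic verification of the XML
# signature is left to a SAML library; here the Signature element is required.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values agreed between IdP and SP at setup time (hypothetical placeholders).
EXPECTED_ISSUER = "http://www.okta.com/exampleIdpId"  # IdP entity ID
EXPECTED_AUDIENCE = "outplayhq"                        # SP Entity ID / Audience URI
EXPECTED_ACS = "https://sp.example.com/saml/acs"       # ACS URL

def saml_ts(s):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_response(xml_text, now):
    """Return (ok, errors, subject); subject is the NameID in the assertion."""
    errors = []
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return False, ["no Assertion"], None
    if a.find("ds:Signature", NS) is None:            # 1. must be signed
        errors.append("assertion is not signed")
    issuer = a.findtext("saml:Issuer", "", NS)        # 2. from *our* IdP
    if issuer != EXPECTED_ISSUER:
        errors.append(f"unexpected issuer {issuer!r}")
    if root.get("Destination") != EXPECTED_ACS:       # 3. posted to our ACS URL
        errors.append("Destination is not our ACS URL")
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    if EXPECTED_AUDIENCE not in [x.text for x in a.findall(path, NS)]:
        errors.append("audience mismatch")            # 4. meant for this SP
    c = a.find("saml:Conditions", NS)                 # 5. inside validity window
    if c is None or not (saml_ts(c.get("NotBefore")) <= now < saml_ts(c.get("NotOnOrAfter"))):
        errors.append("Conditions missing or outside validity window")
    subject = a.findtext("saml:Subject/saml:NameID", None, NS)
    return not errors, errors, subject

# Constructed sample response (not real Okta output).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{EXPECTED_ACS}">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `validate_response(SAMPLE, saml_ts("2024-01-01T10:01:00Z"))` accepts the sample; the same response replayed after 10:05, with a different audience, or with the Signature element removed is rejected with the matching error.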


Prerequisites - Outplay provides SSO through Okta, so you will create an application in Okta that represents Outplay and then exchange the required details between the two, as described in the steps below.

  1. You need an Okta tenant with admin rights.

  2. You need an Outplay account with admin rights.

Adding Outplay to Okta

For the two applications to communicate with each other, follow the steps below.

  1. Log in to your Okta admin account.

  2. Go to Applications.

  3. Click “Create App Integration”.

    [Screenshot: SSO-1]
  4. Choose “SAML 2.0” & click Next.

    [Screenshot: SSO-2]

  5. Add the Outplay logo and name as shown below.

    [Screenshot: SSO-3]

  6. Add the “Single Sign-On URL” as “https://outplayhq.com”.

  7. Add the Audience URI (SP Entity ID) value as outplayhq and click Next. We will come back to this section after configuring the other settings.

    [Screenshot: SSO-4]

  8. In the next section, choose “I’m an Okta customer adding an internal app” and “This is an internal app we have created”, select the toggle, and click Finish as shown in the screenshot.

    [Screenshot: SSO-5]

  9. The application is now created and you are redirected to the application page. Click the “Sign On” tab. Under the “View Setup Instructions” button, you will see the “Identity Provider metadata” link. Copy this link’s address.

    [Screenshot: SSO-6]

    This is your metadata URL; we will use it to configure Okta inside Outplay.

  10. Now log in to your Outplay account. Navigate to the “Settings” --> “Org Settings” page and click the “Single Sign-on” tab.

    [Screenshot: SSO-7]

  11. Click “Add Identity Provider”. Fill in the provider name, choose “Okta” as the “Provider Type”, and fill the “Metadata URL” field with the URL you copied before, as in the screenshot below.

    [Screenshot: SSO-8]

  12. After clicking “Save”, the identity provider is added to your identity provider list. Click the identity provider row to see its details. A popup window opens, as shown below.

    [Screenshot: SSO-9]

  13. Now navigate back to the Okta application screen.

  14. Under the “General” tab, click “Edit” in the “SAML Settings” section. Copy the value of “Assertion Consumer Service (ACS) URL” from the identity provider details popup in Outplay and paste it into the “Single sign-on URL” field in Okta.

  15. Similarly, copy the value of “Service Provider Entity ID / Audience URL” from the identity provider details popup in Outplay and paste it into the “Audience URI (SP Entity ID)” field in Okta.

  16. Save the settings within Okta.

    [Screenshot: SSO-10]

  17. Navigate back to Outplay, where you will see the identity provider prompt.

  18. Click the “Enable” toggle of the newly added identity provider. You will be asked for confirmation; click “Enable” to proceed.

Note: You can add multiple identity providers to your account, but only one provider can be enabled for Single Sign-on at any time.

User Assignment

Once Okta has been configured with Outplay, you need to assign users to the Outplay application in Okta before they can use SSO with Outplay.

The steps are as follows:

  1. Log in to your Okta admin account.

  2. Go to Applications and click Outplay.

  3. Under the Assignments tab, click “Assign”.

  4. Choose “Assign to People” (or “Assign to Groups” if you use user groups) and select the users you want to assign to this application for login.

  5. Once you choose a person, you will be asked for the “User Name” value. Enter the corresponding user’s Outplay login email address in this field and save. The assigned users can now log in to Outplay through Okta.

    [Screenshot: SSO-11]

SSO Deactivation

To deactivate Okta SSO login in Outplay:

  1. Go to “Settings” --> “Org Settings” --> “Single Sign-on”.

  2. Disable the identity provider in the list (additionally, you can deactivate the Outplay app in Okta as well).

  3. Once SSO is disabled, users can no longer log in via Okta.

  4. They need to reset their password from the Outplay login screen, after which they can log in with the new password.