Note: This article covers the initial setup of Okta single sign-on (SSO) for Simpplr. For syncing user attributes from Okta to Simpplr, see the separate attribute sync article.
Add the Salesforce Application in Okta
- Log in to Okta with Admin credentials and click on the Admin button in the top left to open the admin console panel.
- Navigate to Applications > Applications. Then click Add Application.
- Search for Salesforce.com and select it from the list of results. Click Add.
- Optionally change the Application label, then click Next.
- In the Custom Domain field, enter the My Domain name you registered in Salesforce (see the My Domain section below). For example, if your Salesforce URL is https://simpplr.my.salesforce.com, enter simpplr.
- On the Sign-On Options tab, select SAML 2.0.
- In the Default Relay State field, enter your Simpplr app's URL. This is where users land after signing in through Okta.
- Scroll down to the SAML 2.0 sign-on instructions. Right-click the Identity Provider metadata link and choose Save link as (the wording differs slightly on macOS). Save the XML file to your computer; you will upload it to Salesforce later. Salesforce uses the signing certificate in this file to verify Okta's SAML assertions, so when Okta's signing certificate is rotated the Salesforce configuration has to be updated as well.
- In Login URL, enter your Salesforce My Domain URL. It should look like https://mydomain.my.salesforce.com (replace mydomain with your own domain name).
- In Credentials Details, set Application username format to Custom and enter the expression user.email+'.simpplr'. Salesforce usernames must be unique across all Salesforce orgs, so the suffix keeps Simpplr users from colliding with the same person's username in another org. Click Done.
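Before uploading the Okta metadata file to Salesforce, it is worth checking that it is the identity-provider file (not Salesforce's own SP metadata) and that it carries what Salesforce needs. The script below is an added example written for this article; it is not code from Okta, Salesforce or Simpplr. It parses the metadata XML with the standard library and returns the entity ID, the HTTP-POST SSO URL and the number of signing certificates, raising on anything Salesforce could not work with. `SAMPLE_METADATA` is constructed to resemble Okta's output: the app ID, host name and certificate in it are made up, and the certificate is only a placeholder DER SEQUENCE.

```python
"""Pre-upload check for the Okta IdP metadata file (added example, not
Okta/Salesforce/Simpplr code). SAMPLE_METADATA is constructed; its
X509Certificate is a placeholder DER SEQUENCE, not a real certificate."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
OKTA_SUFFIXES = (".okta.com", ".oktapreview.com", ".okta-emea.com")

# Placeholder certificate body: DER SEQUENCE { INTEGER 1 }, base64-encoded.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/salesforce/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/salesforce/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return the values Salesforce imports. Raise ValueError for a file that
    cannot work; collect softer problems in the returned 'warnings' list."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Salesforce's own SP metadata has an SPSSODescriptor instead; easy to mix up.
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    warnings = []

    # Salesforce verifies assertion signatures against the signing certificate(s)
    # listed here. A KeyDescriptor without a 'use' attribute covers both uses.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert_el in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert_el.text or "").split()))
            if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
                raise ValueError("X509Certificate is not a DER-encoded certificate")
            certs.append(der)
    if not certs:
        raise ValueError("no signing certificate: Salesforce could not verify assertions")
    if len(certs) > 1:
        warnings.append("more than one signing certificate (key rollover in progress?)")

    # Salesforce sends users to the Location of the HTTP-POST binding.
    sso_post = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == POST_BINDING:
            sso_post = svc.get("Location")
    if not sso_post:
        raise ValueError("no SingleSignOnService with the HTTP-POST binding")
    url = urlparse(sso_post)
    if url.scheme != "https":
        warnings.append("SSO URL is not https")
    if not (url.hostname or "").endswith(OKTA_SUFFIXES):
        # Custom Okta domains are legitimate, so this is a warning, not an error.
        warnings.append(f"SSO URL host {url.hostname!r} is not an Okta-owned domain")

    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso_post,
        "signing_cert_count": len(certs),
        "want_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "warnings": warnings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_idp_metadata(SAMPLE_METADATA), indent=2))
```

Run it against the real file with `check_idp_metadata(open("metadata.xml").read())`. The entity ID Okta emits is an `http://www.okta.com/...` identifier rather than a browsable URL, so the script checks the scheme of the SSO URL, not of the entity ID. The placeholder certificate only satisfies the DER-framing check; with a real file, also compare the certificate fingerprint against the one shown in the Okta admin console.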
Enable and Deploy My Domain on your Salesforce Org
The Salesforce My Domain feature lets you choose a custom domain name for your org. A My Domain URL looks like https://customer.my.salesforce.com. The SSO settings below are applied to this domain's login page, so it must be in place before you configure SAML.
- In your Salesforce org, open Setup, type My Domain into the Quick Find box and choose My Domain from the results.
- Type the domain name you want and click Check Availability. If the name is already taken, choose a different one.
- Click Save. Registration takes a few minutes; wait until Salesforce reports the domain as ready and deployed to users before continuing.
Configure SAML 2.0 in Salesforce
- Log in to Salesforce with the same administrator username and password you will use for the User Management (provisioning) settings in Okta.
- Open Setup, type Single sign on into the Quick Find box and choose Single Sign-On Settings.
- Click Edit, check the SAML Enabled box, then click Save.
- In the list at the bottom of the page, click New to add a new SAML Single Sign-On configuration.
- On the page that opens, choose New from Metadata File, upload the Okta metadata file you saved earlier, then click Create.
- In the Quick Find box, type My Domain and open it.
- Scroll down to Authentication Configuration and click Edit.
- In the Authentication Service section, Login Form is checked by default. Check the Okta entry (the SAML configuration you just created), uncheck Login Form, then click Save. Before removing Login Form, confirm in a separate browser that signing in through Okta actually works: once the login form is gone, a misconfigured SAML setup locks users out of the My Domain login page.
- Next you need a security token for provisioning. Click the dropdown in the upper right corner (it shows the name of the logged-in account) and choose My Settings.
- In the Quick Find box, type Reset and choose Reset Security Token. The new token is emailed to the address on the admin account.
- Create a dedicated administrator account in Salesforce for the Okta integration. You will use this account's username and password to configure the Salesforce app in Okta. When you create it, Salesforce provides a security token. Using a dedicated integration account rather than a person's account means the credentials stored in Okta do not change when that person leaves or rotates their password.
Note: Every time this account's password is reset, Salesforce issues a new security token, and you must update the Salesforce app's Provisioning settings in Okta with the new password and token as described below.
- Click Configure API Integration.
- Check the Enable API Integration box and enter the username, password and security token of the Salesforce admin account.
Note: Enter the password with the token appended directly to it, with no spaces or other characters in between.
- Click Test API Credentials. If the test succeeds, a verification message appears at the top of the screen. Select To App in the left panel and then the Provisioning Features you want to enable.
Note: As part of provisioning each new portal user, Okta creates a new Contact in Salesforce under the Account you specify in the Account ID field. This Contact carries the user's name and email address; it is required because portal users in Salesforce must be associated with a Contact.
- Select the features Create Users, Update User Attributes, Deactivate Users and Sync Password.
- Under Sync Password, choose the password type, for example Sync Okta Password. A synced password is a second credential stored in Salesforce, so keep Deactivate Users enabled: deactivating the user in Okta is what removes their Salesforce access.
Note: Okta recommends managing users entirely from Okta, which is why all of the features above are selected.
- Select To Okta in the left panel and set the Okta username format to Email address or Okta Username, according to your configuration.
- Click Save. You can now assign people to the app (if needed) and finish the application setup.
Control User Access
If you do not populate time zones for your users in Okta, Salesforce sets each provisioned user's time zone to Pacific time by default.
Create two groups in Okta, or in Active Directory if you sync groups from AD, for example Simpplr Admins and Simpplr Users. Membership in these groups controls who gets access to Simpplr and at which privilege level; the same group names are used in the steps below.
- Log in to the Okta Admin page.
- Navigate to Applications > Applications and search for your Salesforce app. Click its name in the results.
- Click Assignments, then Assign on the left side of the screen, and choose Assign to Groups.
- Search for the group Simpplr Admins and click Assign. Select the Profile System Administrator and the three Permission Sets whose names start with Simpplr, then click Save and go back. The System Administrator profile grants full control of the org, so keep this group's membership small.
- Search for the group Simpplr Users and click Assign. Select the Profile Simpplr User and assign only the permission sets Simpplr_App_Managers and Simpplr_User, then click Save and go back.
- Click Done. The assignments should look similar to the image below.