Note: This article provides steps on how to initially set up Okta's SSO solution with Simpplr. For information on how to sync attributes from Okta to Simpplr, click here.
Add the Salesforce Application in Okta
- Log in to Okta with Admin credentials and click on the Admin button in the top left to open the admin console panel.
- Navigate to Applications > Applications. Then click Add Application.
- Search for Salesforce.com and select it from the list of results. Click Add.
- Give the application a name (optional) and click Next.
- In the Custom Domain field, add your company domain. For example, if your URL is https://simpplr.my.salesforce.com, enter simpplr in the Custom Domain field.
- From the next tab Sign-on options, select SAML 2.0 and click Identity Provider Metadata to download the IDP file.
- In Sign-on options, enter the Login URL. This is your domain URL in Salesforce. It should look similar to https://mydomain.my.salesforce.com (replace mydomain with your custom domain name).
- Select the Application username format as required, or leave it as Okta Username. You can also select Custom and supply an expression, for example user.email+'.simpplr'. Once finished, click Done.
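Before uploading the Identity Provider metadata file downloaded in the steps above into Salesforce, it is worth confirming that it contains the three things Salesforce will rely on: the issuer (entityID), an HTTPS HTTP-POST single sign-on endpoint, and a signing certificate. The checker below is an added example, not Okta's or Simpplr's code; the embedded metadata is a constructed sample in the shape of Okta's file, with a placeholder entityID, URL and certificate bytes rather than values from any real tenant.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Okta's IdP metadata; the entityID, URL and
# certificate bytes are placeholders, not values from any real tenant.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder-der-bytes-not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk000000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.okta.com/app/example/exk000000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what Salesforce derives from the file; raise ValueError if a field is missing."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("missing entityID or IDPSSODescriptor")
    # Salesforce sends its SAML request to the HTTP-POST endpoint; insist that it is HTTPS.
    sso = [s for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == POST_BINDING]
    if not sso or not sso[0].get("Location", "").startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService with the HTTP-POST binding")
    # The signing certificate is what Salesforce uses to validate assertion signatures.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    certs = [c for c in certs if c]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(certs[0].split()))
    fp = hashlib.sha256(der).hexdigest().upper()
    return {"entity_id": entity_id, "sso_url": sso[0].get("Location"),
            "cert_sha256": ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))}
```

Keep the returned certificate fingerprint with your change record: when Okta rotates the signing certificate, the Salesforce SSO configuration must be updated with the new metadata, and the fingerprint tells you which certificate is currently configured.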
Enable and Deploy My Domain on your Salesforce Org
The Salesforce My Domain feature allows you to select a custom domain name for your application. A My Domain URL looks like https://customer.my.salesforce.com.
- In your Salesforce Org, click Setup. Then in the Quick Find box, type My Domain. Choose My Domain from the results.
- Type in your requested domain name and click Check Availability. If your name is already taken, choose a different one.
- Click Save.
Configure SAML 2.0 in Salesforce
- Log in to Salesforce with the same administrator username and password used for the User Management settings in Okta.
- Navigate to Setup and type Single Sign-On into the Quick Find box, then choose Single Sign-On Settings.
- Click Edit and check the SAML Enabled box, then click Save.
- In the list at the bottom of the page, select New to add a new SAML Single Sign-On configuration.
- A new page will open. Choose New from Metadata File and upload the file you downloaded from Okta, then click Create.
- Once complete, click Save. Make a note of the Salesforce Login URL that will appear after you save.
- Create an administrator account in Salesforce. You will use this account’s username and password to configure the Salesforce app in Okta. When you create an administrator account, Salesforce will provide you with a token.
Note: Every time you reset this account’s password, Salesforce will provide you with a new token, and you need to edit the Salesforce app’s Provisioning settings in Okta using the new password/token as described below.
- Click Configure API Integration.
- Check the Enable API Integration box and enter the username, password and token associated with your Salesforce Admin account.
Note: Simply append the token Salesforce provided to you to your password, with no spaces or other characters.
- Once input, click Test API Credentials. If successful, a verification message appears at the top of the screen. Select To App in the left panel, then choose the Provisioning Features you want to enable.
Note: As part of provisioning each new portal user, Okta creates a new contact in Salesforce associated with the account you specify in the Account ID field. This new contact contains the user's name and email address. This contact is necessary because Portal users in Salesforce must be associated with a contact.
Select parameters such as Create user, Update User Attributes, Deactivate Users, and Sync Password.
- In Sync Password, select password type such as Sync Okta Password.
Note: Okta recommends managing users completely from Okta, which is why we're selecting all the parameters above.
- Select To Okta in the left panel and change the Okta username format to Email address or Okta Username, as appropriate for your configuration.
- Click Save. You can now assign people to the app (if needed) and finish the application setup.
Control User Access
If you don't populate time zones for your users in Okta, the time zone will default to Pacific time in Salesforce.
Create two groups in Okta or Active Directory (if you are syncing groups from Active Directory). The group names should be similar to Simpplr_User and Simpplr_Admin. You'll use these groups to control user access in Simpplr.
- Log in to the Okta Admin page.
- Navigate to Applications > Applications and search for your Salesforce org. In the results, click the application name.
- Click on Assignments, then Assign on the left side of the screen. Choose Assign to Group.
- Select the group(s) to which the application needs to be assigned.
- When assigning the app to the group, scroll down and assign the Profile, Role (optional) and Permission sets from the same window.
- For Simpplr_Admin, select the System Administrator profile; for Simpplr_User, select the Simpplr User profile. In both cases, it is mandatory to select the permission set, i.e. Simpplr_User.
- Click Save.