Note: This article covers the initial setup of Okta single sign-on (SSO) for Simpplr. Syncing user attributes from Okta to Simpplr is covered in a separate article.
Add the Salesforce Application in Okta
- Log in to Okta with an administrator account and click the Admin button in the top right to open the Admin Console.
- Navigate to Applications > Applications. Then click Browse App Catalog.
- Search for Salesforce.com and select it from the list of results. Click Add integration.
- Set the Application label if you want something other than Salesforce.com, and make sure Instance Type is set to Production.
- In the Custom Domain field, enter your org's My Domain name on its own, not the full URL. For example, if your org URL is https://simpplr.my.salesforce.com, enter simpplr. (If you have not registered a My Domain yet, do so in the next section first.)
- On the Sign-On Options tab, select SAML 2.0.
- In Default Relay State, enter the URL of your Simpplr app. This is where users land after Okta signs them in.
- Scroll down to the SAML 2.0 login instructions, right-click the Identity Provider metadata link and choose Save link as (the wording differs slightly on macOS). Save the XML file; you will upload it to Salesforce later. It carries the Okta entityID, the SSO endpoint and the signing certificate Salesforce uses to verify assertions.
- In Login URL, enter your Salesforce My Domain URL, for example https://mydomain.my.salesforce.com (replace mydomain with your own My Domain name).
- Under Credentials Details, set Application username format to Custom and enter the expression user.email+'.simpplr'. Salesforce usernames must be unique across all Salesforce orgs, not just yours, so the suffix keeps the provisioned username from colliding with a username the person may already hold elsewhere. Click Done.
Enable and Deploy My Domain on your Salesforce Org
The Salesforce My Domain feature lets you choose a custom subdomain for your org. A My Domain URL looks like https://customer.my.salesforce.com. The Custom Domain and Login URL values in the Okta app both depend on it, so it has to exist before SSO can be tested.
- In your Salesforce Org, click Setup. Then in the Quick Find box, type My Domain. Choose My Domain from the results.
- Type in your requested domain name and click Check Availability. If your name is already taken, choose a different one.
- Click Save.
Configure SAML 2.0 in Salesforce
- Log in to Salesforce as an administrator (the same administrator account you will later use for the provisioning settings in Okta).
- Navigate to Setup, type Single sign on into the Quick Find box and choose Single Sign-On Settings.
- Click Edit, check SAML Enabled, then click Save.
- In the SAML Single Sign-On Settings list at the bottom of the page, create a new configuration: choose New from Metadata File, upload the Identity Provider metadata file you saved from Okta, and click Create.
- In the Quick Find box on the left, type My Domain and open My Domain.
- Scroll down to Authentication Configuration and click Edit.
- Under Authentication Service, Login Form is checked by default. Uncheck it, check the Okta SAML configuration that now appears in the list, and click Save. Do this with a second browser session still logged in as an administrator, so you can restore Login Form if the Okta login does not work.
You also need API credentials for provisioning. Create a dedicated administrator account in Salesforce for this purpose and treat it as a service account: tie it to a shared or role mailbox rather than to one person's email address, and use only this account's username, password and security token in the Okta provisioning settings, so that provisioning does not stop working when an individual leaves.
- Log in to Salesforce as that account. In the upper-right corner, open the dropdown that shows the account name and click My Settings.
- In the Quick Find box, type Reset and choose Reset Security Token. Salesforce emails the new token to the address on the account.
Note: Salesforce issues a new security token every time this account's password is reset. Each time that happens, update the Salesforce app's Provisioning settings in Okta with the new password and token as described below.
- In Okta, open the Provisioning tab of the Salesforce app and click Configure API Integration.
- Enter the service account's username. In the Password + Token field, enter the password immediately followed by the security token, with no spaces or other characters between them.
Note: On newer Okta tenants, the Username and Password + Token fields are replaced by OAuth Consumer Key and OAuth Consumer Secret, which come from the OAuth settings of a Connected App in Salesforce. Gathering those values is covered in a separate article.
- Click Test API Credentials. If the test succeeds, a verification message appears at the top of the screen. Select To App in the left panel, then choose the Provisioning Features you want to enable.
Enable Create Users, Update User Attributes and Deactivate Users.
Note: Okta recommends managing users entirely from Okta, which is why all three features are enabled here. With Deactivate Users on, removing a user from the assigned group or deactivating them in Okta deactivates the Salesforce user, which is what revokes their Simpplr access when they leave.
- Click Save. You can now assign people to the app (if needed) and finish the application setup.
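The two fields that most often break provisioning are the custom username from the Okta expression user.email+'.simpplr' and the Password + Token value, because Salesforce API logins simply expect the token appended to the password. The Python below is an added example, not code from the original article or from Okta; it mirrors the username expression, builds the Partner API login call that a credential test amounts to, and interprets the response, mapping the LOGIN_MUST_USE_SECURITY_TOKEN fault to the fix. The API version in the URL, the account email and both response documents are constructed placeholders, and the request is built but not sent.

```python
import html
import xml.etree.ElementTree as ET
from urllib.request import Request

# Assumed endpoint and API version; adjust the version to what your org supports.
PARTNER_LOGIN_URL = "https://login.salesforce.com/services/Soap/u/58.0"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_NS = "urn:partner.soap.sforce.com"


def salesforce_username(okta_email, suffix=".simpplr"):
    """Mirror the Okta app-username expression user.email+'.simpplr'."""
    if "@" not in okta_email:
        raise ValueError("Okta user.email must be an email address")
    username = okta_email + suffix
    if len(username) > 80:  # Salesforce username length limit
        raise ValueError("username exceeds Salesforce's 80-character limit")
    return username


def api_password(password, security_token):
    """Salesforce API logins expect the password immediately followed by the token."""
    token = security_token.strip()
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("security token must be one run of characters, no spaces")
    return password + token


def build_login_request(username, password, security_token):
    """Build the Partner API login call; Okta's credential test is equivalent to it."""
    envelope = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:urn="{PARTNER_NS}">'
        "<soapenv:Body><urn:login>"
        f"<urn:username>{html.escape(username)}</urn:username>"
        # Escaping matters: '&' or '<' in a password would otherwise corrupt the XML.
        f"<urn:password>{html.escape(api_password(password, security_token))}</urn:password>"
        "</urn:login></soapenv:Body></soapenv:Envelope>"
    )
    return Request(
        PARTNER_LOGIN_URL,
        data=envelope.encode("utf-8"),
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": "login"},
        method="POST",
    )


# Hints for the fault codes seen most often when the password+token pair is wrong.
FAULT_HINTS = {
    "LOGIN_MUST_USE_SECURITY_TOKEN": "token missing or stale: reset it and re-enter password+token",
    "INVALID_LOGIN": "username, password or token is wrong, or the user is locked out",
}


def interpret_login_response(body):
    """Turn a login response into a verdict: session details, or a fault plus a hint."""
    root = ET.fromstring(body)
    fault = root.find(".//{%s}Fault" % SOAP_NS)
    if fault is not None:
        code = fault.findtext("faultcode", "").split(":")[-1]  # strip the 'sf:' prefix
        return {"ok": False, "fault": code, "message": fault.findtext("faultstring", ""),
                "hint": FAULT_HINTS.get(code, "see faultstring")}
    result = root.find(".//{%s}result" % PARTNER_NS)
    if result is None:
        raise ValueError("neither a Fault nor a loginResponse result was found")
    return {"ok": True,
            "server_url": result.findtext("{%s}serverUrl" % PARTNER_NS),
            "user_id": result.findtext("{%s}userId" % PARTNER_NS)}


# Constructed fault response, abridged from the shape Salesforce returns when the
# token is left out of the password field.
SAMPLE_FAULT = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:sf="urn:fault.partner.soap.sforce.com">
  <soapenv:Body><soapenv:Fault>
    <faultcode>sf:LOGIN_MUST_USE_SECURITY_TOKEN</faultcode>
    <faultstring>LOGIN_MUST_USE_SECURITY_TOKEN: Invalid username, password, security token; or user locked out.</faultstring>
  </soapenv:Fault></soapenv:Body>
</soapenv:Envelope>"""

# Constructed success response (abridged) for the same call; ids are placeholders.
SAMPLE_LOGIN_OK = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns="urn:partner.soap.sforce.com">
  <soapenv:Body><loginResponse><result>
    <serverUrl>https://example.my.salesforce.com/services/Soap/u/58.0/00D000000000000</serverUrl>
    <sessionId>REDACTED</sessionId>
    <userId>005000000000000AAA</userId>
  </result></loginResponse></soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    req = build_login_request(salesforce_username("svc-okta@example.com"), "correct horse", "AbC123")
    print(req.full_url, req.data.decode())
    print(interpret_login_response(SAMPLE_FAULT))
    print(interpret_login_response(SAMPLE_LOGIN_OK))
```

If you do send the request (urllib's `urlopen(req)` will do it), treat the returned sessionId as a credential: it is a full API session for the service account, so never log it.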
Control User Access
If you don't populate time zones for your users in Okta, Salesforce sets them to Pacific time by default.
Create two groups in Okta, or in Active Directory if you sync groups from there, named along the lines of Simpplr_User and Simpplr_Admin. You will use these groups to control who gets which level of access in Simpplr. Keep the admin group small: its members receive the System Administrator profile, which is full control of the Salesforce org, not just of Simpplr.
- Log in to the Okta Admin page.
- Navigate to Applications > Applications and search for your Salesforce app. Click the application name in the results.
- Open Assignments, click Assign and choose Assign to Groups.
- Search for the Simpplr_Admin group and click Assign.
Select the System Administrator profile and the permission sets whose names start with Simpplr (there are three in total). Click Save and Go Back.
- Search for the Simpplr_User group and click Assign.
Select the Simpplr User profile and assign only the Simpplr_User permission set. Click Save and Go Back.
- Click Done. You should see something similar to the image below.