Okta SSO/OIDC Guide

한국어 버전: https://blog.selectfromuser.com/ko-okta

Select Admin can be configured with an Identity Provider to enable Single Sign On (SSO). This article shows how to configure Okta as the primary Identity Provider to facilitate SSO with the Select Admin application for each subdomain.

Contents

  • Supported features
  • Configuration steps
  • Role mapping with Okta Group Claims
  • IdP-initiated SSO
  • Troubleshoot

Supported features

Requirements

  • An admin user who can access the SelectAdmin page.
  • An Okta administrator
  • Select Platform: Business plan or higher with a paid add-on subscription.

Configuration steps

(Subject to change)
Okta admin page > Applications > Browse App > Select Admin

The app requires your "Select Domain", which you can find in the browser address bar.

Here the Select Domain is hello-okta.selectfromuser.com (omit the "https://" prefix).

[1] Gather information from Okta

  1. In the Okta admin page, click on the SelectAdmin application and then navigate to the Sign On tab
  2. Copy the values of Client ID and Client secret (click the eye button to toggle the visibility)
  3. There should be a section with a link titled OpenID Provider Metadata. Click it; in the JSON document shown, find the key "issuer" and copy its URL value

[2] Submit the information to SelectAdmin

  1. In the SelectAdmin page, go to Settings > Security and click the 'Activate' button in the "OIDC (Okta)" section
  2. Paste your Client ID, Client secret and Issuer URL into the form. Append /oauth2/default to the issuer, or /oauth2/<authorization server ID> if your custom authorization server has a different name; the value must match the issuer Okta puts into the ID token exactly, with no trailing slash
  3. Open YOUR_SUBDOMAIN.selectfromuser.com; a new Okta button should appear to continue with SSO.
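Before pasting the Issuer URL it is worth checking that it is exactly the issuer Okta advertises, because the OIDC flow fails when the two differ. The following Python script is an added example for this guide, not Select Admin's or Okta's own code; the Okta domain dev-000000.okta.com is a placeholder and the discovery document is constructed inline rather than fetched from Okta, so the script runs offline.

```python
"""Added example for this guide (not Select Admin's or Okta's code): build the
Okta issuer URL for step [2] and check it against the OpenID Provider Metadata
from step [1] before pasting it into SelectAdmin.
The Okta domain below is a placeholder and METADATA is constructed, not fetched."""
import json
from typing import Dict, List, Optional
from urllib.parse import urlparse


def okta_issuer(okta_domain: str, auth_server: Optional[str] = "default") -> str:
    """Issuer for an Okta org.

    auth_server=None      -> org authorization server:      https://<domain>
    auth_server="default" -> custom authorization server:   https://<domain>/oauth2/default
    auth_server="aus..."  -> custom server with another ID: https://<domain>/oauth2/aus...
    """
    domain = okta_domain.strip()
    if domain.startswith("https://"):
        domain = domain[len("https://"):]
    domain = domain.rstrip("/")
    if not domain or "/" in domain:
        raise ValueError(f"expected a bare host name such as dev-000000.okta.com, got {okta_domain!r}")
    base = f"https://{domain}"
    return base if auth_server is None else f"{base}/oauth2/{auth_server}"


def check_metadata(issuer: str, metadata: Dict) -> List[str]:
    """Return the problems found; an empty list means the issuer is safe to paste.

    OIDC Discovery requires the 'issuer' in the document to equal the issuer
    you configure, byte for byte (https, no trailing slash), and ID tokens
    carry that same value in 'iss'. The endpoints must live under it as well.
    """
    problems = []
    if urlparse(issuer).scheme != "https":
        problems.append("issuer must use https")
    if issuer.endswith("/"):
        problems.append("issuer must not end with '/'")
    if metadata.get("issuer") != issuer:
        problems.append(f"metadata issuer {metadata.get('issuer')!r} != {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = metadata.get(key, "")
        if not url.startswith(issuer + "/"):
            problems.append(f"{key} {url!r} is not under the issuer")
    return problems


# Constructed discovery document for the 'default' custom authorization server.
OKTA_DOMAIN = "dev-000000.okta.com"  # placeholder, replace with your org
METADATA = json.loads(f"""{{
  "issuer": "https://{OKTA_DOMAIN}/oauth2/default",
  "authorization_endpoint": "https://{OKTA_DOMAIN}/oauth2/default/v1/authorize",
  "token_endpoint": "https://{OKTA_DOMAIN}/oauth2/default/v1/token",
  "jwks_uri": "https://{OKTA_DOMAIN}/oauth2/default/v1/keys"
}}""")

if __name__ == "__main__":
    good = okta_issuer(OKTA_DOMAIN)
    print(good, check_metadata(good, METADATA) or "OK")
    # Forgetting the /oauth2/default postfix from step [2] is caught here:
    print(check_metadata(okta_issuer(OKTA_DOMAIN, None), METADATA))
    # So is a stray trailing slash:
    print(check_metadata(good + "/", METADATA))
```

Run it with your own org domain and the JSON from the OpenID Provider Metadata link in place of METADATA; an empty problem list means the string you paste into SelectAdmin is the one Okta will put in the ID token's iss claim.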

Role mapping with Okta Group Claims

Security > API > Authorization Servers > choose your server (default)

  1. Create a new scope: if none exists yet, in the Add scope form set Name to groups
  2. Create a new claim: in the Add claim form, select ID Token and Always in the dropdowns. Under Value type, select Groups. You can add an optional Filter to limit which groups are synced (prefer a prefix filter such as Starts with; a Matches regex filter of .* still sends all groups)
  3. Enable group mapping: in the SelectAdmin page, go to Settings > Security and turn on the group mapping option.
  4. Specify the group-to-role mappings: the left side (group name) is the Okta group, the right side (admin role) is the SelectAdmin role.
Test your own account and its roles first, then turn on Force SSO, so that a wrong mapping cannot lock you out.

IdP-initiated SSO

Users can sign in to the SelectAdmin app by clicking it on the Okta dashboard or in the Okta browser plugin.

Troubleshoot

Please contact us via chat or in the Slack community.

  • /logout: forces a sign-out.
  • Without group sync, a new user is created but has no access to the team.
  • Without group sync, users with the same email are only accessible through Okta.
  • With group sync, mapping 'Everyone' to 'Viewer' lets all employees access the app with no extra grant. Everyone is Okta's built-in group that contains every user in the org, so this is a deliberate decision to give every Okta user read access.
  • With group sync, role updates are logged by the cloud service.
  • Since SelectAdmin does not cache or store group names from your Okta, group names in the mapping are not validated against Okta; a misspelled group name simply never matches and grants no role.
  • We cannot turn off any security option at the request of a non-verified admin, for any reason; only the owner can do so.
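The role mapping steps above and several of these bullets (no groups claim, Everyone mapped to Viewer, a misspelled group name in the table) are easiest to understand by running the mapping logic over a decoded ID token. The following Python is an added example written for this guide, not Select Admin's or Okta's implementation; the role names Editor and Admin and their precedence, the Okta group names, the Client ID and the claim sets are all constructed for illustration, and signature verification of the token against the jwks_uri is assumed to have already happened.

```python
"""Added example for this guide (not Select Admin's or Okta's code): what the
group-claim role mapping does with the groups Okta puts into an ID token.
Roles other than Viewer, the group names, the Client ID and the claim sets
below are constructed for illustration."""
import re
import time
from typing import Dict, List, Optional

# Assumed SelectAdmin roles, lowest privilege first (only Viewer is named in the guide).
ROLE_ORDER = ["Viewer", "Editor", "Admin"]


def okta_group_filter(groups: List[str], kind: str, value: str) -> List[str]:
    """Approximate the Filter dropdown of Okta's Add claim form so you can preview
    which group names will end up in the 'groups' claim. The token is authoritative."""
    if kind == "Starts with":
        return [g for g in groups if g.startswith(value)]
    if kind == "Equals":
        return [g for g in groups if g == value]
    if kind == "Contains":
        return [g for g in groups if value in g]
    if kind == "Matches regex":
        return [g for g in groups if re.fullmatch(value, g)]
    raise ValueError(f"unknown filter kind {kind!r}")


def validate_id_token(claims: Dict, issuer: str, client_id: str, now: Optional[float] = None) -> None:
    """Minimal OIDC claim checks after signature verification (not shown).
    A wrong issuer string in SelectAdmin (org issuer vs. /oauth2/default) surfaces here."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise PermissionError(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("aud does not contain our Client ID")
    if claims.get("exp", 0) <= now:
        raise PermissionError("ID token has expired")


def resolve_role(claims: Dict, mapping: Dict[str, str]) -> Optional[str]:
    """Apply the Okta group -> SelectAdmin role table from Settings > Security.
    Group names are compared exactly, so a typo in the table never matches.
    None means the user is created but gets no access to the team."""
    roles = [mapping[g] for g in claims.get("groups", []) if g in mapping]
    return max(roles, key=ROLE_ORDER.index) if roles else None


# Constructed data
ISSUER = "https://dev-000000.okta.com/oauth2/default"
CLIENT_ID = "0oa0exampleclientid"
NOW = 1_700_000_000
OKTA_GROUPS = ["Everyone", "sa-editors", "sa-admins", "hr-payroll"]  # the user's groups in Okta
MAPPING = {
    "Everyone": "Viewer",   # every Okta user can read
    "sa-editors": "Editor",
    "sa-admin": "Admin",    # typo: the Okta group is 'sa-admins'; nothing warns you
}


def id_token_claims(email: str, groups: Optional[List[str]]) -> Dict:
    """Build the decoded claim set Okta would mint (groups=None: no groups claim at all)."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 3600, "email": email}
    if groups is not None:
        claims["groups"] = groups
    return claims


if __name__ == "__main__":
    for kind, value in (("Matches regex", ".*"), ("Starts with", "sa-")):
        claims = id_token_claims("alice@example.com", okta_group_filter(OKTA_GROUPS, kind, value))
        validate_id_token(claims, ISSUER, CLIENT_ID, now=NOW)
        print(kind, value, claims["groups"], "->", resolve_role(claims, MAPPING))
    # Group sync off: no groups claim, the user is created without access.
    print("no groups claim ->", resolve_role(id_token_claims("bob@example.com", None), MAPPING))
    try:
        validate_id_token(dict(claims, iss="https://dev-000000.okta.com"), ISSUER, CLIENT_ID, now=NOW)
    except PermissionError as e:
        print("rejected:", e)
```

Two things the run makes visible: the member of sa-admins ends up as Editor rather than Admin because of the typo in the table, and a Starts with filter on a prefix drops Everyone from the token, so the Everyone to Viewer mapping only grants anything when the filter lets Everyone through.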