Okta SSO
The End-User experience
- The user will enter their username as usual in the logon prompt.
- After clicking the logon button, they will be redirected to Okta to perform all authentication.
- When the user successfully completes authentication via the Okta website, they will be redirected and logged into the SchoolFi or the Employee Portal.
Buzz words
- Okta - Provides Single-Signon Authentication to other applications as a service.
- OIDC – OpenID Connect. This is the protocol/standard that is used by SchoolFi to communicate with Okta to hand off the Multi-Factor Authentication process. OIDC is an extension of the OAuth 2 protocol that defines the mechanisms for authentication.
- https://openid.net/connect/
- OAuth 2.0 – OAuth 2.0 is the industry-standard protocol for authorization. https://oauth.net/2/
Setup Process Overview
- Create the SchoolFi and SchoolFi Employee Portal Applications in Okta
- Configure SchoolFi to use the Okta SSO applications as OIDC Providers.
- Setup SchoolFi for SSO
- Set up individual Users and/or Employee Portal users to use the Okta SSO.
Create/protect SchoolFi and SchoolFi Employee Portal Applications in Okta
The following steps will not affect users logging into SchoolFi or the Employee Portal. These instructions are generated from the developer portal. This process might be different for their end-user application.
The developer portal is at https://developer.okta.com
- Log into Okta as an administrator.
- Applications -> Applications -> Create App Integration
- Choose OIDC Radio button
- Application Type: Web Application
- Grant Type: Authorization Code
- Sign-in redirect URIs - (Test URL https://genesis.forge-tech.com/backoffice/auth/v1/code ) TODO: Change this to a good test URL
- Sign-out redirect URIs: TODO Leave blank for now
Configure SchoolFi to use the Okta SSO applications as OIDC Providers.
Create the SchoolFI SSO Provider
The following steps will not affect users logging into SchoolFi or the Employee Portal.
- Log into SchoolFi as an Administrator
- Go to the System -> Security -> Single Sign-on / MFA -> Providers screen.
- Click the Add Provider button.
- Code: OKTA_SSO (or OKA_MFA_PORTAL for the Employee Portal Setup)
- Provider: Okta
- Description: Okta SSO
- Type: Single Sign-on
- Client Id: Copy and paste these fields from the Schoolfi application setup screen in the Okta portal
- Client Secret: Copy and paste these fields from the Schoolfi application setup screen in the okta portal.
- Click the Add button
- On the modified OKTA_SSO page, make the following changes:
- Click the SchoolFi checkbox (leave the Employee Portal Unchecked.. do the opposite if you are setting up the Employee Portal Application)
- Change the DNS name in the URL End point from https://CHANGEME.okta.comto the base URL in the Security → API screen in OKTA.
- You will see this: https://dev-123456789.okta.com/oauth2/default / you only want to place the https://dev-123456789.okta.com into the URL End Point field
- Click the Save button to save the changes
Repeat the steps above for the Employee Portal application.
Configuring SchoolFi Users to use okta for SSO
Choose a user from the System -> Security -> Users screen to test the MFA with Okta.
Do not choose the user you are currently logged in as, you do not want to accidentally lock yourself out of the system if the feature is not setup correct.
Change the SSO Provider drop-down to the Okta option and click save.
The Single Sign-on ID field should now display a warning if there is no value. This must match the username or one if it’s aliases as it appears in the okta Users screen.
Using a different browser (or log out of your current session); attempt to login as this user.
Configuring Employee Portal Users to use Okta for SSO
Choose an employee portal user to test the SSO with Okta from the Setup-> Employee Portal -> Users screen.
Do not choose the user you are currently logged in as, you do not want to accidentally lock yourself out of the system if the feature is not setup correct.
Change the MFA Provider drop-down to the Okta SSO option and click save.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article