Okta SSO

The End-User experience

1. The user will enter their username as usual in the logon prompt.
2. After clicking the logon button, they will be redirected to Okta to perform all authentication.
3. When the user successfully completes authentication via the Okta website, they will be redirected and logged into the SchoolFi or the Employee Portal.

Buzz words

• Okta - Provides Single-Signon Authentication to other applications as a service.
• OIDC – OpenID Connect.  This is the protocol/standard that is used by SchoolFi to communicate with Okta to hand off the Multi-Factor Authentication process.   OIDC is an extension of the OAuth 2 protocol that defines the mechanisms for authentication. 
• https://openid.net/connect/
• OAuth 2.0 – OAuth 2.0 is the industry-standard protocol for authorization.  https://oauth.net/2/

Setup Process Overview

• Create the SchoolFi and SchoolFi Employee Portal Applications in Okta
• Create a Claim on the Authorization Server in OKTA
• Configure SchoolFi to use the Okta SSO applications as OIDC Providers.
• Setup SchoolFi for SSO
• Set up individual Users and/or Employee Portal users to use the Okta SSO.

Create/protect SchoolFi and SchoolFi Employee Portal Applications in Okta

The following steps will not affect users logging into SchoolFi or the Employee Portal.  These instructions are generated from the integrator portal.   This process may differ for their end-user application.

The integrator portal is at https://integrator.okta.com

1. Log in to Okta as an administrator.
2. Applications -> Applications -> Create App Integration
3. Choose OIDC Radio button
4. Application Type: Web Application
5. Grant Type: Authorization Code
6. Sign-in redirect URIs - (Test URL https://staff.schoolfi.net/backoffice/auth/v1/code ) TODO: Change this to a good test URL
7. Sign-out redirect URIs:  Leave blank

Note: the Client ID and Client Secret will be used later on for Schoolfi.

Create a Claim on the Authorization Server in Okta

1. In Okta, go to Security -> API
2. Edit the default or authorization server that you will be using to authenticate with Schoolfi
3. Go to Claims -> Add Claim
   1. Name: okta_username
   2. Include in token type: ID Token and always
   3. Value Type: Expression
   4. Value: user.email
   5. Disable Claim: unchecked
   6. Include in: Any Scope

Configure SchoolFi to use the Okta SSO applications as OIDC Providers.

Create the SchoolFI SSO Provider

The following steps will not affect users logging into SchoolFi or the Employee Portal.

1. Log into SchoolFi as an Administrator
2. Go to the System -> Security -> Single Sign-on / MFA -> Providers screen.
3. Click the Add Provider button. 
   1. Code: OKTA_SSO (or OKA_MFA_PORTAL for the Employee Portal Setup)
   2. Provider: Okta
   3. Description: Okta SSO
   4. Type: Single Sign-on
   5. Client Id: Copy and paste these fields from the Schoolfi application setup screen in the Okta portal
   6. Client Secret: Copy and paste these fields from the Schoolfi application setup screen in the okta portal.
   7. Click the Add button
4. On the modified OKTA_SSO page, make the following changes: 
   1. Click the SchoolFi checkbox (leave the Employee Portal Unchecked.. do the opposite if you are setting up the Employee Portal Application)
   2. Change the DNS name in the URL End point from https://CHANGEME.okta.comto the base URL in the Security → API screen in OKTA. 
      1. You will see this: https://integrator-2701960.okta.com/oauth2/default. You only want to place https://integrator-2701960.okta.com/ into the OIDC Single Sign On Vendor End Points.
   3. Click the Save button to save the changes

Repeat the steps above for the Employee Portal application.

Configuring SchoolFi Users to use Okta for SSO

Choose a user from the System -> Security -> Users screen to test the MFA with Okta.

Do not choose the user you are currently logged in as, you do not want to accidentally lock yourself out of the system if the feature is not set up correctly.

Change the SSO Provider drop-down to the Okta option and click save.

The Single Sign-on ID field should now display a warning if there is no value.  This must match the username or one of its aliases as it appears in the Okta Users screen.

Using a different browser (or log out of your current session); attempt to login as this user.

Configuring Employee Portal Users to use Okta for SSO

Choose an employee portal user to test the SSO with Okta from the Setup-> Employee Portal -> Users screen.

Do not choose the user you are currently logged in as, you do not want to accidentally lock yourself out of the system if the feature is not set up correctly.

Change the MFA Provider drop-down to the Okta SSO option and click save.