SAML SSO using Okta

Updated 5 months ago by Andrew White

atSpoke is excited to offer an integration with Okta. atSpoke's SAML integration relies on a user level token. To insure consistent delivery of SAML services, atSpoke best practices recommend using an admin service account such as IT@yourcompany.com to complete this integration.

Supported Features

The Okta/atSpoke (www.askspoke.com) SAML integration currently supports the following features:

  • SP-initiated SSO
  • IdP-initiated SSO
  • JIT (Just In Time) Provisioning

For more information on the listed features, visit the Okta Glossary.

For atSpoke-specific SAML best practices, make sure you read the Before you Begin section.

Before you begin 

  • Assign the app to yourself in Okta for testing first.
  • Only atSpoke Admins have the superpowers to enable SAML for the organization.
  • After SAML is enabled, all non-admin members in atSpoke must log in with SAML. Admins who have not setup a password will be prompted by a banner in the web app. Admins can still log in with a password as needed.
  • Because the SSO setup will log out all users and admins, it’s best to setup SAML when there are few users logged in. Whether it be before launch, or outside of business hours.
  • atSpoke offers just in time provisioning. This means that if a user logs into atSpoke for the first time using SSO, an account will automatically be created.

Configuration Steps

Log into atSpoke and navigate to the Integrations menu.

  1. Navigate to Settings
  2. Select the Integrations Menu
  3. Find the SAML tile and choose Connect

Copy the following fields from your Okta setup page into the atSpoke Settings/SAML Page.

  1. Sign on URL
  2. Issuer
  3. Public certificate
  4. Press Test SAML connection

Once the test is completed, you can push Enable SAML

Uncheck the checkbox if you don't want to email notifications of SAML being enabled to your team.

Notes

  • Make sure that you entered the correct value in the Subdomain field under the General tab in Okta. Using the wrong value will prevent you from authenticating via SAML to atSpoke.
  • The following SAML attributes are supported:

    • Name

      Value

      firstName

      user.firstName

      lastName

      user.lastName

      primaryEmail

      user.userName

      phoneNumber

      user.primaryPhone

SP-initiated SSO

  1. Go to: https://[your-subdomain].askspoke.com/login.
  2. Enter your email, then click the arrow icon:
  3. Click Log in with SSO:

How did we do?

Powered by HelpDocs (opens in a new tab)