SAML SSO using Okta
askSpoke is excited to offer an integration with Okta. askSpoke's SAML integration relies on a user-level token. To ensure consistent delivery of SAML services, askSpoke best practices recommend using an admin service account such as IT@yourcompany.com to complete this integration.
The Okta/askSpoke (www.askspoke.com) SAML integration currently supports the following features:
- SP-initiated SSO
- IdP-initiated SSO
- JIT (Just In Time) Provisioning
For more information on the listed features, visit the Okta Glossary.
For askSpoke-specific SAML best practices, make sure you read the Before you Begin section.
Before you begin
- Assign the app to yourself in Okta for testing first.
- Only askSpoke Admins have the superpowers to enable SAML for the organization.
- After SAML is enabled, all non-admin members in askSpoke must log in with SAML. Admins who have not set up a password will be prompted by a banner in the web app. Admins can still log in with a password as needed.
- Because the SSO setup will log out all users and admins, it's best to set up SAML when few users are logged in, whether before launch or outside of business hours.
- askSpoke offers just-in-time provisioning. This means that if a user logs into askSpoke for the first time using SSO, an account will automatically be created.
Log into askSpoke and navigate to the Integrations menu.
- Navigate to Settings
- Select the Integrations Menu
- Find the SAML tile and choose Connect
Copy the following fields from your Okta setup page into the askSpoke Settings/SAML Page.
- Sign on URL
- Public certificate
- Press Test SAML connection
Once the test is completed, you can press Enable SAML.
- Make sure that you entered the correct value in the Subdomain field under the General tab in Okta. Using the wrong value will prevent you from authenticating via SAML to askSpoke.
- The following SAML attributes are supported:
- Go to: https://[your-subdomain].askspoke.com/login.
- Enter your email, then click the arrow icon:
- Click Log in with SSO: