With Okta SSO, your IT teams can manage employee accounts through their Okta login credentials, and your employees will be able to save time by logging into the Firstbase platform quickly with their existing Okta credentials.
Today we support SSO through a protocol called “OpenID Connect” (OIDC) or through SAML (Security Assertion Markup Language).
1. OpenID Connect (OIDC)
To set up Okta as an Identity Provider (IdP), a web application needs to be created that users belong to so they can log into the Firstbase platform.
Note: For SSO to work, all users that need to log into Firstbase MUST be assigned to this newly-created application.
In addition, an IdP number from Firstbase is required for configuration. Please contact your CSM to get this IdP number to get started.
Steps to configure:
- [ ] Create a new Web application by selecting in Okta: Applications > Create App Integration.
- [ ] Use 'OpenID Connect' as the sign-in method > Select 'Web' as the platform > Click Next.
- [ ] Enter a name for this new application. Add a logo if desired.
- [ ] Allow the following grant types → select Authorization Code and Implicit (Hybrid).
- [ ] Specify the following Login Redirect URI: https://auth.firstbasehq.com/oauth2/v1/authorize/callback
- [ ] Select Your Assignments preference for users and ‘Save’ your application.
- [ ] Once the app is saved and created, scroll down to ‘General Settings’ and ‘Edit’ your application.
- [ ] In General Settings, change 'Login initiated by' to 'Either Okta or App'.
- [ ] Choose application visibility based on your preferences.
- [ ] Login flow - select 'Redirect to app to initiate login (OIDC Compliant)'.
- [ ] Initiate login URI - specify the following URI: 'https://app.firstbasehq.com/auth?idp=[specific idp number]'
Once these steps are completed, share the following information with your CSM to connect your application as an IdP:
Okta application details from above:
- [ ] Client ID
- [ ] Client secret
And the following URIs:
- [ ] issuer
- [ ] authorization endpoint
- [ ] token endpoint
- [ ] JWKS endpoint
- [ ] userinfo endpoint
These URIs can be obtained from https://{theOktaIdPOrg}/.well-known/openid-configuration, replacing {theOktaIdPOrg} with your Okta domain.
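As an added example (not part of Firstbase's or Okta's own documentation), the script below pulls the five URIs your CSM needs out of the discovery document and checks that they are consistent before you hand them over: every endpoint must be HTTPS on the same Okta org as the issuer, and the org must advertise the Authorization Code and hybrid response types that the application above was created with. The discovery document and the org name example-org.okta.com are constructed placeholders; in practice you would fetch the real document from your own Okta domain.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what https://{theOktaIdPOrg}/.well-known/openid-configuration
# returns for an Okta org; "example-org" is a placeholder, not a real tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-org.okta.com",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example-org.okta.com/oauth2/v1/keys",
    "userinfo_endpoint": "https://example-org.okta.com/oauth2/v1/userinfo",
    "response_types_supported": ["code", "id_token", "code id_token",
                                 "code token", "code id_token token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
})

# The five URIs the CSM asks for, mapped to their discovery-document keys.
REQUIRED = {
    "issuer": "issuer",
    "authorization endpoint": "authorization_endpoint",
    "token endpoint": "token_endpoint",
    "JWKS endpoint": "jwks_uri",
    "userinfo endpoint": "userinfo_endpoint",
}

def extract_idp_details(discovery_json, okta_domain):
    """Return the five URIs as a dict; raise ValueError if the document is inconsistent."""
    doc = json.loads(discovery_json)
    issuer = urlparse(doc["issuer"])
    if issuer.scheme != "https" or issuer.hostname != okta_domain:
        raise ValueError(f"issuer {doc['issuer']!r} does not match https://{okta_domain}")
    details = {}
    for label, key in REQUIRED.items():
        url = doc[key]
        parsed = urlparse(url)
        # Every endpoint handed to the CSM must sit on the issuer's own org over HTTPS.
        if parsed.scheme != "https" or parsed.hostname != issuer.hostname:
            raise ValueError(f"{label} {url!r} is not on the issuer host")
        details[label] = url
    # The app uses the Authorization Code and Implicit (Hybrid) grants, so the org
    # must advertise the "code" and hybrid "code id_token" response types.
    missing = {"code", "code id_token"} - set(doc.get("response_types_supported", []))
    if missing:
        raise ValueError(f"org does not advertise response types: {sorted(missing)}")
    return details

if __name__ == "__main__":
    for label, url in extract_idp_details(SAMPLE_DISCOVERY, "example-org.okta.com").items():
        print(f"{label}: {url}")
```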
2. SAML SSO
The following steps set up SSO using SAML and Okta.
Steps to configure:
- [ ] Create a Web application by selecting in Okta: Applications > Create App Integration > Use 'SAML 2.0' as the sign-in method.
- [ ] Enter a name for this new application. Add a logo if desired and choose app visibility options as needed.
- [ ] In the next step, configure a test application using the following values:
  - Single sign-on URL: https://test.com
  - Audience URI (SP Entity ID): https://test.com
  - Name ID Format: EmailAddress
- [ ] Preview the SAML assertion generated to confirm the correct assertion details.
  - Note: The assertion must be configured to an email address for SAML to work properly with Firstbase.
- [ ] Finish your SAML Integration.
  - Now that you've created the application, click "SAML Setup Instructions."
  - The following screen will open up. Copy these four details and provide them to your CSM:
    - Identity Provider Single Sign-On URL
    - Identity Provider Issuer
    - X.509 Certificate
    - IDP metadata (Optional)
- [ ] Once we receive this information, we'll generate two values for you to edit your SAML application and provide them to you via your CSM:
  - Assertion Consumer Service URL
  - Audience URI
- [ ] Once you have these values, go to your SAML Application's "General" tab, and click on "edit" your SAML Settings.
- [ ] Click "Next" and skip the General Settings Screen.
- [ ] Enter the two values you received: the Assertion Consumer Service URL in the Single Sign-On URL field, and the Audience URI in the Audience URI field.
- [ ] Save your SAML Application.
- [ ] You should be all set now! Let your CSM know so we can turn on SAML SSO together to ensure everything works well.
For any questions in regards to Okta SSO, please contact support@firstbase.com.