SSO Configuration: Okta

Integrating your company's Single Sign-On (SSO) solution with the World Manager platform offers a convenient and secure way for all employees to access the platform. By integrating with the popular identity provider (IdP) Okta for SSO, you can enable employees to authenticate into your World Manager platform using their existing company credentials. Follow these instructions to configure the integration with Okta.

Prerequisites

  • Admin access to Okta

Okta Configuration

Create an Application

1. Log into Okta: https://www.okta.com/login

2. Go to Applications → Applications

3. Click on the “Create App Integration” button

4. Select the “SAML 2.0” option, then click on the “Next” button

General Settings

1. Enter a (unique) name for the app, then click on the “Next” button

Tip: For the purposes of this article, we have used ‘WM Platform SSO’ as the name. However, we recommend using a name that is unique/specific to your World Manager platform.

SAML Settings

1. Complete the following details (below), then click on the “Save” button:

  • Single Sign On URL
    • In the text field, enter: https://<YourPlatformUrl>/login/saml/okta
  • Audience URI (SP Entity ID)
    • In the text field, enter: https://<YourPlatformUrl>/login/saml/metadata/okta
  • Name ID format
    • In the drop-down field, select the “Persistent” option
  • Application username
    • In the drop-down field, select the “Okta username” option

Attribute Statements

1. Action the following (below) to create attributes:

  • Email
    • In the ‘Name’ field, enter email
    • In the ‘Value’ drop-down, select the user.email option

Important: You can only use a valid email address as the identifier value.

  • First Name
    • Click on the “Add Another” button
    • In the ‘Name’ field, enter firstName
    • In the ‘Value’ drop-down, select the user.firstName option
  • Last Name
    • Click on the “Add Another” button
    • In the ‘Name’ field, enter lastName
    • In the ‘Value’ drop-down, select the user.lastName option

Once finished, you should be left with something like this:

Important: To ensure correct functionality, all attribute names must be entered exactly as specified.

Preview the SAML assertion

1. Click on the “Next" button

Feedback

1. In the ‘Are you a customer or partner?’ field, select the “I'm an Okta customer adding an internal app” option

2. In the ‘Contact app vendor’ field, select the “It's required to contact the vendor to enable SAML” option

3. Click on the “Finish” button

Sign On Settings

1. Click on the “View SAML setup instructions” button

2. Within the new tab that appears, action the following (below):

  • Copy the ‘Identity Provider Single Sign-On URL’ value
  • Copy the ‘Identity Provider Issuer’ value
  • Under the ‘X.509 Certificate’ field, click on the “Download certificate” button

Important: Keep this information handy, as it will be required in later steps.

Create User Attributes

1. Go to Directory → Profile Editor

2. In the ‘Users’ table, click on the profile name of the app you created (to edit)

3. Action the following (below) to create attributes:

  • Group UUIDs
    • Click on the “Add Attribute” button
    • In the ‘Data type’ drop-down, select the “string array” option
    • In the ‘Display name’ field, enter Group UUIDs
    • In the ‘Variable name’ field, enter groupUuids
    • In the ‘User permission’ field, select the “Hide” option
  • Country UUIDs
    • Click on the “Save and Add Another” button
    • In the ‘Data type’ drop-down, select the “string array” option
    • In the ‘Display name’ field, enter Country UUIDs
    • In the ‘Variable name’ field, enter countryUuids
    • In the ‘User permission’ field, select the “Hide” option
  • Area UUIDs
    • Click on the “Save and Add Another” button
    • In the ‘Data type’ drop-down, select the “string array” option
    • In the ‘Display name’ field, enter Area UUIDs
    • In the ‘Variable name’ field, enter areaUuids
    • In the ‘User permission’ field, select the “Hide” option
  • Store UUIDs
    • Click on the “Save and Add Another” button
    • In the ‘Data type’ drop-down, select the “string array” option
    • In the ‘Display name’ field, enter Store UUIDs
    • In the ‘Variable name’ field, enter storeUuids
    • In the ‘User permission’ field, select the “Hide” option
    • Click on the “Save” button

Once finished, you should be left with something like this:

Important: To ensure correct functionality, all attribute (aka variable) names must be entered exactly as specified.

Add User Attributes to App

1. Go (back) to Applications → Applications

2. Click on the name of the app you created (to edit)

3. Click on the ‘General’ tab, then under the ‘SAML Settings’ sectionm, click on the “Edit” link

4. In the ‘General’ section, click on the “Next” button

5. Action the following (below) to create (additional) attributes:

  • Group UUID
    • Click on the “Add Another” button
    • In the ‘Name’ field, enter groupUuids
    • In the ‘Value’ field, enter appuser.groupUuids
  • Country UUID
    • Click on the “Add Another” button
    • In the ‘Name’ field, enter countryUuids
    • In the ‘Value’ field, enter appuser.countryUuids
  • Area UUID
    • Click on the “Add Another” button
    • In the ‘Name’ field, enter areaUuids
    • In the ‘Value’ field, enter appuser.areaUuids
  • Store UUID
    • Click on the “Add Another” button
    • In the ‘Name’ field, enter storeUuids
    • In the ‘Value’ field, enter appuser.storeUuids

Once finished, you should be left with something like this:

6. Scroll down to the ‘Preview the SAML assertion’ section, then click on the “Next" button

7. In the ‘Feedback’ section, click on the “Finish” button

Assign UUID Values

1. Click on the ‘Assignments’ tab

2. Click on the ‘Assign’ drop-down, then select the “Assign to People” option

3. Click on the “Assign” link next to the user you wish to configure UUID data for

5. Action the following (below):

  • Group UUIDs
    • Click on the “Add Another” button
    • In the text field, enter a valid Group UUID value

Tip: Currently, it is not possible to obtain Group UUID data from within the platform. Please either contact our Support Team, or use our SOAP API.

  • Country UUIDs
    • Click on the “Add Another” button
    • In the text field, enter a valid Country UUID value
    • **Repeat if you wish to assign multiple UUID values
  • Area UUIDs
    • Click on the “Add Another” button
    • In the text field, enter a valid Area UUID value
    • **Repeat if you wish to assign multiple UUID values
  • Store UUIDs
    • Click on the “Add Another” button
    • In the text field, enter a valid Store UUID value
    • **Repeat if you wish to assign multiple UUID values

6. Click on the “Save and Go Back" button (to save)

7. Repeat steps 2 through 6 to assign UUID values for all applicable accounts

8. Click on the “Done” button (when finished)

Important: Not all attributes can be assigned multiple UUID values, as it is dependent on the role the user's account group belongs to. See table below that outlines the data allowed per role:

Role(s) Group UUIDs Country UUIDs Area UUIDs Store UUIDs
World Manager 1x      
National Manager (multi-country) 1x Multiple    
Area Manager (multi-area) 1x   Multiple  
General Manager, Store Manager, Employee (multi-store) 1x     Multiple

Tip: These attributes can also be assigned under the Directory → People area within Okta.

UUID Data Requirement

To successfully authenticate a user via SSO, there is a bare minimum requirement of UUID data that needs to be provided, which is dependent on the role the user's account group belongs to. See table below that outlines the data required per role:

Role(s) Group UUID Country UUID Area UUID Store UUID
World Manager      
National Manager    
Area Manager    
General Manager, Store Manager, Employee    

To elaborate on the above, if you were creating a ‘Store Manager’ account, you would only need to provide valid ‘Group UUID’ and ‘Store UUID’ values. The ‘Country UUID’ and ‘Area UUID’ values are not required.

World Manager Configuration

Contact Support

All SSO-related configuration on the World Manager end is handled by the Support Team and is not visible within the platform. So, whenever you are ready to enable this authentication method, please send an email to wmsupport@franconnect.com with the following details:

  • ‘Identity Provider Single Sign-On URL’ value
  • ‘Identity Provider Issuer’ value
  • X.509 Certificate file

Note: These values are from the 'Sign On Settings' section that you were previously instructed to download/copy.

Was this article helpful?
0 out of 0 found this helpful