Integrating your company's Single Sign-On (SSO) solution with the World Manager platform offers a convenient and secure way for all employees to access the platform. By integrating with the popular identity provider (IdP) Okta for SSO, you can enable employees to authenticate into your World Manager platform using their existing company credentials. Follow these instructions to configure the integration with Okta.
Prerequisites
- Admin access to Okta
Okta Configuration
Create an Application
1. Log into Okta: https://www.okta.com/login
2. Go to Applications → Applications
3. Click on the “Create App Integration” button
4. Select the “SAML 2.0” option, then click on the “Next” button
General Settings
1. Enter a (unique) name for the app, then click on the “Next” button
Tip: For the purposes of this article, we have used ‘WM Platform SSO’ as the name. However, we recommend using a name that is unique/specific to your World Manager platform.
SAML Settings
1. Complete the following details (below), then click on the “Save” button:
- Single Sign On URL
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/okta
- Audience URI (SP Entity ID)
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/metadata/okta
- Name ID format
  - In the drop-down field, select the “Persistent” option
- Application username
  - In the drop-down field, select the “Okta username” option
Attribute Statements
1. Action the following (below) to create attributes:
- Email
  - In the ‘Name’ field, enter: email
  - In the ‘Value’ drop-down, select the user.email option
  Important: You can only use a valid email address as the identifier value.
- First Name
  - Click on the “Add Another” button
  - In the ‘Name’ field, enter: firstName
  - In the ‘Value’ drop-down, select the user.firstName option
- Last Name
  - Click on the “Add Another” button
  - In the ‘Name’ field, enter: lastName
  - In the ‘Value’ drop-down, select the user.lastName option
Once finished, you should be left with something like this:
Important: To ensure correct functionality, all attribute names must be entered exactly as specified.
Preview the SAML assertion
1. Click on the “Next" button
Feedback
1. In the ‘Are you a customer or partner?’ field, select the “I'm an Okta customer adding an internal app” option
2. In the ‘Contact app vendor’ field, select the “It's required to contact the vendor to enable SAML” option
3. Click on the “Finish” button
Sign On Settings
1. Click on the “View SAML setup instructions” button
2. Within the new tab that appears, action the following (below):
- Copy the ‘Identity Provider Single Sign-On URL’ value
- Copy the ‘Identity Provider Issuer’ value
- Under the ‘X.509 Certificate’ field, click on the “Download certificate” button
Important: Keep this information handy, as it will be required in later steps.
Create User Attributes
1. Go to Directory → Profile Editor
2. In the ‘Users’ table, click on the profile name of the app you created (to edit)
3. Action the following (below) to create attributes:
- Group UUIDs
  - Click on the “Add Attribute” button
  - In the ‘Data type’ drop-down, select the “string array” option
  - In the ‘Display name’ field, enter: Group UUIDs
  - In the ‘Variable name’ field, enter: groupUuids
  - In the ‘User permission’ field, select the “Hide” option
- Country UUIDs
  - Click on the “Save and Add Another” button
  - In the ‘Data type’ drop-down, select the “string array” option
  - In the ‘Display name’ field, enter: Country UUIDs
  - In the ‘Variable name’ field, enter: countryUuids
  - In the ‘User permission’ field, select the “Hide” option
- Area UUIDs
  - Click on the “Save and Add Another” button
  - In the ‘Data type’ drop-down, select the “string array” option
  - In the ‘Display name’ field, enter: Area UUIDs
  - In the ‘Variable name’ field, enter: areaUuids
  - In the ‘User permission’ field, select the “Hide” option
- Store UUIDs
  - Click on the “Save and Add Another” button
  - In the ‘Data type’ drop-down, select the “string array” option
  - In the ‘Display name’ field, enter: Store UUIDs
  - In the ‘Variable name’ field, enter: storeUuids
  - In the ‘User permission’ field, select the “Hide” option
  - Click on the “Save” button
Once finished, you should be left with something like this:
Important: To ensure correct functionality, all attribute (aka variable) names must be entered exactly as specified.
Add User Attributes to App
1. Go (back) to Applications → Applications
2. Click on the name of the app you created (to edit)
3. Click on the ‘General’ tab, then under the ‘SAML Settings’ section, click on the “Edit” link
4. In the ‘General’ section, click on the “Next” button
5. Action the following (below) to create (additional) attributes:
- Group UUID
  - Click on the “Add Another” button
  - In the ‘Name’ field, enter: groupUuids
  - In the ‘Value’ field, enter: appuser.groupUuids
- Country UUID
  - Click on the “Add Another” button
  - In the ‘Name’ field, enter: countryUuids
  - In the ‘Value’ field, enter: appuser.countryUuids
- Area UUID
  - Click on the “Add Another” button
  - In the ‘Name’ field, enter: areaUuids
  - In the ‘Value’ field, enter: appuser.areaUuids
- Store UUID
  - Click on the “Add Another” button
  - In the ‘Name’ field, enter: storeUuids
  - In the ‘Value’ field, enter: appuser.storeUuids
Once finished, you should be left with something like this:
6. Scroll down to the ‘Preview the SAML assertion’ section, then click on the “Next" button
7. In the ‘Feedback’ section, click on the “Finish” button
Assign UUID Values
1. Click on the ‘Assignments’ tab
2. Click on the ‘Assign’ drop-down, then select the “Assign to People” option
3. Click on the “Assign” link next to the user you wish to configure UUID data for
5. Action the following (below):
- Group UUIDs
  - Click on the “Add Another” button
  - In the text field, enter a valid Group UUID value
  Tip: Currently, it is not possible to obtain Group UUID data from within the platform. Please either contact our Support Team, or use our SOAP API.
- Country UUIDs
  - Click on the “Add Another” button
  - In the text field, enter a valid Country UUID value
  - Repeat if you wish to assign multiple UUID values
- Area UUIDs
  - Click on the “Add Another” button
  - In the text field, enter a valid Area UUID value
  - Repeat if you wish to assign multiple UUID values
- Store UUIDs
  - Click on the “Add Another” button
  - In the text field, enter a valid Store UUID value
  - Repeat if you wish to assign multiple UUID values
6. Click on the “Save and Go Back" button (to save)
7. Repeat steps 2 through 6 to assign UUID values for all applicable accounts
8. Click on the “Done” button (when finished)
Important: Not all attributes can be assigned multiple UUID values; what is allowed depends on the role the user's account group belongs to. The table below outlines the data allowed per role:
Role(s) | Group UUIDs | Country UUIDs | Area UUIDs | Store UUIDs
---|---|---|---|---
World Manager | 1x | | |
National Manager (multi-country) | 1x | Multiple | |
Area Manager (multi-area) | 1x | | Multiple |
General Manager, Store Manager, Employee (multi-store) | 1x | | | Multiple
Tip: These attributes can also be assigned under the Directory → People area within Okta.
UUID Data Requirement
To successfully authenticate a user via SSO, a minimum set of UUID data must be provided, and that set depends on the role the user's account group belongs to. The table below outlines the data required per role:
Role(s) | Group UUID | Country UUID | Area UUID | Store UUID
---|---|---|---|---
World Manager | ✅ | | |
National Manager | ✅ | ✅ | |
Area Manager | ✅ | | ✅ |
General Manager, Store Manager, Employee | ✅ | | | ✅
To elaborate on the above, if you were creating a ‘Store Manager’ account, you would only need to provide valid ‘Group UUID’ and ‘Store UUID’ values. The ‘Country UUID’ and ‘Area UUID’ values are not required.
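As an added example that is not part of this article or of the World Manager product, the following Python script checks a SAML assertion against the settings described above before you hand the configuration to Support: the Persistent Name ID format, the email, firstName and lastName attribute statements, and the UUID attributes each role requires and how many values each may carry (per the two tables). The sample assertion is constructed, the UUID values are placeholders, and the script assumes Okta emits a string-array attribute as repeated AttributeValue elements.

```python
import xml.etree.ElementTree as ET
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"          # ElementTree namespace prefix
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UUID_ATTRS = ("groupUuids", "countryUuids", "areaUuids", "storeUuids")
# Minimum UUID attributes per role ("UUID Data Requirement" table); groupUuids is always one value.
REQUIRED = {"World Manager": {"groupUuids"}, "National Manager": {"groupUuids", "countryUuids"},
            "Area Manager": {"groupUuids", "areaUuids"}, "General Manager": {"groupUuids", "storeUuids"},
            "Store Manager": {"groupUuids", "storeUuids"}, "Employee": {"groupUuids", "storeUuids"}}
# The one attribute in which a role may carry several values ("Assign UUID Values" table).
MULTI = {"National Manager": "countryUuids", "Area Manager": "areaUuids",
         "General Manager": "storeUuids", "Store Manager": "storeUuids", "Employee": "storeUuids"}
def parse_assertion(xml_text):
    """Return (NameID Format, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find(f".//{SAML}Subject/{SAML}NameID")
    attrs = {a.get("Name"): [v.text or "" for v in a.iterfind(f"{SAML}AttributeValue")]
             for a in root.iterfind(f".//{SAML}AttributeStatement/{SAML}Attribute")}
    return (name_id.get("Format") if name_id is not None else None), attrs

def check_assertion(xml_text, role):
    """List everything in the assertion that does not match the article's settings for `role`."""
    fmt, attrs = parse_assertion(xml_text)
    present = {k for k, v in attrs.items() if v}   # attributes that carry at least one value
    problems = []
    if fmt != PERSISTENT:
        problems.append(f"NameID format is {fmt}, expected Persistent")
    for name in ("email", "firstName", "lastName"):
        if not (attrs.get(name) or [""])[0]:
            problems.append(f"missing attribute {name}")
    if "@" not in (attrs.get("email") or ["@"])[0]:
        problems.append("email is not a valid email address")
    for name in sorted(REQUIRED[role] - present):
        problems.append(f"{role} requires {name}")
    for name in UUID_ATTRS:
        if len(attrs.get(name, [])) > 1 and name != MULTI.get(role):
            problems.append(f"{name} may hold only one value for {role}")
    return problems

# Constructed sample (not captured from Okta): a Store Manager assigned two stores; UUIDs are
# placeholders. Assumes Okta emits a string-array attribute as repeated AttributeValue elements.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML[1:-1]}">
<saml:Subject><saml:NameID Format="{PERSISTENT}">jane</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groupUuids"><saml:AttributeValue>GROUP-UUID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="storeUuids"><saml:AttributeValue>STORE-UUID-1</saml:AttributeValue><saml:AttributeValue>STORE-UUID-2</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

Run `check_assertion(SAMPLE, "Store Manager")` for an empty list; the same assertion checked as "World Manager" reports that storeUuids may hold only one value for that role.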
World Manager Configuration
Contact Support
All SSO-related configuration on the World Manager end is handled by the Support Team and is not visible within the platform. So, whenever you are ready to enable this authentication method, please send an email to wmsupport@franconnect.com with the following details:
- ‘Identity Provider Single Sign-On URL’ value
- ‘Identity Provider Issuer’ value
- X.509 Certificate file
Note: These values are from the 'Sign On Settings' section that you were previously instructed to download/copy.