What does the Okta integration do?
Okta is the foundation for secure connections between people and technology. Okta's IT products uniquely use identity information to grant people access to applications on any device at any time, while still enforcing strong security protections. Okta's Platform securely connects companies to their customers and partners. Today, thousands of organizations trust Okta to help them fulfill their missions as quickly as possible.
Okta supports the following enterprise identity management features for Litmos as an Okta Cloud Connect Technology Partner:
- Application visibility
- Application Auto-launch
- Browser Plugin to Auto-submit credentials
- Virtual Private Network imposition
- Secure Web-Authentication (SWA)
- SAML 2.0
- Sign On Policies
- Provisioning Features
- Profile Attributes & Mappings
- Groups and Push Groups
- Access Logs
Litmos offers SAML integration with Single Sign On using Okta as an IdP (Identity Provider). This integration will allow users of Okta to login directly to their Litmos learning accounts and automatically provision new users in the system. Through the use of active directory integration through Okta this will streamline the efforts needed to administer users in Litmos. The steps outlined below will allow for this integration.
Supported Features for the Integration
The Okta/Litmos SAML integration currently supports the following features:
- IdP-initiated SSO
- Just In Time (JIT) Provisioning
Add Litmos to Okta
Before your organization can begin using Litmos with Okta, an Okta Administrator will need to add the Litmos app to the Okta account. An Okta Administrator can perform this by navigating to the "Applications" tab, clicking on the "Add Application" button and then choosing to "add" the Litmos app to Okta:
Configure General Settings in Okta
Once Litmos has been added, the next step for the Okta Administrator will be to configure the "General Settings" for the Litmos app. This includes creating an application label, confirming the Litmos login URL, configuring the application's visibility and determining the use of the browser plugin:
The application label is what displays to end-users when viewing the app in Okta. The login URL is the destination for the user login, which can be a ".Litmos.com" domain or a custom domain. Check your Litmos account to verify the login URL.
The application visibility is what determines if end-users in Okta will be able to view the Litmos app on the Okta content tab, or add the app to their content tab.
SAML SSO Configuration
Sign into your Litmos account.
Click on the Account settings icon on the left side menu (or from the profile dropdown in horizontal theme), then select Integrations:
Select SAML 2.0 (Single Sign On):
Copy and paste the metadata file in the SAML Metadata field. This can be found in Okta under Sign On > View Setup Instructions
Important! Exclude the following first line of the metadata as Litmos gives an error if it is included in the metadata: <?xml version="1.0" encoding="UTF-8"?>.
Click Save changes:
Important Note: If your IDP doesn't support encrypted assertions, make sure "Verify assertion signatures and encryption" is unchecked or you will encounter an error.
Okta User Provisioning Configuration
Check the Enable API Integration box.
Enter your Litmos API Credentials:
- Base API URL: Automatically added.
- In the field titled 'Base API URL', populate: https://api.litmos.com
- Company: Enter your company name. This is used to identify you in Litmos. You can enter any value that identifies your organization in Litmos.
- API Key: Enter the API key you copied from Litmos (see Requirements above). Also, make sure that your AccessLevel is Administrator or Account Owner.
3. Click Test API Credentials. If your API credentials are valid, you will see a success message, as shown here:
4. Select To App in the left panel, then select the Provisioning Features you want to enable:
5. Click Save.
6. You can now assign people to the app, if needed (see below).
To assign users to the Litmos app, open the app, select the People tab and then click the Assign to People button:
In the Assign Litmos to People dialog, select a user, then click the Assign button:
You can select which access level grant to each user by selecting the corresponding value from the AccessLevel dropdown menu:
Click the Save and Go Back button.
Deep Linking into a Course or Learning Path from Okta
Here is the link for an article which will give you an overview of how you can use deeplinks for Okta integration:
Note: The user must be assigned directly or have the course or learning path added to the Course library to have access to it. If they do not have access to it, they will receive a "Invalid Access" error message.