Okta support for SSO with ClientSuccess
ClientSuccess supports Okta as an Identity Provider (IdP) through the OpenID Connect (OIDC) protocol. Each client using Okta as their IdP requires specific configuration. Please follow the steps below to begin the implementation of Okta SSO.
Special Notes
- If you are interested in enabling SSO with your IdP, please contact your CSM, who will submit a support ticket on your behalf and copy you on it so that you receive the registration ID.
- New user seat creation is not supported. Users must already exist or be created within ClientSuccess before they can be authenticated via the IdP.
- Only your ClientSuccess administrator will be able to access and configure SSO for your account.
- SSO is a ClientSuccess optional feature. It is not included in the standard platform license.
ClientSuccess Setup
During the implementation, your ClientSuccess CSM or Support Rep will activate the SSO feature for you and provide the configuration details that you will need to support setup within Okta.
Okta Setup
Prerequisites
- Registration ID from ClientSuccess. Ask your CSM at ClientSuccess to obtain it from support.
- You will need the SSO callback and authorization URL specific to your account.
- This configuration will need to be completed by an Okta administrator.
Add an OpenID Connect Client (Okta Administration Required)
1) Log into the Okta Administration Dashboard.
2) Click Applications then Add Application.
3) Choose Web as the platform then populate the OpenID Connect application settings:
Setting | Value | Description |
---|---|---|
Application Name | ClientSuccess | |
Base URIs | https://app.clientsuccess.com | |
Login Redirect URIs | https://app.clientsuccess.com/login/oauth2/callback/<registrationId> | Replace the registration ID with the ID provided to you in the initial stage of implementation. |
Grant Types Allowed | Authorization Code | |
4) Click Done
5) You can download and add this ClientSuccess logo for the newly created application by selecting the edit icon next to the gear logo and uploading the logo.
6) After you have created the application there are three values that you will need to gather and provide to the ClientSuccess team to finish configuration within the ClientSuccess system.
Setting | Where to Find |
---|---|
Client ID | In the applications list, or on the "General" tab of a specific application. |
Client Secret | On the "General" tab of a specific application. |
Org URL | On the home screen of the dashboard, in the upper right. |
Note: The Client Secret must be kept confidential and only used for the ClientSuccess system.
Advanced Configuration
If you would like users to be able to add the newly created ClientSuccess app to their Okta dashboard and initiate login directly from within Okta, make the following adjustments on the General Settings screen of the application.
Setting | Value | Description |
---|---|---|
Allowed Grant Types | Authorization Code and Implicit (Hybrid) | |
Login Initiated By | Either Okta or App | |
Login Flow | Redirect to app to initiate login (OIDC Compliant) | |
Initiate Login URI | https://app.clientsuccess.com/login/oauth2/authorize/<registrationId> | Replace the registration ID with the ID/URI provided to you. |
Testing
After completing the Okta setup, provide the Client ID, Client Secret, and Org URL to your CSM. They will complete the configuration within the ClientSuccess system.
Once the configuration is complete, it's time to test.
- Open a browser
- Paste the https://app.clientsuccess.com/login/oauth2/authorize/<registrationId> URI into the browser, replacing <registrationId> with the ID provided to you.
- The browser should redirect to Okta, prompt for login (if not already logged in), and then redirect to ClientSuccess.
After a successful test, your ClientSuccess account can be configured to use the SSO IdP. Use of the IdP can be optional for users or forced. If forced SSO is enabled, non-admins will no longer be able to log in to ClientSuccess directly with a username and password.
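To confirm that the redirect in the test above carries the values configured in Okta, copy the Okta URL the browser was sent to and check it. The Python below is an added example, not ClientSuccess or Okta code; it assumes the standard OIDC authorization-request parameters (client_id, response_type, redirect_uri, state, scope), and the Org URL, client ID and registration ID in it are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Callback prefix from the "Login Redirect URIs" row of the setup table.
CALLBACK_BASE = "https://app.clientsuccess.com/login/oauth2/callback/"

def check_authorize_redirect(url, org_url, client_id, registration_id):
    """Return a list of problems in a captured redirect to Okta (empty = OK)."""
    problems = []
    target, org = urlsplit(url), urlsplit(org_url)
    query = parse_qs(target.query)  # blank values are dropped, so "state=" counts as missing

    def expect(name, wanted=None):
        values = query.get(name, [])
        if len(values) != 1:  # missing or duplicated parameter
            problems.append(f"{name}: expected one value, found {len(values)}")
            return ""
        if wanted is not None and values[0] != wanted:
            problems.append(f"{name}: got {values[0]!r}, expected {wanted!r}")
        return values[0]

    if target.scheme != "https" or target.netloc.lower() != org.netloc.lower():
        problems.append(f"host: redirected to {target.netloc!r}, not the Org URL host")
    expect("client_id", client_id)
    expect("response_type", "code")  # base setup allows only Authorization Code
    # Must equal the registered Login Redirect URI character for character.
    expect("redirect_uri", CALLBACK_BASE + registration_id)
    expect("state")  # ties the callback to this browser session
    scope = expect("scope")
    if scope and "openid" not in scope.split():
        problems.append("scope: 'openid' is missing, so this is not an OIDC request")
    return problems

# Constructed sample values, not real tenant data.
ORG_URL = "https://example.okta.com"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REGISTRATION_ID = "example-registration-id"

def sample_redirect(**overrides):
    """Build a constructed authorize URL; keyword arguments override parameters."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "scope": "openid profile email", "state": "Zm9vYmFy",
              "redirect_uri": CALLBACK_BASE + REGISTRATION_ID}
    params.update(overrides)
    return ORG_URL + "/oauth2/v1/authorize?" + urlencode(params)

if __name__ == "__main__":
    bad = sample_redirect(redirect_uri=CALLBACK_BASE + "other-id")
    for label, url in [("good", sample_redirect()), ("wrong callback", bad)]:
        print(label, check_authorize_redirect(url, ORG_URL, CLIENT_ID, REGISTRATION_ID))
```

An empty list means the request matches the base setup; if the Advanced Configuration grant types are in use, adjust the `response_type` expectation accordingly.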