Okta Single Sign-On (SSO) Integration Guide

Gretchen

This guide explains how to set up Okta Single Sign-On (SSO) so your users can access Emtrain with their existing login credentials, rather than a separate login process.

Requirements

To integrate Emtrain with Okta SSO, you need the following:

  1. An active Emtrain account.
  2. An active Okta account.
  3. A unique email address for every user.
  4. A valid email address for all users in Okta.
  5. The API key for your account. Obtain your API key by navigating to Site Config from the Manage Menu. Select the Integrations tab and then the option to Enable SSO.

Each user’s email address in Emtrain must match their primary email address in Okta.

Once you save the integration, username and password authentication will be disabled on your Emtrain account. This means that when you or your team members go to access your Emtrain account, you'll be redirected to complete the SSO authentication process instead of entering a username and password.

This change happens immediately after you complete the integration setup, so make sure your team is prepared for the new login process.

How the Integration Works

When a user signs into their Emtrain account via Okta SSO, the following chain of events occurs:

  1. The user accesses the “App Embed URL,” an Okta URL. The user can access this link in one of two ways:
    • By selecting the Emtrain tile in their Okta user portal.
    • When the user goes to their account’s home page on Emtrain, they are automatically re-directed to the App Embed URL and sent through the SAML authentication process.
  2. Okta then checks if the user has an active, valid Okta session. If they do not, they are prompted to log into their Okta account. Once the user has an active session, Okta sends a request containing authentication and user information (the “SAML Assertion”) to Emtrain.
  3. Emtrain validates the following items when the SAML Assertion is received from Okta:
    1. API key/Account ID
    2. Okta X.509 Certificate
    3. User Email
      • If the user email on the SAML assertion corresponds to a user on your Emtrain account, the user is logged in.
      • If the user email on the SAML assertion does not correspond to a user on your Emtrain AI account, an error message is displayed.
      • Optionally, you can request your Emtrain account be enabled for Self-Signup which allows for a user to be created on your Emtrain account with the First Name, Last Name and Email Address from the SAML assertion.

Configuration and Setup

Before getting started, obtain:

  1. Your Emtrain account's subdomain. Find this by navigating to Site Config via the Manage menu. It is also the first part of the address you use to visit Emtrain, the "yourcompany" section in this example: https://yourcompany.app.emtrain.com/home.
  2. The API key for your Emtrain account (obtain this by navigating to the Site Config area of the Manage menu and choose the Integrations tab, then Enable SSO).

Once you have those two items, you can create the Okta portion of the SSO application.

Setup in Okta

  1. Log into the Okta admin area. (Note: If you’re in the “developer console” area, please switch over to the “Classic UI” section.)
  2. Select the Applications link, select Applications from the menu, then select the Add Application button. Select the Create New App button.
  3. In the Create a New Application Integration dialog, use the default selection of “Web” for Platform, and select SAML 2.0 as the Sign on method. Select the Create button.
  4. On the General Settings dialog, enter Emtrain as the App Name and upload an Emtrain logo. Select the Next button.
  5. On the Configure SAML dialog, enter the following values in the General section of A. SAML Settings. For any Emtrain URL listed here, replace the "yourcompany" portion of the URL with your account's subdomain. When inserting your API key, do not wrap the key in brackets.
    • Single sign on URL: https://yourcompany.ai-api.emtrain.com/authentication/saml?key=[account API key]
    • Leave “Use this for Recipient URL and Destination URL” checked.
    • Audience URI (SP Entity ID): Use the Single sign on URL here: https://yourcompany.ai-api.emtrain.com/authentication/saml?key=[account API key]
    • Default Relay State: https://yourcompany.app.emtrain.com/saml
    • Name ID Format: Use the default value of Unspecified.
    • Application Username: Email.
    • Update application username on: Use the default value of Create and Update.
  6. On the Configure SAML dialog, enter the following values in the Attributes Statement section of A. SAML Settings.
    • Add a new attribute, API_KEY:
      Name: API_KEY
      Format: Basic
      Value: Your Emtrain account’s API key
    • Add a new attribute, Email:
      Name: Email
      Format: Basic
      Value: user.email (select the user.email value in the dropdown menu)
    • Add a new attribute, FirstName:
      Name: FirstName
      Format: Basic
      Value: user.firstName (select the user.firstName value in the dropdown menu)
    • Add a new attribute, LastName:
      Name: LastName
      Format: Basic
      Value: user.lastName (select the user.lastName value in the dropdown menu)
  7. In section B, “Preview the SAML assertion generated from the information above,” select the <> Preview SAML Assertion button, and verify that the SAML Assertion XML contains the SSO URL (in the Recipient element) and the attributes you created in Step 6.
  8. When you have finished validating the SAML Assertion XML, select the Next button.
  9. Select the “I'm an Okta customer adding an internal app” option and select the Finish button.
  10. In the Emtrain application page, select the Sign On link, and select the View Setup Instructions button.
  11. On the How to Configure SAML 2.0 for Emtrain Application page, copy the Identity Provider Single Sign-On URL and copy or download the X.509 Certificate. You will need to enter these values in your Emtrain account to complete the setup and configuration of the SSO integration.

This completes the configuration of the Okta portion of the integration.
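
The verification in step 7 can also be run against a saved copy of the assertion preview. The script below is an added example, not part of Emtrain's or Okta's documentation; the sample assertion, the EXAMPLE-KEY-0000 key and the mis-cased attribute are constructed, and the check compares attribute names exactly as written in step 6.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
REQUIRED = ("API_KEY", "Email", "FirstName", "LastName")  # names from step 6

def check_assertion(xml_text, sso_url):
    """Return a list of problems in a saved assertion preview (empty list = OK).
    Messages never echo the API key, so the output is safe to paste in a ticket."""
    problems = []
    root = ET.fromstring(xml_text)
    url_key = parse_qs(urlsplit(sso_url).query).get("key", [""])[0]
    if not url_key or url_key.startswith("["):
        problems.append("SSO URL has no key, or the key is wrapped in brackets")

    # Step 7: the Recipient on SubjectConfirmationData must be the SSO URL.
    recipients = [e.get("Recipient") for e in root.iter(SAML + "SubjectConfirmationData")]
    if sso_url not in recipients:
        problems.append("Recipient does not match the Single sign on URL")

    # This check is case-sensitive: 'email' does not satisfy 'Email'.
    attrs = {}
    for attr in root.iter(SAML + "Attribute"):
        value = attr.find(SAML + "AttributeValue")
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append("missing or empty attribute: " + name)
    if attrs.get("API_KEY") and attrs["API_KEY"] != url_key:
        problems.append("API_KEY attribute differs from the key in the SSO URL")
    return problems

# Constructed sample: placeholder key, and LastName deliberately mis-cased.
SSO_URL = "https://yourcompany.ai-api.emtrain.com/authentication/saml?key=EXAMPLE-KEY-0000"
SAMPLE = f"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Subject><saml2:SubjectConfirmation>
  <saml2:SubjectConfirmationData Recipient="{SSO_URL}"/>
 </saml2:SubjectConfirmation></saml2:Subject>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="API_KEY"><saml2:AttributeValue>EXAMPLE-KEY-0000</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Email"><saml2:AttributeValue>user@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Test</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="lastname"><saml2:AttributeValue>User</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, SSO_URL) or ["assertion preview looks complete"]:
        print(problem)
```

Because the assertion and the Single sign on URL both carry the account API key, keep the saved preview out of shared folders and delete it after the check.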

Setup in Emtrain

To complete the integration:

  1. Navigate to the Integration tab under Site Config.
  2. Select Enable SSO then choose Okta SSO under the Provider dropdown.
  3. Add the X.509 Certificate and SSO Entry Point to the corresponding boxes, then select Save.

    Include only the certificate values. Do not include the “Begin” and “End” lines:
    -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

  4. Optionally, if you wish to redirect your users to a specific URL when they log out of Emtrain, enter that URL in the SSO Logout Redirect URL text field. If this field is left blank, users will be redirected to an Emtrain Logged Out page upon logging out.

We offer Just-in-Time (JIT) provisioning, which works with SSO. This enables automatic user profile creation the first time a user logs into Emtrain via SSO. Learn about Just-in-Time Provisioning with SSO.

Validating the Setup

Once both sides of the integration are set up, testers at the client’s organization can validate that the integration functions properly. Verify that the user is logged into Emtrain if the user exists in both Okta and Emtrain (email address must be the same on both platforms).

  1. When the test user logs into the Okta portal, they should select the Emtrain tile. The user should see a “Signing into Emtrain” page, and then their Emtrain learner portal. Their name should be displayed in the upper left corner (for desktop users) or in the Update Profile section (for tablet/mobile users).
  2. In a new browser tab without an active Okta session, the test user opens the account’s Home URL: https://yourcompany.app.emtrain.com/home. The user should be redirected to an Okta login page on Okta’s domain. Upon a successful login with the user’s Okta credentials, the user should be redirected to their Emtrain home portal.

How Users Log into Emtrain

Be sure to assign the Emtrain app to all users via Okta. We recommend working with your IT team to assign access just before you deploy training (for example, fewer than 12 hours prior) to prevent users from exploring Emtrain too soon.

As long as users are signed into your SSO, they can access Emtrain:

  • Through the Emtrain tile in your Single Sign-On access panel.
  • Via links in notification emails.
  • From your account URL.

If a user isn’t yet signed into SSO, they’ll be redirected to your SSO login.
