Connect Admin - SSO-with SAML Protocol using OKTA

What?

Setting up single sign-on for Connect users.

Who?

Company IT person will need to fill out settings which will largely come from their OKTA SSO SAML.

How?

Before you get started

• Log into Connect at https://connect.calltower.com/connect
• Log into your admin.okta.com account. Your url will be unique to your organization.

 Enabling SAML

Enable SAML SSO in Connect under Customers/Manage Services/Single Sign-On/SAML SSO and Save. Wait for your event to complete. This will not lock out any users from signing in using MFA.

See below:

SAML is now enabled so that you can fill out the SAML settings.

 Filling out Customer SAML Settings

You will be creating a new SAML Integration inside of Okta and then enter the settings from that setup inside of Connect.  Go to the SAML Settings page inside of Connect by navigating to Menu/Administration/Corporate Administration/SAML. See below:

First, click on the button: ‘SP Metadata Download’ and open the file. It will open in a browser and look like below. We will need this file for the next step, but you can close this browser tab.

Now inside of Okta, click on Applications/Applications and then click the ‘Create App Integration’ button.

Click SAML 2.0 and then Next:

Enter an App name and click Next:

Open the SP Metadata file that you downloaded from the Connect SAML screen above. Copy the highlighted text in the screenshot below. It is listed on the last line in the metadata file as ‘Location =’. Paste this text into the Single sign-on URL field in OKTA.

Copy the highlighted text in the screenshot below. It is listed near the top of the screen where it lists ‘entityID=’. Paste this text into the ‘Audience URI (SP Entity ID)’ field in OKTA.

Set the ‘Name ID format’ dropdown in OKTA to ‘Persistent’.

Click to expand ‘Show Advanced Settings’ to view additional options.

Set the ‘Assertion Encryption’ dropdown to ‘Encrypted’

Inside of Connect, click on the button ‘Download Connect Public Certificate’. Once downloaded, go back to OKTA and click on ‘Browse files’ next to ‘Encryption Certificate’ and find and select the Connect Public Certificate file.

Once the certificate is loaded, scroll to the bottom of the screen in OKTA and click Next and then click Finish.

Now we need to add the OKTA metadata url file into Connect, but first we need open and edit the file and upload it into Connect with the changes. 

After clicking Finish above, you should be in the ‘Sign On’ tab. Scroll down until you see the ‘Metadetails’ section. Click on ‘Copy’ next to ‘Metadata URL’.

Open a new browser tab to paste the copied url in and hit Enter to go to the url. The xml data will appear in your new browser tab.

Right-click anywhere in this new tab and click Save-As to save as OktaMetadata and Save.

Once saved, find the file and open with Notepad to make the changes.

Delete the highlighted ‘NameIDFormat:persisitent’ tag from the file like below and save the file:

Back inside Connect, click ‘Upload IDP Metadata File’. Find and select the OktaMetadata xml file. Once done, click on the ‘Upload IDP Metadata File’ button a 2^nd time and you will get a pop up saying it uploaded successfully.

Now we need to assign the application for testing. In Okta, go to Directory/People and click on the username’s hyperlink of the user you want to set up under ‘Person & Username’:

Click ‘Assign Applications’

Click ‘Assign’ next to the Application you just created.

If your username is not set to your Connect login username, you must edit it now. Then click ‘Save and Go Back’. Then click ‘Done’.

Everything is set and you can now try logging into your Connect account using OKTA SAML SSO.

Open up a new private tab in your browser to ensure there is no saved data in your Connect login screen. Go to https://connect.calltower.com/connect, enter in your Connect username to the username field and click on the ‘Single Sign On’ button.

You should then see the OKTA login screen where you can log in withyour OKTA login information.

Once you have successfully logged in, you should be redirected to be logged into your account in Connect.

Additional Definitions

Name ID Format:

• Unspecified: This setting will look at company’s id fields during sign-in communication and attempt to map to the usernames in Connect.  
• Email Address: This setting will look at company’s email id fields during sign-in communication and attempt to map to the usernames in Connect. 
• Persistent: Additional setup required under Menu/Users. Select a user and navigate to User Settings/User SAML. Set the identifier from the SSO Provider and check the ‘Disable Password Login’ box and save.

User SAML settings

• Identifier- If needed, you can enter in the identifier that you would like to use rather than the Connect username. 
• Disable Password Login – When enabling SSO for a customer, it will default all users to disable their password logins.  All new users will also be created without the ability to login to Connect with their passwords.  If you have a user that is required to log in with a password, you can uncheck the specified box.  Otherwise, when they attempt to login, it will inform them to login with SSO.

 

Troubleshooting

If you get a 404 Not found error when trying to log in, double check that the ‘Single Sign-On’ and the ‘Recipient URL’ fields in OKTA start with ‘https://’ and not just ‘http://’. These fields are under Application/Application/General: