CallTower Solutions Center

Connect Admin - SSO with SAML Protocol using OKTA

What?

Setting up single sign-on for Connect users.

Who?

The company's IT person will need to fill out the settings, most of which come from their OKTA SSO SAML setup.

How?

Before you get started

 Enabling SAML

Enable SAML SSO in Connect under Customers/Manage Services/Single Sign-On/SAML SSO and Save. Wait for your event to complete. This will not lock out any users from signing in using MFA.

SAML is now enabled so that you can fill out the SAML settings.

 Filling out Customer SAML Settings

You will create a new SAML integration inside Okta and then enter the settings from that setup into Connect. Go to the SAML Settings page inside Connect by navigating to Menu/Administration/Corporate Administration/SAML.

First, click the ‘SP Metadata Download’ button and open the file. It will open in a browser tab. We will need this file for the next step, but you can close this browser tab.

Now inside of Okta, click on Applications/Applications and then click the ‘Create App Integration’ button.

Click SAML 2.0 and then Next:

Enter an App name and click Next:

Open the SP Metadata file that you downloaded from the Connect SAML screen above. Copy the text highlighted in the screenshot: it is listed on the last line of the metadata file as ‘Location=’. Paste this text into the ‘Single sign-on URL’ field in OKTA.

Copy the highlighted text in the screenshot below. It is listed near the top of the screen where it lists ‘entityID=’. Paste this text into the ‘Audience URI (SP Entity ID)’ field in OKTA.
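
The two copy steps above can also be scripted. This is an added example, not CallTower or Okta code: it reads the ‘Location=’ and ‘entityID=’ values out of SP metadata and checks that the sign-on URL uses https://. The sample metadata and its hostnames are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for the 'SP Metadata Download' file;
# the hostnames and paths are placeholders, not Connect's real values.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_fields_from_sp_metadata(xml_text):
    """Return the two values the Okta SAML form needs from SP metadata."""
    # SAML metadata needs no DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    acs = [e for e in root.iter(MD + "AssertionConsumerService")
           if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    return {
        # The page copies the Location from the last line of the file.
        "Single sign-on URL": acs[-1].get("Location", ""),
        "Audience URI (SP Entity ID)": root.get("entityID", ""),
    }


def sso_url_is_https(fields):
    """True when the sign-on URL is an absolute https:// URL."""
    parts = urlsplit(fields["Single sign-on URL"])
    return parts.scheme == "https" and bool(parts.netloc)


if __name__ == "__main__":
    fields = okta_fields_from_sp_metadata(SAMPLE_SP_METADATA)
    for name, value in fields.items():
        print(f"{name}: {value}")
    print("sign-on URL uses https:", sso_url_is_https(fields))
```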

Set the ‘Name ID format’ dropdown in OKTA to ‘Persistent’.

Click to expand ‘Show Advanced Settings’ to view additional options.

Set the ‘Assertion Encryption’ dropdown to ‘Encrypted’.

Inside of Connect, click on the button ‘Download Connect Public Certificate’. Once downloaded, go back to OKTA and click on ‘Browse files’ next to ‘Encryption Certificate’ and find and select the Connect Public Certificate file.

Once the certificate is loaded, scroll to the bottom of the screen in OKTA and click Next and then click Finish.

Now we need to add the OKTA metadata file into Connect, but first we need to open and edit the file, then upload it into Connect with the changes.

After clicking Finish above, you should be in the ‘Sign On’ tab. Scroll down until you see the ‘Metadata details’ section. Click on ‘Copy’ next to ‘Metadata URL’.

Open a new browser tab, paste the copied URL into it, and press Enter to go to the URL. The XML data will appear in your new browser tab.

Right-click anywhere in this new tab, click ‘Save As’, name the file OktaMetadata, and click Save.

Once saved, find the file and open with Notepad to make the changes.

Delete the highlighted ‘NameIDFormat:persistent’ tag from the file and save the file.
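
A scripted version of this edit, as an added example that is not CallTower or Okta code. It removes only the persistent NameIDFormat element and confirms that the rest of the metadata is unchanged, which a hand edit in Notepad cannot show. It assumes the tag carries the standard SAML 2.0 persistent URN; the sample file, its URLs and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample standing in for the saved OktaMetadata file; the
# entityID and URLs are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.example.invalid/EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.invalid/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Matches the whole line holding the persistent NameIDFormat element.
_TAG = re.compile(
    r"[ \t]*<((?:[\w.-]+:)?NameIDFormat)>\s*" + re.escape(PERSISTENT)
    + r"\s*</\1>[ \t]*(?:\r?\n)?")


def strip_persistent_nameid(xml_text):
    """Delete the persistent NameIDFormat element, leaving all else as-is."""
    edited, removed = _TAG.subn("", xml_text)
    if removed != 1:
        raise ValueError(f"expected exactly one persistent tag, found {removed}")
    ET.fromstring(edited.encode("utf-8"))  # the edit must leave valid XML
    return edited


def summarize(xml_text):
    """NameID formats and SSO endpoints that the metadata advertises."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {
        "formats": [(e.text or "").strip() for e in root.iter(MD + "NameIDFormat")],
        "sso": [e.get("Location") for e in root.iter(MD + "SingleSignOnService")],
    }


if __name__ == "__main__":
    before = summarize(SAMPLE_IDP_METADATA)
    after = summarize(strip_persistent_nameid(SAMPLE_IDP_METADATA))
    print("removed:", set(before["formats"]) - set(after["formats"]))
    print("endpoints unchanged:", before["sso"] == after["sso"])
```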

Back inside Connect, click ‘Upload IDP Metadata File’. Find and select the OktaMetadata xml file. Once done, click on the ‘Upload IDP Metadata File’ button a 2nd time and you will get a pop up saying it uploaded successfully.

Now we need to assign the application for testing. In Okta, go to Directory/People and click on the username’s hyperlink of the user you want to set up under ‘Person & Username’:

Click ‘Assign Applications’.

Click ‘Assign’ next to the Application you just created.

If your username is not set to your Connect login username, you must edit it now. Then click ‘Save and Go Back’. Then click ‘Done’.

Everything is set and you can now try logging into your Connect account using OKTA SAML SSO.

Open a new private tab in your browser to ensure there is no saved data in your Connect login screen. Go to https://connect.calltower.com/connect, enter your Connect username in the username field and click on the ‘Single Sign On’ button.

You should then see the OKTA login screen where you can log in with your OKTA login information.

Once you have successfully logged in, you should be redirected to Connect and logged into your account.

Additional Definitions

Name ID Format:

  • Unspecified: This setting will look at the company’s ID fields during sign-in communication and attempt to map them to the usernames in Connect.
  • Email Address: This setting will look at the company’s email ID fields during sign-in communication and attempt to map them to the usernames in Connect.
  • Persistent: Additional setup required under Menu/Users. Select a user and navigate to User Settings/User SAML. Set the identifier from the SSO Provider and check the ‘Disable Password Login’ box and save.

User SAML settings

  • Identifier – If needed, you can enter the identifier that you would like to use rather than the Connect username.
  • Disable Password Login – When SSO is enabled for a customer, password login is disabled for all users by default. All new users will also be created without the ability to log in to Connect with their passwords. If you have a user that is required to log in with a password, you can uncheck the specified box. Otherwise, when they attempt to log in, it will inform them to log in with SSO.

Troubleshooting

If you get a 404 Not found error when trying to log in, double check that the ‘Single Sign-On’ and the ‘Recipient URL’ fields in OKTA start with ‘https://’ and not just ‘http://’. These fields are under Application/Application/General:

 
