This article explains the steps needed to implement SSO and/or User Provisioning through Okta. First we explain how to set up Okta in one single location, then we explain how to set it up if you use Proxyclick in many locations.

Requirements:

  • Plan Large and Enterprise
  • Admin access to Proxyclick (for every location)

Setting up Okta in 1 single location

Step 1: Add an application

Log into Okta. Go to Admin > Applications.

Pasted image at 2016_06_22 02_40 PM

Click on Add application.

okta-add-application-2

Search for Proxyclick and click on Add.

okta-add-application-3

Go to the Proxyclick Marketplace and install Okta.

Copy the Company ID from the Okta configuration page in Proxyclick and paste it in the Company Id on OneLogin.

You do not need to check the 2 boxes next to Application Visibility. Click on Next.

okta-add-application-4

Click on Next (we will activate user provisioning later).

okta-add-application-5

This step is optional. Click on Next.

okta-add-application-6

Click on Done.

 

Step 2: Configure single sign-on (SSO) based on SAML 2.0

Open the Proxyclick app in Admin > Applications and go to the Sign On tab.

okta-sso-1

Click on Edit.

okta-sso-2

Select Email for Application username format and click on Save.

Click on View Setup Instructions.

Pasted image at 2016_06_22 03_00 PM

Copy the IDP Issuer/Entity ID, the Login URL/SignOn URL and the x.509 Certificate.

Paste the information copied from Okta in the Okta configuration page in Proxyclick.

Paste the 3 values copied from Okta and click on Save changes.

 

Step 3: Configure user provisioning

Open the Proxyclick app in Admin > Applications and go to the Provisioning tab.

okta-user-provisioning-1

Click on Enable Provisioning.

okta-user-provisioning-2

Check the box Enable provisioning features.

okta-user-provisioning-3

If you didn’t do it already, go to the Proxyclick Marketplace and install Okta.

Then go to the Okta configuration page in Proxyclick and copy the Base URL and the API Token to paste them in Okta.

Scroll down to enable provisioning feature(s) you want to use.

Feature User Import

okta-user-provisioning-5

Select your preferred period in the Schedule import list if you want to activate the user import. Leave the other parameter to their default.

Feature Create Users

okta-user-provisioning-6

Check the box Enable to activate the creation of the user in Proxyclick when the user is assigned to the Proxyclick app.

Feature Update User Attributes

okta-user-provisioning-7

Check the box Enable to update the user profile in Proxyclick when the user info is updated in Okta.

Feature Deactivate Users

okta-user-provisioning-8

Check the box Enable to delete the user in Proxyclick when the user is unassigned from the Proxyclick app or when the user is deactivated in Okta.

Click on Save.

 

Setting up Okta in many locations

User Provisioning

If you use Proxyclick across multiple locations, you’ll need to follow the steps 1 and 3 described above for every location (1 Proxyclick location = 1 Okta app).

SSO

Regarding Single Sign-On, you have 2 options:

Option 1 is to set up SSO for every location (follow Step 2 described above for every location). Users with access to x locations will then see x Proxyclick icons (1 per location).

Option 2 is to set up only 1 SSO link that works for every user. All users see only one Proxyclick icon that leads every user to her home location (can be different per user). Here are the steps to follow in order to set up option 2

  • On all applications you created in Okta for User Provisioning, please check the option “Do not display application icon to users”

okta-add-application-3

  • Create one additional application in Okta and activate SSO (Steps 1 and 2 above). This application should not correspond to any physical office but only exists to manage SSO at the global level. Do NOT provision users in this application. For this application please leave “Do not display application icon to users” unchecked.
  • Send the following 3 elements to support@proxyclick.com: IDP Issuer/Entity ID, the Login URL/SignOn URL and the x.509 Certificate
  • We will then create a so-called “landing location”: a Proxyclick location with the SSO certificate you just sent but without users. Once set up, your users only see one Proxyclick icon leading to the landing location. They will then be immediately routed to their home location. From a user perspective, they will immediately land into their real home location (they do not notice they first log in the landing location)

Please let us know if you have any questions. We’re here to help!

FacebookGoogle+EmailTwitterLinkedIn