Okta Workforce
Configure Single Sign-On (SSO) with Okta Workforce Identity to enable seamless authentication for your ept AI users using their existing Okta credentials.
Overview
The Okta Workforce SSO integration enables your ept AI users to:
- Sign in using their existing Okta Workforce Identity credentials
- Access ept AI without creating separate accounts
- Benefit from centralized identity management and security policies
- Use multi-factor authentication (MFA) configured in Okta
This integration supports SAML 2.0 authentication and follows enterprise security best practices for identity federation.
Prerequisites
Before setting up the Okta Workforce SSO integration, ensure you have:
- Okta Workforce Identity: Active Okta Workforce Identity subscription
- Admin Access: Okta administrator access to configure applications
- ept AI Setup: Your ept AI instance configured and ready
- Domain Control: Ability to configure DNS records for your domain
Setup Instructions
Step 1: Configure Application in Okta
- Create New Application:
  - Log into your Okta admin console
  - Navigate to Applications > Applications
  - Click "Create App Integration"
  - Select "SAML 2.0" as the sign-in method
  - Click "Next"
- Configure Application Settings:
  - App name: "ept AI"
  - App logo: Upload ept AI logo (optional)
  - App visibility: Choose appropriate visibility settings
  - Click "Next"
- Configure SAML Settings:
  - Single sign on URL: https://your-ept-ai-domain.com/saml/acs
  - Audience URI (SP Entity ID): https://your-ept-ai-domain.com/saml/metadata
  - Default RelayState: Leave blank or set as needed
  - Name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - Application username: email
  - Update application username on: Create and update
- Attribute Statements: Add the following attribute mappings:
    email -> user.email
    firstName -> user.firstName
    lastName -> user.lastName
    groups -> user.groups
- Group Attribute Statements (Optional):
    groups -> user.groups
Step 2: Configure ept AI for Okta SSO
- Access SSO Settings:
  - Log into your ept AI admin dashboard
  - Navigate to Configuration > Users > SSO Settings
  - Click "Configure SSO"
  - Select "Okta Workforce" as the SSO provider
- Configure SAML Settings:
    SSO Provider: Okta Workforce
    Entity ID: https://your-ept-ai-domain.com/saml/metadata
    ACS URL: https://your-ept-ai-domain.com/saml/acs
    Signing Certificate: [Upload from Okta]
- Attribute Mapping: Configure how Okta attributes map to ept AI user properties:
    {
      "attribute_mapping": {
        "email": "user.email",
        "first_name": "user.firstName",
        "last_name": "user.lastName",
        "groups": "user.groups"
      }
    }
Step 3: Test and Activate SSO
- Test Configuration:
  - Use Okta's built-in SAML testing tools
  - Verify attribute mapping and user provisioning
  - Test sign-in flow from Okta to ept AI
- Activate Integration:
  - Enable SSO in ept AI admin settings
  - Configure fallback authentication options
  - Set up user provisioning rules
Configuration Options
Authentication Settings
- SAML 2.0: Full SAML 2.0 protocol support
- Force Authentication: Require re-authentication for sensitive operations
- Session Management: Configure session timeouts and renewal
- Logout: Configure single logout (SLO) behavior
User Provisioning
- Just-in-Time (JIT): Automatically create users on first sign-in
- Attribute Mapping: Map Okta attributes to ept AI user properties
- Group Synchronization: Sync Okta groups to ept AI roles
- User Updates: Automatically update user information from Okta
Security Settings
- Certificate Management: Upload and manage SAML signing certificates
- Encryption: Enable SAML response encryption
- Audit Logging: Log all SSO authentication events
- Access Control: Configure IP restrictions and access policies
Use Cases
Enterprise Authentication
- Centralized Identity: Use existing Okta user accounts for ept AI access
- Security Compliance: Meet enterprise security and compliance requirements
- User Management: Leverage Okta's user lifecycle management
- Access Control: Use Okta policies for conditional access
Multi-Factor Authentication
- MFA Integration: Leverage Okta's MFA capabilities
- Risk-Based Authentication: Use Okta's risk-based policies
- Device Trust: Integrate with Okta's device trust features
- Biometric Authentication: Support biometric authentication methods
Group-Based Access
- Role Assignment: Automatically assign ept AI roles based on Okta groups
- Department Access: Control access by organizational departments
- Project Teams: Manage access for project-specific teams
- Temporary Access: Use Okta's time-based access policies
Best Practices
Security Configuration
- Certificate Management: Regularly rotate SAML signing certificates
- Attribute Security: Only request necessary user attributes
- Access Policies: Configure appropriate access policies in Okta
- Audit Monitoring: Monitor SSO authentication logs regularly
User Experience
- Branding: Configure consistent branding across Okta and ept AI
- Error Handling: Provide clear error messages for authentication issues
- Fallback Options: Configure fallback authentication methods
- User Training: Train users on the new sign-in process
Integration Management
- Testing: Regularly test the SSO integration
- Documentation: Maintain up-to-date configuration documentation
- Monitoring: Monitor integration health and performance
- Updates: Keep both Okta and ept AI updated
Troubleshooting
Common Issues
Authentication Failures:
- Verify SAML certificate is valid and not expired
- Check attribute mapping configuration
- Verify ACS URL and Entity ID match exactly
- Review Okta application configuration
User Provisioning Issues:
- Check attribute mapping in both Okta and ept AI
- Verify user attributes are being sent correctly
- Review user creation and update rules
- Check group synchronization settings
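The exact-match and attribute checks listed above can be run against a decoded SAML response, for example one copied out of SAML Tracer. The following is an added example, not code from ept AI or Okta; the function name `check_response` and the sample response are constructed for illustration, and the expected values are the placeholder URLs from the setup steps.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Expected values from the setup steps on this page (placeholder domain).
EXPECTED = {
    "acs_url": "https://your-ept-ai-domain.com/saml/acs",
    "entity_id": "https://your-ept-ai-domain.com/saml/metadata",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "attributes": {"email", "firstName", "lastName", "groups"},
}

def check_response(xml_text, expected=EXPECTED):
    """List config mismatches. Diagnostic only: no signature or validity check."""
    root = ET.fromstring(xml_text)
    problems = []
    dest = root.get("Destination")
    if dest != expected["acs_url"]:  # exact string match, as the SP would do
        problems.append(f"Destination {dest!r} != ACS URL")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences!r} lacks Entity ID")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != expected["nameid_format"]:
        problems.append(f"NameID Format {fmt!r} unexpected")
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for missing in sorted(expected["attributes"] - sent):
        problems.append(f"attribute {missing!r} not sent")
    return problems

# Constructed sample: trailing slash on Destination, no groups attribute.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://your-ept-ai-domain.com/saml/acs/">
 <saml:Assertion>
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">a@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://your-ept-ai-domain.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"/><saml:Attribute Name="firstName"/>
   <saml:Attribute Name="lastName"/>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE)))
```

Run it only on responses you captured from your own tenant; it reports configuration drift and is not a substitute for the signature validation the service provider performs.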
Session Management:
- Verify session timeout configurations
- Check single logout (SLO) configuration
- Review browser cookie settings
- Test session renewal process
Getting Help
- Okta Documentation: Okta SAML Configuration
- SAML Testing: SAML Tracer browser extension
- Support: Contact support@ept.ai for integration assistance
Related Resources
- Users - Manage user access and permissions
- Azure AD Integration - Alternative enterprise SSO option
- Google Workspace Integration - Google-based SSO option