If you are not done so, we strong encourage you to review our article: How Okta Single Sign-On Works before proceeding.
- Login to eSPACE as a user with administrative privileges.
- Navigate to Settings >> Other >> Developer >>Single Sign-on
- Select Okta as the provider
- Copy the entire Single Sign On URL and paste it in a text editor for later use. It is the URL that looks something like this:
- Open a new tab, go to your Okta account, and continue with the steps in the "In Okta" section below. DO NOT close or save your progress in eSPACE just yet.
- Sign in to your organizations Okta account using a login account with administrative privileges.
- Navigate to the admin panel, then to Applications >> Applications.
- Click to "Create App Integration"
- Select "SAML2.0" and click Next
- Fill in the General Settings as follows, then click "Next"
- App Name: eSPACE
- App Logo: (download from here)
- App Visibility - Whatever your organization's preferences are.
- Fill in the "Configure SAML" tab as follows and click "Next"
- General Section
- Single sign on URL: This should be the value from #4 in the eSPACE setup section above.
- Ensure "Use this for Recipient URL and Destination URL" is checked.
- Audience URI: ministryID
- Name ID format: EmailAddress
- Application Username: Email
- (This item may not be visible) Update Application Username on: Create and update
- Attributes Statement: Add the following attributes:
- General Section
- On the Feedback page, select "I'm an Okta customer adding an internal app". Leave all other default options and click "Finish"
- Return to the "General" tab and scroll down to the App Embed Link section. Find the URL in the "Embed Link" field and copy the entire address. You will be pasting this into a setting field in eSPACE.
- Go back to your eSPACE tab in your browser and continue with the eSPACE setup.
Back in eSPACE on the SSO Setup page.
- Find the "Okta Identity Provider Single Sign-On URL" and set it to the value you copied from step 9 in the previous section. It should be something like this:
- Select an Integration Admin. This person will be notified when someone tries to access eSPACE from Okta, but they don't have an eSPACE account. eSPACE will create an account for them, but set them to be "inactive" and send a notification to the Integration Admin to let them know (and activate their account in eSPACE
And finally, back in Okta, go to the Assignments tab. If you were last on the "How to configure SAML 2.0 for eSPACE..." page, you may need to go back, or switch to the other browser tab for Okta to find the "Assignments" tab. Use the "Assign" button to specify which Okta users are permitted to access your organization's eSPACE account. If they do not have an eSPACE account, or they do but with a different email address, one will be created for them the first time they try to login via Okta SSO. Please be sure to see our article How Okta Single Sign-On Works for more details.