This article assumes that you understand the basics of single sign-on (SSO). This SSO Wikipedia page may be helpful to read, but for this article it's important to understand that SSO allows authentication of a person on one site to be used to authenticate that same person on another site. This is commonly found on sites that show on their login page that people can "Login with Google". The site has a secured and trusted "partnership" with Google, such that if Google says "yes, this person is who they say they are", the site will believe them.
eSPACE has this secured and trusted partnership with Okta, and if Okta vouches for a user's identity, eSPACE will believe it. But for this to work, there is a little bit of setup that must take place in your eSPACE account and your Okta account. We created this article to describe the steps needed to set up both sides of the SSO connection.
Okta Users vs. eSPACE Users
It's important to understand that a user account in eSPACE may be connected to a user account in Okta, and they (hopefully) represent the same person, but they are not the same account. Deleting an account in Okta will NOT delete the account in eSPACE (nor vice versa). In fact, even suspending an account in Okta won't suspend the account in eSPACE. What it will do is keep the person from logging in to eSPACE via Okta. However, because they are separate accounts, the person can still use the "Forgot Password" link on the eSPACE login page and have a password sent to them, so that they can log in directly to eSPACE without going through Okta. Thus, if someone is removed or suspended in Okta and should no longer have access to eSPACE, an administrator must also log in to eSPACE and delete or inactivate their account there.
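Because the two accounts are independent, an admin has to find the eSPACE accounts that should have been inactivated alongside an Okta change. The following is an added example, not eSPACE or Okta code: it runs a small audit over two constructed inventories (an Okta user export and an eSPACE account list, both as plain dicts) and lists active eSPACE accounts whose Okta user is suspended, deprovisioned, unassigned from the eSPACE application, or missing entirely. The status names follow Okta's documented user statuses; the records themselves are made up.

```python
"""Audit for eSPACE accounts still active after their Okta user lost access.

Added illustration with constructed data. It does not call the Okta or
eSPACE APIs; both inventories are plain dicts an admin could export by hand
from each system's user list.
"""

from dataclasses import dataclass

# Okta user statuses that no longer grant access to assigned applications.
BLOCKED_OKTA_STATUSES = {"SUSPENDED", "DEPROVISIONED"}


@dataclass(frozen=True)
class Finding:
    email: str
    reason: str  # why this eSPACE account needs an admin's attention


def normalize(email: str) -> str:
    """Both systems match on email, so compare trimmed and case-insensitively."""
    return email.strip().lower()


def find_orphaned_espace_accounts(okta_users, espace_accounts, espace_app="eSPACE"):
    """Return active eSPACE accounts whose Okta counterpart no longer grants access.

    okta_users:      list of {"email", "status", "apps"}; "apps" holds the
                     names of applications the user is assigned to.
    espace_accounts: list of {"email", "active"}.
    """
    okta_by_email = {normalize(u["email"]): u for u in okta_users}
    findings = []
    for acct in espace_accounts:
        if not acct["active"]:
            continue  # already inactivated in eSPACE; nothing to do
        email = normalize(acct["email"])
        okta = okta_by_email.get(email)
        if okta is None:
            # Could be a legitimate direct-login account or a user removed
            # from Okta; either way an admin should review it.
            findings.append(Finding(email, "no matching Okta user"))
        elif okta["status"] in BLOCKED_OKTA_STATUSES:
            findings.append(Finding(email, f"Okta user is {okta['status']}"))
        elif espace_app not in okta.get("apps", ()):
            findings.append(Finding(email, "Okta user is not assigned to the eSPACE application"))
    return sorted(findings, key=lambda f: f.email)


# Constructed sample data (hypothetical tenant; example.org addresses).
OKTA_USERS = [
    {"email": "alice@example.org", "status": "ACTIVE", "apps": ["eSPACE"]},
    {"email": "Bob@Example.org", "status": "SUSPENDED", "apps": ["eSPACE"]},
    {"email": "carol@example.org", "status": "ACTIVE", "apps": []},
    {"email": "dave@example.org", "status": "DEPROVISIONED", "apps": ["eSPACE"]},
]
ESPACE_ACCOUNTS = [
    {"email": "alice@example.org", "active": True},
    {"email": "bob@example.org", "active": True},
    {"email": "carol@example.org", "active": True},
    {"email": "dave@example.org", "active": False},  # already handled in eSPACE
    {"email": "erin@example.org", "active": True},   # direct-login only
]


if __name__ == "__main__":
    for f in find_orphaned_espace_accounts(OKTA_USERS, ESPACE_ACCOUNTS):
        print(f"{f.email}: {f.reason}")
```

Run it periodically against fresh exports; every line it prints is an eSPACE account that an admin should either inactivate or consciously keep as a direct-login account.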
"Assigning" Okta Users to eSPACE
If you use Okta, you probably know it is more than just an authentication service. It allows users to be managed - specifically, to be granted or denied access to connected applications. Once your organization's eSPACE and Okta accounts are connected, you will need to assign Okta users to the eSPACE application (in the Okta admin console) before they can access it. If you've used Okta before, this should be familiar to you.
Okta users not assigned to the eSPACE application cannot get in to eSPACE via Okta authentication. However, if they have an eSPACE account already, they can bypass this by logging in to eSPACE directly, as noted in the "Okta Users vs. eSPACE Users" section above.
Accessing eSPACE Via Okta
There are two ways assigned users will be able to access eSPACE through Okta. The first is from their Okta Dashboard. As an assigned user, the eSPACE application will appear on their Okta dashboard and they simply need to click it to be automatically logged in.
If your organization is using Okta with other applications, this dashboard will likely have several other applications showing.
The other way users can log in to eSPACE is by clicking the "Log in with Okta" button on the eSPACE login page. Doing so takes them to a page where they need to enter their email address. This is necessary because eSPACE needs to know which Okta-connected organization the user belongs to. Once identified, the user's browser is directed to the appropriate Okta account. If Okta recognizes the user (which it should if the user has a persistent session with Okta), AND the user is assigned to the eSPACE application, then Okta will log the user into eSPACE, and they will land on their eSPACE dashboard. If Okta does not recognize them, it will present an Okta login page. Once they log in there, Okta will check whether they are assigned to the eSPACE application and log them in to eSPACE accordingly.
There actually is a third way users could access eSPACE via Okta. On the Okta SSO Setup page, once the setup is complete, there is a link that users can bookmark. The link points to a special page on eSPACE that will log them in via Okta SSO, but not require them to enter their email address. Admins are welcome to share this link with their team, if they wish.
If an Okta user is not assigned to eSPACE, they will not see the eSPACE application on their Okta dashboard, so they will not be able to simply click it to get logged in. If the user tries to access eSPACE via the "Log in with Okta" button or the special link, Okta will display a message telling the user they do not have access to the application. However, as mentioned above, the user may still have an active account in eSPACE, and will be able to log in using their email address and eSPACE password (or the Forgot Password link).
Assigning New Okta Users to eSPACE
When you assign a user (in Okta) to the eSPACE application, their email address serves as the identifying information linking both systems. If the user already has an eSPACE account, and their email address is the same in both systems, they will be able to log in to their existing eSPACE account. However, if they do not have an eSPACE account, the following chain of events happens.
- eSPACE creates a new account for them.
- The new account is set to "inactive".
- An email is sent to the Integration Admin (as defined on the Okta SSO Setup page) letting them know that a new eSPACE account has been created but needs them to enable it and set up the permissions and roles.
- The user trying to access eSPACE for the first time is notified with an on-screen message saying their account has been created, but that an eSPACE admin needs to enable it before they can log in.
Keep in mind, if the user already has an eSPACE account with a different email address, eSPACE will not know this is the same user, and a new eSPACE login account will be created for them (with the steps above).
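The provisioning chain above, and the duplicate-account caveat that follows it, can be seen end to end in a small simulation. This is an added example with constructed data, not eSPACE's own code: the account store, the Integration Admin address and the notification queue are in-memory stand-ins, and the assumption that a not-yet-enabled account shows the same "waiting for an admin" message on later attempts is the example's, not the article's.

```python
"""Simulation of what eSPACE does the first time an assigned Okta user logs in.

Added illustration with constructed data. Accounts live in a dict, and the
email to the Integration Admin is returned as a string instead of being sent.
"""

from dataclasses import dataclass, field


def normalize(email: str) -> str:
    """Email is the only link between the two systems; compare it normalized."""
    return email.strip().lower()


@dataclass
class Account:
    email: str
    active: bool
    source: str  # "direct" = created in eSPACE; "okta-jit" = auto-created on first Okta login


@dataclass
class LoginResult:
    outcome: str  # "logged_in", "created_pending" or "pending_activation"
    account: Account
    admin_notifications: list = field(default_factory=list)


class EspaceDirectory:
    def __init__(self, accounts, integration_admin):
        self.accounts = {normalize(a.email): a for a in accounts}
        self.integration_admin = integration_admin  # from the Okta SSO Setup page

    def okta_login(self, okta_email: str) -> LoginResult:
        email = normalize(okta_email)
        acct = self.accounts.get(email)
        if acct is None:
            # Steps from the article: create the account, mark it inactive,
            # notify the Integration Admin, and tell the user to wait.
            acct = Account(email=email, active=False, source="okta-jit")
            self.accounts[email] = acct
            note = (f"To {self.integration_admin}: new eSPACE account {email} was "
                    f"created via Okta; enable it and set its roles and permissions.")
            return LoginResult("created_pending", acct, [note])
        if not acct.active:
            # Assumption (not stated in the article): an existing but
            # not-yet-enabled account keeps showing the wait message.
            return LoginResult("pending_activation", acct)
        return LoginResult("logged_in", acct)


def build_demo_directory() -> EspaceDirectory:
    """Constructed tenant: two existing direct-login accounts."""
    return EspaceDirectory(
        accounts=[
            Account("alice@example.org", active=True, source="direct"),
            # Bob's eSPACE account uses a different address than his Okta login,
            # so an Okta login as bsmith@example.org will NOT match it.
            Account("bob.smith@example.org", active=True, source="direct"),
        ],
        integration_admin="it-admin@example.org",
    )


if __name__ == "__main__":
    directory = build_demo_directory()
    for attempt in ("Alice@example.org", "bsmith@example.org", "bsmith@example.org"):
        result = directory.okta_login(attempt)
        print(attempt, "->", result.outcome, "| active:", result.account.active)
        for note in result.admin_notifications:
            print("   notification:", note)
    print("accounts now:", sorted(directory.accounts))
```

The second login attempt is the caveat in action: because Bob's Okta email differs from his eSPACE email, eSPACE creates a second, inactive account for him rather than linking to the existing one, and the admin receives a notification for an account that should probably be merged or removed instead of enabled.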
If you have any questions, please feel free to create a support request to ask. We'll be happy to answer and assist.