Loading ...

Okta SSO | Communifire Documentation

Home » communifire documentation » Wiki » Documentation » Login » Single Sign On (SSO) » Okta SSO
Communifire Documentation  Wiki
Public Space
Activity Stream Content
Version 27

Okta SSO

 /5
0 (0votes)

Communifire supports Okta integration for single-sign on (SSO). This page covers information about Okta SSO, walks you through how to configure Okta SSO on your intranet, and provides solutions to common issues. For more information or assistance from the Axero team, submit a private case.

Login Experience

On visiting your intranet, users will be re-directed to the Okta log in page.

Logging in with Communifire credentials

You can allow users to log in using Communifire credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Communifire login page. Users can either log in with Communifire credentials or click Login via SAML to sign in using Okta credentials.

Return to top

Mobile App Login Experience

In the mobile app, users will be re-directed to the Okta log in page after entering the site URL.

Logging in with Communifire credentials

You can allow users to log in using Communifire credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Communifire login page. Users can either log in with Communifire credentials or click SSO Login to sign in using Okta credentials.

Return to top

Adding Users

A user is created in Communifire when the user logs in for the first time. You can add users to Communifire before they log in using the methods below.

Bulk import users

Pre-populate users before Okta setup or launch with Bulk Import Users . The Communifire usernames you create must match the usernames in Okta.

Add users

Add users in Control Panel > People > Manage People > Add User . The Communifire username you create must match the username in Okta.

REST API

You can use our REST API to import users - REST API: Add User , REST API: Update User Profile Fields .

Adding Communifire administrator accounts

If Communifire administrator accounts are created before Okta is set up and the Communifire usernames match Okta usernames, the administrator accounts will sync with the corresponding Okta accounts. If not, you will need to re-configure permissions for the admin Okta accounts and remove the previous Communifire administrator accounts.

Return to top

Importing Data

Any data can be imported from Okta, as long as there are corresponding User Profile Fields in Communifire. Attribute mappings must be added to Control Panel > System > Single Sign On > Data Mapping > SAML. Enter the attribute name as the property name in Communifire. See the table below for common fields to import.

Name Value
Email user.email
GivenName user.firstName
Surname user.lastName
Company user.organization
Title user.title
Department user.department
streetAddress user.streetAddress
city user.city
state user.state
zipCode user.zipCode
countryCode * user.countryCode
TelephoneNumber user.mobilePhone or user.primaryPhone

* The country code in Okta must match country options in Communifire exactly.

You can also use our REST API to import user data into Communifire.

Return to top

Syncing Data

User data is updated in Communifire every time a user logs in.

Email and username change

When a user's email is changed in Okta, the user's Communifire email will be updated the next time they login. The Communifire username won't be changed and must be updated manually by a site administrator.

Return to top

Disabled Users

When a user's assignment is removed in Okta, the user will be blocked from logging into Communifire using Okta.

The user's account will still be active in Communifire. You can Delete User and delete their content or re-assign their content to another user or to the system anonymous user. You can also Ban User , which will retain their content.

Return to top

Setup Guide

This guide walks you through how to enable Okta SSO in Communifire. Client-side setup is estimated to take 1-2 hours and Communifire team setup is estimated to take 1-2 hours. The time to set up SSO can vary based on how long it takes to set up internal systems and to provide the Communifire team with required information. The total time for setting up SSO may take up to 1-2 business days.

Once you complete the guide, Okta SSO will be active on your intranet. If you run into any issues, submit a case here for assistance.

Configure Okta SSO
  1. Click Applications > Applications.
    Click Applications > Applications
  2. Click Add Application.
    Click Add Application
  3. Search for Communifire.
  4. Click Communifire.
    Click Communifire
  5. Click Add.
    Click Add
  6. Update the Application label.
  7. Enter your site URL in Base URL.
    Example:
    General Settings example
  8. Click Done.
    Click Done
  9. Click Sign On.
    Click Sign On
  10. Click Edit.
    Click Edit
  11. Expand Attributes.
  12. Add attributes to pull into Communifire. By default, Email, GivenName, and Surname are pulled into Communifire.

    Basic attributes to add:
    Name Value
    Company user.organization
    Title user.title
    Department user.department
    streetAddress user.streetAddress
    city user.city
    state user.state
    zipCode user.zipCode
    countryCode user.countryCode
    TelephoneNumber user.mobilePhone or user.primaryPhone
    Example:
  13. For Application username format, select Email.
    Select Email
  14. Click Save.
    Click Save
  15. Click View Setup Instructions.
  16. Copy the Identity Provider Single Sign-On URL and save it for later.
  17. Copy the Identity Provider Issuer and save it for later.
  18. Download the X.509 Certificate.
  19. Click Assignments.
  20. Assign users or groups to the app.



Provisioning

To configure provisioning, see Okta SCIM Configuration Guide .

Return to top

Configure Communifire
  1. In Communifire, go to Control Panel > System > Single Sign On.
  2. Select SAML.
  3. Click Save.
  4. Enter the following information:
    • Partner Identity Provider URL: Enter the Identity Provider Issuer you copied.
    • Single Sign On Service URL: Enter the Identity Provider Single Sign-On URL you copied.
    • Relying Party Trust Identifier: Enter your intranet URL.
    • Single Logout Service URL: Enter the Identity Provider Single Sign-On URL you copied.
    • Partner Identity Certificate (CER): Upload the X.509 Certificate file. (okta.cer)

      Example:
  5. Click Update.
  6. Click Data Mapping.
  7. For Type, select SAML.
  8. Add attribute mappings. The Property Name should match the attribute name you entered in Attribute Statements in Okta.
    Example:
  9. Click Update.
  10. Submit a private case to have our team provide the Service Provider Certificate (PFX) and Certificate Password.

Return to top

Assign Users in Okta
  1. Click Assignments.
  2. Assign users or groups to the app.



Return to top

Adding Okta Groups in SAML

You can add Okta Groupings into your Communifire SAML fields by doing the following:

1. Go to Control Panel>System>Single Sign On

2. Under Data Mapping select Type SAML

3. Press Add. Enter in the label you wish to call the grouping property (in this example its called GroupName) then select Okta Groups from the drop down. Press Update.

4. Navigate to your Okta Administration page and select the application for Communifire.

5. Click the Sign On tab. Under Settings expand the Attributes then press Edit.

 

6. Scroll down to the Group Attribute Statements (optional) section and add the "GroupName" label made in Communifire with the Filter "Matches regex" and Value "\w+". 

7. Scroll down and Click Save.

8. Now the Okta Grouping comes across as a property for users to be acted upon.

EXAMPLE Personas:

Troubleshooting

Exception: "The partner identity provider http://www.okta.com/xxxxxxxx is not configured."

Go to Control Panel > System > Advanced System Utilities and click Restart Site.

Exception: "UserRepository.AddUserWithSAMLActiveDirectoryProperties Error" when a new user tries to login. "InvalidPassword" in stack trace.

Go to Control Panel > System > General Settings > Advanced Settings. Set "Maximum length for password" to a value over 25.

Exception: "UserRepository.AddUserWithSAMLActiveDirectoryProperties Error" when a new user tries to login. "Failed" in stack trace.

Go to Control Panel > System > General Settings > Advanced Settings. Set "Minimum length for username" to a lower value. Set "Maximum length for username" to a higher value.

Return to top

Wiki Index

Pages

Intranet Software