How to set up SAML 2.0 with OptiSigns and Okta

With Pro Plus and Enterprise plan, you can configure SAML 2.0 with OptiSigns via Okta.

Assuming you already using Okta for identity management. If you have not used Okta, it is the leading identity management platform, you can learn more here.

 

Set up OptiSigns & Okta:

First you need to do some set up in OptiSigns:

If you don't have a sub domain yet, you can set up one by going to:
https://app.optisigns.com/app/s/branding-settings

Fill in subdomain field and click Activate. After that you can use this sub domain for "
You can also map your own domain like digitalsigns.yourcompany.com by following this article.

This will be the URL that you can share with your users so they can log in to use the app, once integration has set up. In our example we will use https://advanced.optisigns.net/

mceclip13.png

Next go to SAML Single Sign On setting page:

https://app.optisigns.com/app/s/saml-settings

Click Enable SAML SSO.

The settings are:

  • Enable Username & Password login: Allow users to also log in with username/password. It’s recommended to disable once integration is all done. As Admin/Owner, it's recommended that you keep at least 1 account with password log in, in case there's issues, you can always log back in from app.optisigns.com to reconfigure.
  • Enable User Creation: If users are authenticated, but do not exist in OptiSigns, they will be created in OptiSigns. You should enable this, because you likely already assign/approve users/groups to use OptiSigns, unless for some reason you want to be very strict and want to review roles of users before they can start using OptiSigns.
  • Enable User Override: Every time a user logs in, if their group assignment have changed on SAML, OptiSigns will update, override new profile settings.
  • Note the "Single Sign On URL" and "Audience URI (SP Entity ID) URL", you will need this to use in Okta later.

mceclip0.png

 

Next, add OptiSigns as an App in your Okta account:

Log in to your Okta account as admin -> Application

Or go to: https://optisigns-admin.okta.com/admin/apps/active

Click Create App Integration

mceclip0.png

Select SAML 2.0

mceclip1.png

Enter App name: OptiSigns

If you want to upload logo, you can use our logo here.

Click Next

mceclip2.png

In "Single sign in URL" and "Audience URI (SP Entity ID)", these are the URL that you have in https://app.optisigns.com/app/s/saml-settings
Check "Use this for Recipient URL and Destination URLs"

Click Next.

mceclip5.png

mceclip6.png

The last step is just informational for Okta to know how you are using the app.

Select "I'm an Okta customer adding an internal app" as OptiSigns is now an internal app to your organization.

Click Next.

mceclip8.png

 

Then click "View Setup Instruction"

mceclip9.png

Copy these 3 fields and paste in OptiSigns' SAML config page:

  • Identity Provider Single Sign-On ULR -> OptiSigns: SAML 2.0 Endpoint (HTTP)
  • Identity Provider Issuer -> OptiSigns: Identity Provider Issuer
  • X.509 Certificate -> OptiSigns: Public Certificate

okta-config.png

 

Lastly, set the "Sign In Button label", this is the text of the button you want your users to see in their login portal. Use something descriptive  like "Log in with Okta" or "Sign in with SSO" or something your user familiar with.

okta-config-2.png

Click Save

Now your log in portal & integration is all set up.

Next you need to assign users, groups that can use OptiSigns.

 

Assign & map users, groups from Okta to OptiSigns

It's not required, but recommended to create groups of users to be assigned, map to OptiSigns Roles, Teams so they will automatically have the right role & group.

IMPORANT NOTE: If you don't configure this, all users will be assigned User Role & Default Team (screenshot see below)

 

To configure how OptiSigns should map the user groups to OptiSigns Roles by going to: https://app.optisigns.com/app/s/saml-settings

Scroll to Advanced Settings and create mapping.
Group Name (group names in Okta), Role (role in OptiSigns) mapping. 
mceclip1.png

It's best practice to create group name prefix with optisigns- and map to OptiSigns like below:

  • optisigns-admins (SAML group) -> OptiSigns role: Admin
  • optisigns-users (SAML group) -> OptiSigns role: Users
  • optisigns-custom-role (SAML group) -> OptiSigns custom role that you create

How to handle Unmapped users/group:

You can map the "Unmapped users/group" to No Team (Disabled)

This way they will receive an error when trying to log in and will have to reach out to Admins to get  correct teams, roles assigned. This is can be use as safe guard, in case some user accidently got assigned OptiSigns app but not the right groups.

mceclip3.png

Note that if you map a SAML group to a Team and then delete the team, it will result in new user being mapped to No Team and will have to contact you to be assigned to a team to use the app.

 

Next, go to your Okta Admin portal. Click Applications -> OptiSigns.

mceclip11.png

Click Assign -> People or Groups to use this app. You can also configure your user to request to use the app, but that's beyond the scope of this article.

mceclip12.png

You can set up group mapping by going to General -> SAML settings

mceclip2.png

Click Next:

mceclip3.png

Create these mappings, this will pass information to OptiSigns on what's user's Name and Groups.

mceclip4.png

The "Attribute Statement" and "Group Attribute Statement" are corresponding to OptiSigns https://app.optisigns.com/app/s/saml-settings

OptiSigns accept firstName, lastName, group by default, but if you changes these in Okta, you will need to match it here as well.

mceclip2.png

 

 

That's it!

You have configured SAML 2.0 for OptiSigns with Okta.

Now your users can log in using the sub domain that you configured (in this case it was https://advanced.optisigns.net/signIn).

You can share the URL with your users and they can log in with their SSO credential.

 

If you have any additional questions or any feedback about OptiSigns, feel free to reach out to our support team at support@optisigns.com or just submit a ticket here.

 

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.