Using Okta for SSO with Showpad

  • Updated

What's in it for you

Showpad offers a SAML-based Single Sign-On (SSO) service that allows users to use their organization’s credentials to access Showpad. It eases your users' lives with fewer usernames and passwords, as there's only one account to remember.

This article describes how you can set up SSO for Showpad using Okta as the Identity Provider (IDP). Okta users are mapped to Showpad users by email address.

See how it looks

IMG_0059.png

Key features

  • Users can access Showpad with their Okta account
  • Auto-provision & assign users to the right groups in Showpad
  • Reduce security threats to sensitive data loss
  • Centralized user, password and authorization management

You need this to succeed

  • Ultimate pricing plan on Showpad
  • Administrator access on both Showpad's Online Platform and Okta
  • Some Okta knowledge can be useful
  • Add some users on Okta

The quick way to awesomeness

  1. Create a new SAML 2.0 app in Okta
  2. Use EmailAddress as Name ID and Email as the Application username
  3. Add the Attribute Statements
    firstname   user.firstName
    lastname   user.lastName
    email   user.email
    role   user.role
    usergroups   Regex: ^(?!Everyone$).*

  4. Save this as an internal app
  5. Download the XML metadata and paste this in Showpad's Online Platform, SSO settings
  6. In the User Identity section, make sure you enable Identity resides in the NameID element of the subject
  7. The NameID from Okta should be mapped to a Showpad email address
  8. Activate auto-provisioning
  9. Copy the Assertion Consumer Service (ACS) endpoint and paste this URL in the Edit SAML Integration page in Okta

Do this step by step

  1. In Okta's Classic UI View, click on Add Application and select Create New App.
    Acme-dev-237944_-_Applications.png
  2. Select Web and SAML 2.0 as a Sign on method. Click Create.
    Acme-dev-237944_-_Applications.png
  3. Give your app a name, preferably Showpad. You can add a custom logo and edit the App visibility as shown in the wizard.
    Acme-dev-237944_-_Applications.png
  4. Enter your SAML Settings to generate the XML that's needed for the SAML requests.
    It's important to select EmailAddress as Name ID and Email as the Application username. We can change the Single Sign on URL and Audience URI later.
    Acme-dev-237944_-_Applications.png
  5. Some extra information: If you want to manage the user role in Okta, you can create a new field in Okta by going to Directory, Profile editor, edit user, Add Attribute.

    Make a new attribute called User role, Variable name: role, with datatype string and required attribute checked. You can fill in the role. Values can be admin/tablet for example when you create a new user in Okta.
    Acme-dev-237944_-_Universal_Directory.png
    Okta only allows sending usergroups based on a filter ("Starts with", "Contains", "Equals" or "Regex".) If we choose a regular expression (regex), we can send all usergroups from Okta for that user. We ignore the default "Everyone" usergroup from Okta because we would have the following usergroups in Showpad after auto-provisioning: All users, Everyone.
    The final regex can be something like this: ^(?!Everyone$).* to send every usergroup except the default Everyone okta usergroup, or use .* to send every usergroup.

    Add the Attribute Statements. The attribute statements are the data that is sent to Showpad. The attribute name (left) is the name that we'll enter in Showpad to map to our data.
    The attribute values (right) are the values from Okta that we map to these attributes.
    We fill in the Okta user email address by using user.email and map it to the email attribute. 

    firstname   user.firstName
    lastname   user.lastName
    email   user.email
    role   user.role
    usergroups   Regex: ^(?!Everyone$).*

    Acme-dev-237944_-_Applications.png
  6. Select that this is an internal app and click Finish.
    Acme-dev-237944_-_Applications.png
  7. Go to the Sign on tab of your app. You will see a link to Identity Provider Metadata. Click on this link to download the XML metadata.
    Acme-dev-237944_-_Showpad__Showpad.png
  8. Open Showpad's Online Platform and go to your Admin Settings, Sign-On and Enable.
    SSO_config.png
  9. We will now add the metadata source to this new Okta - SAML 2.0 Service. Paste the XML data you downloaded. 

    If you have an online location for this metadata, you can provide the URL to the XML file. This allows you to update your settings online, instead of uploading updated XML metadata when the configuration changes.

    In the User Identity section, make sure you enable Identity resides in the NameID element of the subject.

    The NameID from Okta has been set up earlier as the email address, which meets Showpad's requirement that an identity should be mapped to a Showpad email address.
    Showpad_Online_Platform.png
  10. If needed, you can also set up auto-provisioning to automatically allow new users to be created when they log in successfully via Okta. Click Submit.
    Showpad_Online_Platform.png
  11. Once configured, you will be presented with the Assertion Consumer Service (ACS) endpoint. Copy this URL.
    Showpad_Online_Platform.png
  12. Go back to the Edit SAML Integration page in Okta and edit the SAML settings with the new data. Click Next and Finish.
    Acme-dev-237944_-_Applications.png
  13. You need users in your Okta environment. Please import or create your users if you haven't done so. When you log in to your Showpad account, you now have the option to use the Okta service.Okta_login.png

Related articles