What's in it for you
Showpad offers a SAML-based Single Sign-On (SSO) service that allows users to use their organization’s credentials to access Showpad. It eases your users' lives with fewer usernames and passwords, as there's only one account to remember.
This article describes how you can set up SSO for Showpad using Okta as the Identity Provider (IDP). Okta users are mapped to Showpad users by email address.
See how it looks
- Users can access Showpad with their Okta account
- Auto-provision & assign users to the right groups in Showpad
- Reduce security threats to sensitive data loss
- Centralized user, password and authorization management
- You can use a Showpad app for Okta that allows setting up SSO
You need this to succeed
- Ultimate pricing plan or Platform Enterprise on Showpad
- Available as an add-on on Showpad Plus pricing plan
- Administrator access on both Showpad's Online Platform and Okta
- Okta knowledge can be useful
- Users added on Okta
The quick way to awesomeness
Using the Showpad app in Okta
- Install the Showpad app in Okta
- Open the Sign on tab
- Copy the URL that points to the Identity Provider metadata
- Open Showpad's Online Platform and add a new Single Sign-on configuration called Okta
- Select URL as Metadata Source and paste the Identity Provider metadata URL
- Enable auto-provisioning
- Copy the Showpad Entity ID and Assertion Consumer Service Endpoint values
- In Okta, paste them in the Advanced Sign-On Settings of the Showpad app
- Save and assign Showpad to the list of Okta users
Do this step by step
Configuring the Showpad app in Okta
- Search for the Showpad app in Okta and click Add.
- Optional: Configure how your users will see the Showpad app on your company's login screen or mobile application and click Done.
- Open the Sign On tab.
- Copy the URL that points to the Identity Provider metadata. We will use this URL later to configure Okta in Showpad's Online Platform.
- Leave the Sign On window open in Okta and open a new tab in your browser. Go to Showpad's Online Platform and open Admin Settings.
- Open the Sign-On tab and click Add Configuration.
- Give your new configuration a name, preferably Okta, and select SAML 2.0 as the protocol.
- Select URL as Metadata Source and paste the Identity Provider metadata URL in this field. Use SHA-256 as Hash algorithm and select the NameID element as User Identity. Showpad supports the older SHA-1 format as well.
- You can enable auto-provisioning. This means that when a user signs in to Showpad for the first time, using Okta credentials, the user will be automatically created in Showpad. Click Save.
- Open the information window of your new configuration.
- Make a copy of the Showpad Entity ID and Assertion Consumer Service Endpoint values, then click Ok.
- Go back to Okta, and open the Sign On tab of the Showpad app. In the Advanced Sign-On Settings, paste the information you copied from Showpad's Online Platform.
- Save the configuration.
- Assign the Showpad application to your Okta users.
- Users will now be able to sign in using their Okta account.
Using Showpad user groups and Okta
Okta allows sending usergroups to Showpad based on a filter ("Starts with", "Contains", "Equals" or "Regex".) If we choose a regular expression (regex), we can send all usergroups from Okta for a specific user.
We want to ignore the default "Everyone" usergroup from Okta because we would have the following duplicate-sounding usergroups in Showpad after auto-provisioning: "All users", "Everyone".
The regex can be something this: ^(?!Everyone$).* to send every usergroup except the default Everyone okta usergroup, or use .* to send every usergroup.
Note: While group creation can be done through Okta, if the group doesn't already exist, with experiences assigned to it, the new users won't see any content when they sign in. This means that when a user signs in, with a new user group, that group will not have any experiences associated with it by default.
Add the Attribute Statements. The attribute statements are the data that is sent to Showpad. The attribute name (left) is the name that we'll enter in Showpad to map to our data.
The attribute values (right) are the values from Okta that we map to these attributes.
We fill in the Okta user email address by using user.email and map it to the email attribute.
Make a new attribute called User role, Variable name: role, with datatype string and required attribute checked. You can fill in the role. Values can be admin/tablet for example when you create a new user in Okta. If you want to manage the user role in Okta, you can create a new field in Okta by going to Directory, Profile editor, edit user, Add Attribute. Select that this is an internal app and click Finish.