Using Okta for SSO with Showpad

What's in it for you

Showpad offers a SAML-based Single Sign-On (SSO) service that allows users to use their organization’s credentials to access Showpad. It eases your users' lives with fewer usernames and passwords, as there's only one account to remember.

This article describes how you can set up SSO for Showpad using Okta as the Identity Provider (IDP). Okta users are mapped to Showpad users by email address.

See how it looks

Key features

• Users can access Showpad with their Okta account
• Auto-provision & assign users to the right groups in Showpad
• Reduce security threats to sensitive data loss
• Centralized user, password and authorization management

You need this to succeed

• Plus or Ultimate pricing plan on Showpad
• Administrator access on both Showpad's Online Platform and Okta
• Some Okta knowledge can be useful
• Add some users on Okta

The quick way to awesomeness

1. Create a new SAML 2.0 app in Okta
2. Use EmailAddress as Name ID and Email as the Application username
3. Add the Attribute Statements
   
   

   firstname		user.firstName
   lastname		user.lastName
   email		user.email
   role		user.role
   usergroups		Regex: ^(?!Everyone$).*

   
   
4. Save this as an internal app
5. Download the XML metadata and paste this in Showpad's Online Platform, SSO settings
6. In the User Identity section, make sure you enable Identity resides in the NameID element of the subject
7. The NameID from Okta should be mapped to a Showpad email address
8. Activate auto-provisioning
9. Copy the Assertion Consumer Service (ACS) endpoint and paste this URL in the Edit SAML Integration page in Okta

Do this step by step

1. In Okta's Classic UI View, click on Add Application and select Create New App.
   
2. Select Web and SAML 2.0 as a Sign on method. Click Create.
   
3. Give your app a name, preferably Showpad. You can add a custom logo and edit the App visibility as shown in the wizard.
   
4. Enter your SAML Settings to generate the XML that's needed for the SAML requests.
   It's important to select EmailAddress as Name ID and Email as the Application username. We can change the Single Sign on URL and Audience URI later.
   
5. Some extra information: If you want to manage the user role in Okta, you can create a new field in Okta by going to Directory, Profile editor, edit user, Add Attribute.
   
   Make a new attribute called User role, Variable name: role, with datatype string and required attribute checked. You can fill in the role. Values can be admin/tablet for example when you create a new user in Okta.
   Okta only allows sending usergroups based on a filter ("Starts with", "Contains", "Equals" or "Regex".) If we choose a regular expression (regex), we can send all usergroups from Okta for that user. We ignore the default "Everyone" usergroup from Okta because we would have the following usergroups in Showpad after auto-provisioning: All users, Everyone.
   The final regex can be something like this: ^(?!Everyone$).* to send every usergroup except the default Everyone okta usergroup, or use .* to send every usergroup.
   

   Note: If a group does not exist in Showpad when the user is provisioned, it will be created and the user will be added to it. Automatic group assignments are only made when a new user is provisioned, and not upon subsequent logins for that use.

   Add the Attribute Statements. The attribute statements are the data that is sent to Showpad. The attribute name (left) is the name that we'll enter in Showpad to map to our data.
   The attribute values (right) are the values from Okta that we map to these attributes.
   We fill in the Okta user email address by using user.email and map it to the email attribute. 
   
   

   firstname		user.firstName
   lastname		user.lastName
   email		user.email
   role		user.role
   usergroups		Regex: ^(?!Everyone$).*

   
   
6. Select that this is an internal app and click Finish.
   
7. Go to the Sign on tab of your app. You will see a link to Identity Provider Metadata. Click on this link to download the XML metadata.
   
8. Open Showpad's Online Platform and go to your Admin Settings, Sign-On and Enable.
   
9. We will now add the metadata source to this new Okta - SAML 2.0 Service. Paste the XML data you downloaded. 
   
   If you have an online location for this metadata, you can provide the URL to the XML file. This allows you to update your settings online, instead of uploading updated XML metadata when the configuration changes.
   
   In the User Identity section, make sure you enable Identity resides in the NameID element of the subject.
   
   The NameID from Okta has been set up earlier as the email address, which meets Showpad's requirement that an identity should be mapped to a Showpad email address.
   
   By default, we will use the recommended SHA-256 hash algorithm, but Showpad supports the older SHA-1 format as well.
   
10. If needed, you can also set up auto-provisioning to automatically allow new users to be created when they log in successfully via Okta. Click Submit.
    
11. Once configured, you will be presented with the Assertion Consumer Service (ACS) endpoint. Copy this URL.
    
12. Go back to the Edit SAML Integration page in Okta and edit the SAML settings with the new data. Click Next and Finish.
    
13. You need users in your Okta environment. Please import or create your users if you haven't done so. When you log in to your Showpad account, you now have the option to use the Okta service.